Add fineGrainedAuthorization flag (#2188)

* Add fineGrainedAuthorization flag

Signed-off-by: Jon Rosario <jon.rosario@datadoghq.com>

* Add test case covering fineGrainedAuthorization=true

Signed-off-by: Jon Rosario <jon.rosario@datadoghq.com>

* Update RBAC

Signed-off-by: Jon Rosario <jon.rosario@datadoghq.com>

* Use annotations instead of a CRD change for fine-grainted authz

Signed-off-by: Jon Rosario <jon.rosario@datadoghq.com>

* Update RBAC

Signed-off-by: Jon Rosario <jon.rosario@datadoghq.com>

* Use annotations instead of a CRD change for fine-grainted authz

Signed-off-by: Jon Rosario <jon.rosario@datadoghq.com>

* Update RBAC

Signed-off-by: Jon Rosario <jon.rosario@datadoghq.com>

* Remove duplicates

Signed-off-by: Jon Rosario <jon.rosario@datadoghq.com>

---------

Signed-off-by: Jon Rosario <jon.rosario@datadoghq.com>

Author: triviajon

config/rbac/role.yaml

@@ -54,7 +54,11 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - nodes/configz
+  - nodes/healthz
+  - nodes/logs
   - nodes/metrics
+  - nodes/pods
   - nodes/proxy
   - nodes/spec
   - nodes/stats

internal/controller/datadogagent/component/agent/rbac.go

@@ -15,9 +15,9 @@ import (
 // RBAC for Agent
 
 // GetDefaultAgentClusterRolePolicyRules returns the default policy rules for the Agent cluster role
-func GetDefaultAgentClusterRolePolicyRules(excludeNonResourceRules bool) []rbacv1.PolicyRule {
+func GetDefaultAgentClusterRolePolicyRules(excludeNonResourceRules bool, useFineGrainedAuthorization bool) []rbacv1.PolicyRule {
 	policyRule := []rbacv1.PolicyRule{
-		getKubeletPolicyRule(),
+		getKubeletPolicyRule(useFineGrainedAuthorization),
 		getEndpointsPolicyRule(),
 		getLeaderElectionPolicyRule(),
 		component.GetEKSControlPlaneMetricsPolicyRule(),
@@ -40,16 +40,31 @@ func getMetricsEndpointPolicyRule() rbacv1.PolicyRule {
 	}
 }
 
-func getKubeletPolicyRule() rbacv1.PolicyRule {
-	return rbacv1.PolicyRule{
-		APIGroups: []string{rbac.CoreAPIGroup},
-		Resources: []string{
+func getKubeletPolicyRule(useFineGrainedAuthorization bool) rbacv1.PolicyRule {
+	var resources []string
+	if useFineGrainedAuthorization {
+		resources = []string{
+			rbac.NodeMetricsResource,
+			rbac.NodeSpecResource,
+			rbac.NodeStats,
+			rbac.NodePodsResource,
+			rbac.NodeHealthzResource,
+			rbac.NodeConfigzResource,
+			rbac.NodeLogsResource,
+		}
+	} else {
+		resources = []string{
 			rbac.NodeMetricsResource,
 			rbac.NodeSpecResource,
 			rbac.NodeProxyResource,
 			rbac.NodeStats,
-		},
-		Verbs: []string{rbac.GetVerb},
+		}
+	}
+
+	return rbacv1.PolicyRule{
+		APIGroups: []string{rbac.CoreAPIGroup},
+		Resources: resources,
+		Verbs:     []string{rbac.GetVerb},
 	}
 }
 

internal/controller/datadogagent/feature/utils/utils.go

@@ -18,6 +18,7 @@ import (
 
 const ProcessConfigRunInCoreAgentMinVersion = "7.60.0-0"
 const EnableADPAnnotation = "agent.datadoghq.com/adp-enabled"
+const EnableFineGrainedKubeletAuthz = "agent.datadoghq.com/fine-grained-kubelet-authorization-enabled"
 
 func agentSupportsRunInCoreAgent(ddaSpec *v2alpha1.DatadogAgentSpec) bool {
 	// Agent version must >= 7.60.0 to run feature in core agent
@@ -61,3 +62,8 @@ func hasFeatureEnableAnnotation(dda metav1.Object, annotation string) bool {
 func HasAgentDataPlaneAnnotation(dda metav1.Object) bool {
 	return hasFeatureEnableAnnotation(dda, EnableADPAnnotation)
 }
+
+// HasFineGrainedKubeletAuthz returns true if the feature is enabled via the dedicated `agent.datadoghq.com/fine-grained-kubelet-authorization-enabled` annotation
+func HasFineGrainedKubeletAuthz(dda metav1.Object) bool {
+	return hasFeatureEnableAnnotation(dda, EnableFineGrainedKubeletAuthz)
+}

internal/controller/datadogagent/global/dependencies.go

@@ -22,6 +22,7 @@ import (
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/component/clusterchecksrunner"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/component/objects"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature"
+	featureutils "github.com/DataDog/datadog-operator/internal/controller/datadogagent/feature/utils"
 	"github.com/DataDog/datadog-operator/internal/controller/datadogagent/object"
 	"github.com/DataDog/datadog-operator/pkg/constants"
 	"github.com/DataDog/datadog-operator/pkg/controller/utils"
@@ -302,14 +303,15 @@ func nodeAgentDependencies(ddaMeta metav1.Object, ddaSpec *v2alpha1.DatadogAgent
 	var errs []error
 	serviceAccountName := constants.GetAgentServiceAccount(ddaMeta.GetName(), ddaSpec)
 	rbacResourcesName := agent.GetAgentRoleName(ddaMeta)
+	useFineGrainedAuthorization := featureutils.HasFineGrainedKubeletAuthz(ddaMeta)
 
 	// Service account
 	if err := manager.RBACManager().AddServiceAccountByComponent(ddaMeta.GetNamespace(), serviceAccountName, string(v2alpha1.NodeAgentComponentName)); err != nil {
 		errs = append(errs, err)
 	}
 
 	// ClusterRole creation
-	if err := manager.RBACManager().AddClusterPolicyRulesByComponent(ddaMeta.GetNamespace(), rbacResourcesName, serviceAccountName, agent.GetDefaultAgentClusterRolePolicyRules(disableNonResourceRules(ddaSpec)), string(v2alpha1.NodeAgentComponentName)); err != nil {
+	if err := manager.RBACManager().AddClusterPolicyRulesByComponent(ddaMeta.GetNamespace(), rbacResourcesName, serviceAccountName, agent.GetDefaultAgentClusterRolePolicyRules(disableNonResourceRules(ddaSpec), useFineGrainedAuthorization), string(v2alpha1.NodeAgentComponentName)); err != nil {
 		errs = append(errs, err)
 	}
 

internal/controller/datadogagent/global/global_test.go

@@ -704,6 +704,64 @@ func TestNodeAgentComponenGlobalSettings(t *testing.T) {
 			wantVolumes:               getExpectedVolumes(),
 			want:                      assertAll,
 		},
+		{
+			name:                           "Fine grained authorization enabled",
+			singleContainerStrategyEnabled: false,
+			dda: testutils.NewDatadogAgentBuilder().
+				WithCredentials("apiKey", "appKey").
+				WithGlobalKubeletConfig(hostCAPath, agentCAPath, true, podResourcesSocketDir).
+				WithAnnotations(map[string]string{"agent.datadoghq.com/fine-grained-kubelet-authorization-enabled": "true"}).
+				BuildWithDefaults(),
+			wantCoreAgentEnvVars: nil,
+			wantEnvVars: getExpectedEnvVars([]*corev1.EnvVar{
+				{
+					Name: constants.DDAPIKey,
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "-secret",
+							},
+							Key: v2alpha1.DefaultAPIKeyKey,
+						},
+					},
+				},
+				{
+					Name: constants.DDAppKey,
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "-secret",
+							},
+							Key: v2alpha1.DefaultAPPKeyKey,
+						},
+					},
+				},
+				{
+					Name: DDClusterAgentAuthToken,
+					ValueFrom: &corev1.EnvVarSource{
+						SecretKeyRef: &corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "-token",
+							},
+							Key: common.DefaultTokenKey,
+						},
+					},
+				},
+				{
+					Name:  DDKubeletTLSVerify,
+					Value: "true",
+				},
+				{
+					Name:  DDKubeletCAPath,
+					Value: agentCAPath,
+				},
+			}...),
+			wantCoreAgentVolumeMounts: getExpectedVolumeMounts(kubeletCAVolumes),
+			wantVolumeMounts:          getExpectedVolumeMounts(kubeletCAVolumes),
+			wantVolumes:               getExpectedVolumes(kubeletCAVolumes),
+			want:                      assertAll,
+			wantDependency:            assertClusterRolesFineGrainedAuthz,
+		},
 	}
 
 	for _, tt := range tests {
@@ -956,6 +1014,52 @@ func assertSecretBackendSpecificPerms(t testing.TB, resourcesManager feature.Res
 	}
 }
 
+func assertClusterRolesFineGrainedAuthz(t testing.TB, resourcesManager feature.ResourceManagers) {
+	store := resourcesManager.Store()
+
+	rObj, found := store.Get(kubernetes.ClusterRolesKind, "", "-agent")
+	if !found {
+		t.Error("Should have created ClusterRole")
+	}
+
+	role, ok := rObj.(*rbacv1.ClusterRole)
+	if !ok {
+		t.Error("ClusterRole has wrong type")
+	}
+
+	required := []string{
+		rbac.NodeConfigzResource,
+		rbac.NodeHealthzResource,
+		rbac.NodeLogsResource,
+		rbac.NodePodsResource,
+	}
+	unwanted := []string{rbac.NodeProxyResource}
+
+	for _, rule := range role.Rules {
+		allRequired := true
+		for _, r := range required {
+			if !slices.Contains(rule.Resources, r) {
+				allRequired = false
+				break
+			}
+		}
+		if !allRequired {
+			continue
+		}
+		for _, r := range unwanted {
+			if slices.Contains(rule.Resources, r) {
+				allRequired = false
+				break
+			}
+		}
+		if allRequired {
+			return
+		}
+	}
+
+	t.Error("ClusterRole does not have the expected resources")
+}
+
 func Test_UseFIPSAgent(t *testing.T) {
 	logger := logf.Log.WithName("Test_UseFIPSAgent")
 

internal/controller/datadogagent_controller.go

@@ -108,6 +108,10 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups="",resources=nodes/proxy,verbs=get
 // +kubebuilder:rbac:groups="",resources=nodes/spec,verbs=get
 // +kubebuilder:rbac:groups="",resources=nodes/stats,verbs=get
+// +kubebuilder:rbac:groups="",resources=nodes/pods,verbs=get
+// +kubebuilder:rbac:groups="",resources=nodes/healthz,verbs=get
+// +kubebuilder:rbac:groups="",resources=nodes/configz,verbs=get
+// +kubebuilder:rbac:groups="",resources=nodes/logs,verbs=get
 // +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;create;update;patch;delete

pkg/kubernetes/rbac/const.go

@@ -68,7 +68,11 @@ const (
 	MutatingConfigResource              = "mutatingwebhookconfigurations"
 	NamespaceResource                   = "namespaces"
 	NetworkPolicyResource               = "networkpolicies"
+	NodeConfigzResource                 = "nodes/configz"
+	NodeHealthzResource                 = "nodes/healthz"
+	NodeLogsResource                    = "nodes/logs"
 	NodeMetricsResource                 = "nodes/metrics"
+	NodePodsResource                    = "nodes/pods"
 	NodeProxyResource                   = "nodes/proxy"
 	NodeSpecResource                    = "nodes/spec"
 	NodesResource                       = "nodes"