[CONTINT-4500] [helm] Add EKS Clusterrole Rule for EKS control plane metrics #1686

Merged
merged 2 commits into from
Feb 4, 2025


@justin-lesko justin-lesko commented Feb 3, 2025

What this PR does / why we need it:

This PR adds a clusterrole rule necessary to allow the agent to query the EKS metrics API, as described in the official AWS blog post.

Which issue this PR fixes

Special notes for your reviewer:

I tested this by deploying the updated chart to my EKS cluster and validated that the datadog-agent clusterrole contains the new rule.

Validate the helm chart is using the latest local
❯ helm ls
NAME         	NAMESPACE	REVISION	UPDATED                             	STATUS  	CHART         	APP VERSION
datadog-agent	default  	1       	2025-02-03 15:12:57.193742 -0500 EST	deployed	datadog-3.90.1	7

Validate the last rule is allowing EKS queries
❯ k get clusterrole datadog-agent -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: datadog-agent
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2025-02-03T20:12:58Z"
  labels:
    app.kubernetes.io/instance: datadog-agent
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: datadog-agent
    app.kubernetes.io/version: "7"
    helm.sh/chart: datadog-3.90.1
  name: datadog-agent
  resourceVersion: "1704410"
  uid: e8e54a1b-4b5a-4636-877f-9ff57eecc0c0
rules:
- nonResourceURLs:
  - /metrics
  - /metrics/slis
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  - nodes/spec
  - nodes/proxy
  - nodes/stats
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
- apiGroups:
  - security.openshift.io
  resourceNames:
  - datadog-agent
  - hostaccess
  - privileged
  resources:
  - securitycontextconstraints
  verbs:
  - use
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
- apiGroups:
  - metrics.eks.amazonaws.com
  resources:
  - kcm/metrics
  - ksh/metrics
  verbs:
  - get

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • Chart Version bumped
  • Documentation has been updated with helm-docs (run: .github/helm-docs.sh)
  • CHANGELOG.md has been updated
  • Variables are documented in the README.md
  • For Datadog Operator chart or value changes update the test baselines (run: make update-test-baselines)
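
The manual validation in the description above can be turned into a repeatable check. This is an added example, not part of the PR or the chart: it audits a ClusterRole given as JSON (for instance from `kubectl get clusterrole datadog-agent -o json`) for the rule this PR adds and flags anything broader than `get` on the two resources. The function name `audit_eks_metrics_rule` and the sample document are constructed for illustration.

```python
import json

EKS_GROUP = "metrics.eks.amazonaws.com"
EXPECTED = {"kcm/metrics", "ksh/metrics"}  # resources named in the PR's rule


def audit_eks_metrics_rule(clusterrole):
    """Return findings for the EKS metrics grant; an empty list means the
    rule is present and limited to `get` on the two expected resources."""
    findings = []
    can_get = set()
    for rule in clusterrole.get("rules", []):
        groups = rule.get("apiGroups", [])
        if EKS_GROUP not in groups and "*" not in groups:
            continue  # rule does not apply to the EKS metrics API group
        if "*" in groups:
            findings.append("wildcard apiGroups rule also covers " + EKS_GROUP)
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        # Anything beyond the two metrics resources or the get verb is excess.
        for extra in sorted(resources - EXPECTED):
            findings.append("unexpected resource: " + extra)
        for extra in sorted(verbs - {"get"}):
            findings.append("unexpected verb: " + extra)
        if verbs & {"get", "*"}:
            can_get |= EXPECTED if "*" in resources else resources & EXPECTED
    for missing in sorted(EXPECTED - can_get):
        findings.append("missing get on " + missing)
    return findings


# Constructed sample: two of the rules from the ClusterRole output above, as JSON.
SAMPLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "datadog-agent"},
 "rules": [
  {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get"]},
  {"apiGroups": ["metrics.eks.amazonaws.com"],
   "resources": ["kcm/metrics", "ksh/metrics"], "verbs": ["get"]}
 ]}
""")

if __name__ == "__main__":
    for line in audit_eks_metrics_rule(SAMPLE) or ["ok: EKS metrics rule is read-only"]:
        print(line)
```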

@github-actions github-actions bot added the chart/datadog This issue or pull request is related to the datadog chart label Feb 3, 2025
@justin-lesko justin-lesko changed the title Add rule to clusterrole so the node agent can query the EKS control p… [CONTINT-4500] Add EKS Clusterrole Rule for EKS control plane metrics Feb 3, 2025
@justin-lesko justin-lesko marked this pull request as ready for review February 3, 2025 20:31
@justin-lesko justin-lesko requested a review from a team as a code owner February 3, 2025 20:31
Comment on lines +132 to +138
- apiGroups: # EKS kube_scheduler and kube_controller_manager control plane metrics
- "metrics.eks.amazonaws.com"
resources:
- kcm/metrics
- ksh/metrics
verbs:
- get
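Review bot: no condition is visible around the rule at +132 to +138, so the `get` grant on `kcm/metrics` and `ksh/metrics` in `metrics.eks.amazonaws.com` would be rendered for every install of the chart, not only on EKS. The grant is read-only and has no effect where that API group does not exist, but I would either gate the rule on a provider check or extend the inline comment on the `apiGroups:` line to say that it is intentionally unconditional, so a later reader does not take it for leftover scope.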

@clamoriniere clamoriniere Feb 4, 2025


I wasn't sure, but this clusterrole is also used for the cluster-check-runner service account https://github.com/DataDog/helm-charts/blob/main/charts/datadog/templates/agent-clusterchecks-rbac.yaml so it should be ok when the check runs as a cluster check.

@justin-lesko justin-lesko changed the title [CONTINT-4500] Add EKS Clusterrole Rule for EKS control plane metrics [CONTINT-4500] [helm] Add EKS Clusterrole Rule for EKS control plane metrics Feb 4, 2025
@justin-lesko justin-lesko merged commit 0b87ebc into main Feb 4, 2025
26 checks passed
@justin-lesko justin-lesko deleted the justin/CONTINT-4500_add-eks-rule-to-clusterrole branch February 4, 2025 18:41