[CONTP-519] Support k8s admin events in operator (#1575)

* Support k8s admin events in operator
DataDog · Dec 18, 2024 · 6f3a79f · 6f3a79f
1 parent ca01a8d
commit 6f3a79f
Show file tree

Hide file tree

Showing 9 changed files with 168 additions and 22 deletions.
diff --git a/api/datadoghq/v2alpha1/datadogagent_default.go b/api/datadoghq/v2alpha1/datadogagent_default.go
@@ -79,6 +79,9 @@ const (
 	defaultAdmissionControllerMutationEnabled                 bool   = true
 	defaultAdmissionControllerMutateUnlabelled                bool   = false
 	defaultAdmissionServiceName                               string = "datadog-admission-controller"
+
+	defaultAdmissionControllerKubernetesAdmissionEventsEnabled bool = false
+
 	// DefaultAdmissionControllerCWSInstrumentationEnabled default CWS Instrumentation enabled value
 	DefaultAdmissionControllerCWSInstrumentationEnabled bool = false
 	// DefaultAdmissionControllerCWSInstrumentationMode default CWS Instrumentation mode
@@ -495,6 +498,12 @@ func defaultFeaturesConfig(ddaSpec *DatadogAgentSpec) {
 		apiutils.DefaultBooleanIfUnset(&agentSidecarInjection.ClusterAgentCommunicationEnabled, defaultAdmissionControllerAgentSidecarClusterAgentEnabled)
 	}
 
+	// K8s Admission Events in AdmissonController Feature
+	if ddaSpec.Features.AdmissionController.KubernetesAdmissionEvents == nil {
+		ddaSpec.Features.AdmissionController.KubernetesAdmissionEvents = &KubernetesAdmissionEventsConfig{}
+	}
+	apiutils.DefaultBooleanIfUnset(&ddaSpec.Features.AdmissionController.KubernetesAdmissionEvents.Enabled, defaultAdmissionControllerKubernetesAdmissionEventsEnabled)
+
 	// CWS Instrumentation in AdmissionController Feature
 	if ddaSpec.Features.AdmissionController.CWSInstrumentation == nil {
 		ddaSpec.Features.AdmissionController.CWSInstrumentation = &CWSInstrumentationConfig{}

diff --git a/api/datadoghq/v2alpha1/datadogagent_default_test.go b/api/datadoghq/v2alpha1/datadogagent_default_test.go
@@ -288,6 +288,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -479,6 +482,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(valueFalse),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(valueFalse),
+						},
 					},
 					ExternalMetricsServer: &ExternalMetricsServerFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(valueFalse),
@@ -624,6 +630,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -765,6 +774,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -901,6 +913,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -1039,6 +1054,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -1182,6 +1200,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -1321,6 +1342,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -1457,6 +1481,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -1483,6 +1510,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(true),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 				},
 			},
@@ -1605,6 +1635,9 @@ func Test_defaultFeatures(t *testing.T) {
 							Enabled: apiutils.NewBoolPointer(valueTrue),
 							Mode:    apiutils.NewStringPointer(DefaultAdmissionControllerCWSInstrumentationMode),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -1742,6 +1775,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -1900,6 +1936,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),
@@ -2049,6 +2088,9 @@ func Test_defaultFeatures(t *testing.T) {
 						CWSInstrumentation: &CWSInstrumentationConfig{
 							Enabled: apiutils.NewBoolPointer(DefaultAdmissionControllerCWSInstrumentationEnabled),
 						},
+						KubernetesAdmissionEvents: &KubernetesAdmissionEventsConfig{
+							Enabled: apiutils.NewBoolPointer(defaultAdmissionControllerKubernetesAdmissionEventsEnabled),
+						},
 					},
 					PrometheusScrape: &PrometheusScrapeFeatureConfig{
 						Enabled: apiutils.NewBoolPointer(defaultPrometheusScrapeEnabled),

diff --git a/api/datadoghq/v2alpha1/datadogagent_types.go b/api/datadoghq/v2alpha1/datadogagent_types.go
@@ -729,6 +729,10 @@ type AdmissionControllerFeatureConfig struct {
 	// +optional
 	Registry *string `json:"registry,omitempty"`
 
+	// KubernetesAdmissionEvents holds the Kubernetes Admission Events configuration.
+	// +optional
+	KubernetesAdmissionEvents *KubernetesAdmissionEventsConfig `json:"kubernetesAdmissionEvents,omitempty"`
+
 	// CWSInstrumentation holds the CWS Instrumentation endpoint configuration
 	// +optional
 	CWSInstrumentation *CWSInstrumentationConfig `json:"cwsInstrumentation,omitempty"`
@@ -809,6 +813,13 @@ type Profile struct {
 	ResourceRequirements *corev1.ResourceRequirements `json:"resources,omitempty"`
 }
 
+type KubernetesAdmissionEventsConfig struct {
+	// Enable the Kubernetes Admission Events feature.
+	// Default: false
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
 // CWSInstrumentationConfig contains the configuration of the CWS Instrumentation admission controller endpoint.
 type CWSInstrumentationConfig struct {
 	// Enable the CWS Instrumentation admission controller endpoint.

diff --git a/api/datadoghq/v2alpha1/zz_generated.deepcopy.go b/api/datadoghq/v2alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents.yaml b/config/crd/bases/v1/datadoghq.com_datadogagents.yaml
@@ -435,6 +435,15 @@ spec:
                         failurePolicy:
                           description: FailurePolicy determines how unrecognized and timeout errors are handled.
                           type: string
+                        kubernetesAdmissionEvents:
+                          description: KubernetesAdmissionEvents holds the Kubernetes Admission Events configuration.
+                          properties:
+                            enabled:
+                              description: |-
+                                Enable the Kubernetes Admission Events feature.
+                                Default: false
+                              type: boolean
+                          type: object
                         mutateUnlabelled:
                           description: |-
                             MutateUnlabelled enables config injection without the need of pod label 'admission.datadoghq.com/enabled="true"'.
@@ -7170,6 +7179,15 @@ spec:
                             failurePolicy:
                               description: FailurePolicy determines how unrecognized and timeout errors are handled.
                               type: string
+                            kubernetesAdmissionEvents:
+                              description: KubernetesAdmissionEvents holds the Kubernetes Admission Events configuration.
+                              properties:
+                                enabled:
+                                  description: |-
+                                    Enable the Kubernetes Admission Events feature.
+                                    Default: false
+                                  type: boolean
+                              type: object
                             mutateUnlabelled:
                               description: |-
                                 MutateUnlabelled enables config injection without the need of pod label 'admission.datadoghq.com/enabled="true"'.

diff --git a/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json b/config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json
@@ -430,6 +430,17 @@
                   "description": "FailurePolicy determines how unrecognized and timeout errors are handled.",
                   "type": "string"
                 },
+                "kubernetesAdmissionEvents": {
+                  "additionalProperties": false,
+                  "description": "KubernetesAdmissionEvents holds the Kubernetes Admission Events configuration.",
+                  "properties": {
+                    "enabled": {
+                      "description": "Enable the Kubernetes Admission Events feature.\nDefault: false",
+                      "type": "boolean"
+                    }
+                  },
+                  "type": "object"
+                },
                 "mutateUnlabelled": {
                   "description": "MutateUnlabelled enables config injection without the need of pod label 'admission.datadoghq.com/enabled=\"true\"'.\nDefault: false",
                   "type": "boolean"
@@ -7103,6 +7114,17 @@
                       "description": "FailurePolicy determines how unrecognized and timeout errors are handled.",
                       "type": "string"
                     },
+                    "kubernetesAdmissionEvents": {
+                      "additionalProperties": false,
+                      "description": "KubernetesAdmissionEvents holds the Kubernetes Admission Events configuration.",
+                      "properties": {
+                        "enabled": {
+                          "description": "Enable the Kubernetes Admission Events feature.\nDefault: false",
+                          "type": "boolean"
+                        }
+                      },
+                      "type": "object"
+                    },
                     "mutateUnlabelled": {
                       "description": "MutateUnlabelled enables config injection without the need of pod label 'admission.datadoghq.com/enabled=\"true\"'.\nDefault: false",
                       "type": "boolean"

diff --git a/docs/configuration.v2alpha1.md b/docs/configuration.v2alpha1.md
@@ -49,6 +49,7 @@ spec:
 | features.admissionController.cwsInstrumentation.mode | Defines the behavior of the CWS Instrumentation endpoint, and can be either "init_container" or "remote_copy". Default: "remote_copy" |
 | features.admissionController.enabled | Enables the Admission Controller. Default: true |
 | features.admissionController.failurePolicy | FailurePolicy determines how unrecognized and timeout errors are handled. |
+| features.admissionController.kubernetesAdmissionEvents.enabled | Enable the Kubernetes Admission Events feature. Default: false |
 | features.admissionController.mutateUnlabelled | MutateUnlabelled enables config injection without the need of pod label 'admission.datadoghq.com/enabled="true"'. Default: false |
 | features.admissionController.mutation.enabled | Enables the Admission Controller mutation webhook. Default: true |
 | features.admissionController.registry | Defines an image registry for the admission controller. |