[Backport v1.25] [ACTP] Add k8s remediation RBAC rules for private action runner#2780

Open
dd-octo-sts[bot] wants to merge 1 commit into v1.25 from backport-2770-to-v1.25

Conversation

@dd-octo-sts dd-octo-sts bot commented Mar 19, 2026

Backport 6a0f976 from #2770.


What does this PR do?

Extends the private action runner cluster agent RBAC with additional policy rules when k8s remediation is enabled via the annotation cluster-agent.datadoghq.com/private-action-runner-k8s-remediation-enabled: "true".

When the annotation is set, some PolicyRule entries are appended, among which:

  • get/watch/patch/create on deployments, pods, configmaps, and events
  • update on configmaps

Motivation

K8s remediation actions require the cluster agent to interact with workload resources (deployments, pods) and to record events and manage configmaps. Without these RBAC rules the runner cannot execute remediation workflows.

Why only these permissions?
We conducted an experiment to find the maximum possible capabilities of the DCA SA today (if all features are enabled) and inferred this list for our immediate use cases.

Minimum Agent Versions

No minimum version requirement.

Describe your test plan

  • Unit tests
  • Deployed in a local cluster and checked the SA:

```shell
# Build the operator image
make IMG=test/operator:dev docker-build
# Install CRDs
make install
# Deploy the operator
make IMG=test/operator:dev deploy

kubectx docker-desktop

kubectl apply -k ./bin/manifests
kubectl get clusterrole datadog-private-action-runner -o yaml
```

* Add k8s remediation RBAC rules for private action runner

When the annotation `cluster-agent.datadoghq.com/private-action-runner-k8s-remediation-enabled`
is set to true, extend the cluster agent RBAC with additional policy rules
for deployments, pods, configmaps, and events needed for k8s remediation.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* create new clusterrole

* update rbac

* revert

* Add kubebuilder RBAC markers for PAR k8s remediation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* update comment

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
(cherry picked from commit 6a0f976)
@dd-octo-sts dd-octo-sts bot added the labels enhancement (New feature or request), qa/skip-qa and backport (label added by backport action) Mar 19, 2026
@dd-octo-sts dd-octo-sts bot requested a review from a team as a code owner March 19, 2026 10:40
@dd-octo-sts dd-octo-sts bot added the bot label (label added by backport bot) Mar 19, 2026
@dd-octo-sts dd-octo-sts bot requested review from a team as code owners March 19, 2026 10:40
@dd-octo-sts dd-octo-sts bot requested a review from embeaken March 19, 2026 10:40
@dd-octo-sts dd-octo-sts bot added this to the v1.25.0 milestone Mar 19, 2026
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a21e39fe37

Comment on lines +185 to +189

```go
err := managers.RBACManager().AddClusterPolicyRulesByComponent(
	f.owner.GetNamespace(),
	f.getRbacResourcesName(),
	f.clusterServiceAccountName,
	getClusterAgentRBACPolicyRules(f.clusterConfig.IdentitySecretName),
	clusterAgentPolicyRules,
```

P1: Keep self-enroll secret access namespaced

When private_action_runner.self_enroll is true, clusterAgentPolicyRules contains getClusterAgentRBACPolicyRules(...), which used to be installed with AddPolicyRules as a namespaced Role. Binding that same rule here via AddClusterPolicyRulesByComponent makes the Secret permission cluster-wide, so the cluster-agent service account can get/update/create any Secret with the same identity_secret_name in every namespace. In multi-tenant clusters, or when multiple DatadogAgent instances reuse the default secret name, this is a real privilege expansion unrelated to the new remediation access.

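The scoping concern in the comment above, worked as an added example (not the operator's own code): a stand-in PolicyRule type, a split that keeps Secret rules out of the ClusterRole so they can remain a namespaced Role, and a rendering of what the same rule grants under a ClusterRoleBinding versus a RoleBinding. The PolicyRule struct, SplitByScope, EffectiveScope, the "datadog" namespace and the "<identity_secret_name>" placeholder are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule: minimal stand-in for the rbac/v1 fields used here (an assumption, not the operator's type).
type PolicyRule struct {
	APIGroups, Resources, ResourceNames, Verbs []string
}
// SplitByScope keeps rules touching a resource in keepNamespaced (secrets here) out of the ClusterRole so
// they can stay in a namespaced Role (the "scope it back down" option from the thread); the rest may go cluster-wide.
func SplitByScope(rules []PolicyRule, keepNamespaced map[string]bool) (cluster, namespaced []PolicyRule) {
	for _, r := range rules {
		toNS := false
		for _, res := range r.Resources {
			toNS = toNS || keepNamespaced[res] || res == "*"
		}
		if toNS {
			namespaced = append(namespaced, r)
		} else {
			cluster = append(cluster, r)
		}
	}
	return cluster, namespaced
}
// EffectiveScope renders what one rule grants once bound: a ClusterRoleBinding applies it (resourceNames
// restriction included) in every namespace, while a RoleBinding confines the same rule to one namespace.
func EffectiveScope(r PolicyRule, clusterBound bool, namespace string) string {
	scope, names := namespace, "*"
	if clusterBound {
		scope = "*"
	}
	if len(r.ResourceNames) > 0 {
		names = strings.Join(r.ResourceNames, ",")
	}
	return fmt.Sprintf("ns=%s res=%s names=%s verbs=%s", scope, strings.Join(r.Resources, ","), names, strings.Join(r.Verbs, ","))
}

func main() {
	// Constructed input: a remediation rule from the PR plus a stand-in for the self-enroll identity-secret rule.
	rules := []PolicyRule{
		{APIGroups: []string{"apps"}, Resources: []string{"deployments"}, Verbs: []string{"get", "watch", "patch", "create"}},
		{APIGroups: []string{""}, Resources: []string{"secrets"}, ResourceNames: []string{"<identity_secret_name>"}, Verbs: []string{"get", "update", "create"}},
	}
	_, namespaced := SplitByScope(rules, map[string]bool{"secrets": true})
	fmt.Println("as ClusterRole:", EffectiveScope(namespaced[0], true, "datadog"))
	fmt.Println("as Role:       ", EffectiveScope(namespaced[0], false, "datadog"))
}
```

The two printed lines differ only in ns=* versus ns=datadog, which is exactly the expansion the review flags: the resourceNames restriction survives, but it now applies in every namespace.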

Contributor replied:

🤔 This does seem like a valid concern... the DCA now has permissions to update any secret with this name instead of just the secret within its own namespace... I think it would be nice to scope this back down to the limited permissions needed. Thoughts?


codecov-commenter commented Mar 19, 2026

Codecov Report

❌ Patch coverage is 20.00000% with 28 lines in your changes missing coverage. Please review.
✅ Project coverage is 38.76%. Comparing base (bb829df) to head (a21e39f).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...r/datadogagent/feature/privateactionrunner/rbac.go | 0.00% | 26 Missing ⚠️ |
| ...atadogagent/feature/privateactionrunner/feature.go | 77.77% | 1 Missing and 1 partial ⚠️ |

```text
@@            Coverage Diff             @@
##            v1.25    #2780      +/-   ##
==========================================
- Coverage   38.79%   38.76%   -0.03%     
==========================================
  Files         309      309              
  Lines       26736    26769      +33     
==========================================
+ Hits        10373    10378       +5     
- Misses      15584    15611      +27     
- Partials      779      780       +1     
```
| Flag | Coverage Δ |
|---|---|
| unittests | 38.76% <20.00%> (-0.03%) ⬇️ |


| Files with missing lines | Coverage Δ |
|---|---|
| ...nal/controller/datadogagent/feature/utils/utils.go | 0.00% <ø> (ø) |
| internal/controller/datadogagent_controller.go | 66.66% <ø> (ø) |
| ...atadogagent/feature/privateactionrunner/feature.go | 76.96% <77.77%> (-0.25%) ⬇️ |
| ...r/datadogagent/feature/privateactionrunner/rbac.go | 25.71% <0.00%> (-74.29%) ⬇️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data