[ACTP] Fix PAR self_enroll Secret RBAC promoted to cluster-wide scope#2781
merchristK wants to merge 3 commits into main from
Conversation
When k8s remediation was added in #2770, the self_enroll identity-secret rules were merged into the same AddClusterPolicyRulesByComponent call as the remediation rules. This silently promoted the Secret get/update/create permission from a namespaced Role to a ClusterRole, letting the cluster agent ServiceAccount access any Secret matching the identity secret name in every namespace.

Restore the self_enroll rules to AddPolicyRulesByComponent (namespaced Role) and keep only the k8s remediation rules in AddClusterPolicyRulesByComponent, which legitimately requires cluster-wide workload access.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
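The scope mistake described above is easy to miss in review because a resourceNames restriction looks like a narrowing but does not touch the namespace dimension. The following is an added example, not code from the datadog-operator: a small audit that flags any rule on a sensitive namespaced resource (Secrets, ServiceAccount tokens) that would be written into a ClusterRole, and shows the pre-fix merged rule set producing a finding while the post-fix split does not. The PolicyRule struct mirrors the rbacv1.PolicyRule fields needed here (an assumption, so the block runs without k8s.io imports), and the secret name "par-identity" and the remediation resources are constructed placeholders, not the operator's actual values.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule mirrors the rbacv1.PolicyRule fields this audit needs. It is an
// assumption made for this example, not the operator's own type.
type PolicyRule struct {
	APIGroups     []string
	Resources     []string
	ResourceNames []string
	Verbs         []string
}

// RoleScope records where a rule set will be written: a namespaced Role or a
// ClusterRole. A ClusterRole bound with a ClusterRoleBinding applies every rule
// in it to all namespaces.
type RoleScope int

const (
	NamespacedRole RoleScope = iota
	ClusterRole
)

// sensitiveNamespaced lists core-group resources that a component should only
// be granted cluster-wide when it genuinely needs them in every namespace.
var sensitiveNamespaced = map[string]bool{
	"secrets":               true,
	"serviceaccounts/token": true,
}

func containsAny(haystack []string, needles ...string) bool {
	for _, h := range haystack {
		for _, n := range needles {
			if h == n {
				return true
			}
		}
	}
	return false
}

// AuditClusterRules returns one finding per rule that would grant access to a
// sensitive namespaced resource at cluster scope. A resourceNames restriction is
// reported rather than treated as a mitigation: it narrows the object name, not
// the namespace, so a ClusterRole scoped to one Secret name still reaches that
// name in every namespace. Rules destined for a namespaced Role yield no finding.
func AuditClusterRules(scope RoleScope, rules []PolicyRule) []string {
	if scope != ClusterRole {
		return nil
	}
	var findings []string
	for _, rule := range rules {
		if !containsAny(rule.APIGroups, "", "*") {
			continue // the sensitive resources above all live in the core API group
		}
		for _, res := range rule.Resources {
			if res != "*" && !sensitiveNamespaced[res] {
				continue
			}
			names := "any name"
			if len(rule.ResourceNames) > 0 {
				names = "name(s) " + strings.Join(rule.ResourceNames, ",")
			}
			findings = append(findings, fmt.Sprintf(
				"ClusterRole grants %s on %s (%s) in every namespace",
				strings.Join(rule.Verbs, ","), res, names))
		}
	}
	return findings
}

func main() {
	// Constructed rules for the two concerns the PR separates. The secret name and
	// the workload resources are illustrative, not the operator's actual values.
	identitySecret := PolicyRule{
		APIGroups:     []string{""},
		Resources:     []string{"secrets"},
		ResourceNames: []string{"par-identity"},
		Verbs:         []string{"get", "update", "create"},
	}
	remediation := PolicyRule{
		APIGroups: []string{"apps"},
		Resources: []string{"deployments", "statefulsets"},
		Verbs:     []string{"get", "list", "patch"},
	}

	// Before the fix: both rule sets merged into one ClusterRole -> one finding.
	fmt.Println("merged: ", AuditClusterRules(ClusterRole, []PolicyRule{identitySecret, remediation}))
	// After the fix: the secret rule lands in a Role, only remediation stays cluster-wide.
	fmt.Println("role:   ", AuditClusterRules(NamespacedRole, []PolicyRule{identitySecret}))
	fmt.Println("cluster:", AuditClusterRules(ClusterRole, []PolicyRule{remediation}))
}
```

To confirm the same thing against a live cluster after the operator is upgraded, impersonate the cluster agent ServiceAccount and probe a namespace other than its own, e.g. `kubectl auth can-i get secrets --as=system:serviceaccount:<agent-ns>:<agent-sa> -n <other-ns>`; the expected answer is "no" once the Secret rule is back in a namespaced Role.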
Codecov Report ❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #2781 +/- ##
==========================================
- Coverage 38.78% 38.76% -0.02%
==========================================
Files 309 309
Lines 26839 26844 +5
==========================================
- Hits 10409 10406 -3
- Misses 15650 15658 +8
Partials 780 780
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4c45086c32
internal/controller/datadogagent/feature/privateactionrunner/feature.go (two resolved review threads on an outdated revision)
| if len(clusterAgentPolicyRules) > 0 { | ||
| err := managers.RBACManager().AddClusterPolicyRulesByComponent( | ||
| // This creates a ClusterRole with cluster-wide access to workload resources for k8s remediation. | ||
| err := managers.RBACManager().AddClusterPolicyRules( |
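Review bot: the comment added with the new `AddClusterPolicyRules(` call says it creates a ClusterRole with cluster-wide workload access, but the PR description says the remediation rules are kept in `AddClusterPolicyRulesByComponent` and only the self_enroll rules move to a namespaced helper; the hunk and the description disagree on which helper the remediation rules end up in. Since the whole fix turns on which helper produces a namespaced Role versus a ClusterRole, please confirm the scope `AddClusterPolicyRules` actually produces, make the inline comment state that scope explicitly, and update the description to match. A unit test asserting that the Secret rule is present only in the Role and absent from the ClusterRole would keep the two from drifting apart again.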
What is the difference between AddClusterPolicyRulesByComponent and AddClusterPolicyRules?
The first one adds a ClusterRole (not namespaced) and the second one adds a Role (which is namespaced).

What does this PR do?
Restores the self_enroll identity-secret RBAC rules for the Private Action Runner to a namespaced Role, undoing an unintended privilege escalation introduced in #2770.
Motivation
See https://github.com/DataDog/datadog-operator/pull/2780/changes#r2959203865
Minimum Agent Versions
N/A — operator-only change.
Describe your test plan