From c2ffbd650e8de02f4db789fc374c48f9475c244e Mon Sep 17 00:00:00 2001 From: Celene Date: Fri, 10 Jan 2025 09:27:01 -0500 Subject: [PATCH] make small adjustments to clusterrole --- config/rbac/role.yaml | 33 +++++++++---------- .../controller/datadogagent_controller.go | 28 ++++++++-------- 2 files changed, 30 insertions(+), 31 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 1187eb280..74f2d6a74 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -14,7 +14,12 @@ rules: resources: - componentstatuses - deployments + - limitranges - namespaces + - persistentvolumeclaims + - persistentvolumes + - replicationcontrollers + - resourcequotas verbs: - get - list @@ -37,17 +42,6 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - limitranges - - persistentvolumeclaims - - persistentvolumes - - replicationcontrollers - - resourcequotas - verbs: - - list - - watch - apiGroups: - "" resources: @@ -66,6 +60,12 @@ rules: - nodes/stats verbs: - get +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create - apiGroups: - '*' resources: @@ -142,12 +142,8 @@ rules: verbs: - create - get -- apiGroups: - - authorization.k8s.io - resources: - - pods/exec - verbs: - - create + - list + - watch - apiGroups: - authorization.k8s.io resources: @@ -200,6 +196,7 @@ rules: resources: - certificatesigningrequests verbs: + - get - list - watch - apiGroups: @@ -273,6 +270,7 @@ rules: verbs: - create - delete + - get - list - watch - apiGroups: @@ -356,5 +354,6 @@ rules: - storageclasses - volumeattachments verbs: + - get - list - watch diff --git a/internal/controller/datadogagent_controller.go b/internal/controller/datadogagent_controller.go index 031ff6c30..9b8f89c13 100644 --- a/internal/controller/datadogagent_controller.go +++ b/internal/controller/datadogagent_controller.go 
@@ -66,7 +66,7 @@ type DatadogAgentReconciler struct { // +kubebuilder:rbac:groups=authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=authorization.k8s.io,resources=pods/exec,verbs=create +// +kubebuilder:rbac:groups="",resources=pods/exec,verbs=create // Configure Admission Controller // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations;mutatingwebhookconfigurations,verbs=* @@ -74,8 +74,8 @@ type DatadogAgentReconciler struct { // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get // +kubebuilder:rbac:groups=apps,resources=replicasets,verbs=get // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get -// +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create;get -// +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create;get +// +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=get;create;list;watch +// +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=get;create // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get 
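Review bot: Moving the `pods/exec` marker from `authorization.k8s.io` to the core group `""` turns a rule that was inert (there is no `pods/exec` resource under `authorization.k8s.io`, so the old line granted nothing) into a live `create` on `pods/exec` in the operator's ClusterRole, and neither the marker nor the commit message says which code path execs into pods. A one-line comment above the marker would record the reason for auditors, e.g. `// pods/exec create: needed so the operator can include it in the agent RBAC it manages (apiserver escalation check); the operator itself does not exec` — if that is the actual reason, otherwise name the component that does. If exec is only ever needed against pods the operator owns, a namespaced Role would be the narrower home for it. The generated `config/rbac/role.yaml` hunk `@@ -66,6 +60,12 @@` mirrors this change.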
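Review bot: The `list` and `watch` verbs added to the `tokenreviews` marker grant nothing usable: TokenReview, like SubjectAccessReview, is a non-persisted create-only API, so the only verb the apiserver ever evaluates on it is `create`, and `get` on either review resource is equally inert. Such entries widen the written policy without effect and are exactly what an RBAC audit will flag as unexplained; `// +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create` is the least-privilege form. The `subjectaccessreviews` line changes only verb order. The generated yaml hunk `@@ -142,12 +142,8 @@` in `config/rbac/role.yaml` carries the same additions.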
@@ -83,7 +83,7 @@ type DatadogAgentReconciler struct { // +kubebuilder:rbac:groups=apiregistration.k8s.io,resources=apiservices,verbs=* // +kubebuilder:rbac:groups=datadoghq.com,resources=watermarkpodautoscalers,verbs=get;list;watch // +kubebuilder:rbac:groups=external.metrics.k8s.io,resources=*,verbs=get;list;watch -// +kubebuilder:rbac:groups=datadoghq.com,resources=datadogmetrics,verbs=list;watch;create;delete +// +kubebuilder:rbac:groups=datadoghq.com,resources=datadogmetrics,verbs=get;list;watch;create;delete // +kubebuilder:rbac:groups=datadoghq.com,resources=datadogmetrics/status,verbs=update // Configure Autoscaling product 
@@ -129,15 +129,15 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=deployments,verbs=get;list;watch
-// +kubebuilder:rbac:groups="",resources=limitranges,verbs=list;watch
+// +kubebuilder:rbac:groups="",resources=limitranges,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=replicasets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch
 // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch
-// +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=list;watch
-// +kubebuilder:rbac:groups="",resources=persistentvolumes,verbs=list;watch
+// +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=persistentvolumes,verbs=get;list;watch
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=list;watch
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=list;watch
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=list;watch
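Review bot: `get` is added to `limitranges`, `persistentvolumeclaims` and `persistentvolumes` here, and to `resourcequotas`, `replicationcontrollers`, `certificatesigningrequests`, `storageclasses` and `volumeattachments` in the next two hunks (`@@ -149,13 +149,13 @@` and `@@ -163,14 +163,14 @@`), while the neighbouring markers for the same collectors (configmaps, endpoints, nodes, pods, secrets, services) keep `list;watch`, so the block is no longer internally consistent and the commit does not say which code path issues a Get. Informer-driven collection needs only `list;watch`; if a direct client lookup genuinely requires it, a short comment at the top of the block, `// get is required in addition to list;watch because <CALLER — fill in>`, would record that, otherwise the previous verbs are the least-privilege form. Note also that limitranges/persistentvolumeclaims/persistentvolumes are declared both here and in the Kubernetes_state_core block; controller-gen appears to union the verbs when generating `config/rbac/role.yaml`, so the two copies should stay identical or the narrower one is silently widened by the other.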
@@ -149,13 +149,13 @@ type DatadogAgentReconciler struct {
 // Kubernetes_state_core
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=list;watch
 // +kubebuilder:rbac:groups="",resources=endpoints,verbs=list;watch
-// +kubebuilder:rbac:groups="",resources=limitranges,verbs=list;watch
+// +kubebuilder:rbac:groups="",resources=limitranges,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=list;watch
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=list;watch
-// +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=list;watch
-// +kubebuilder:rbac:groups="",resources=persistentvolumes,verbs=list;watch
+// +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=persistentvolumes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=pods,verbs=list;watch
-// +kubebuilder:rbac:groups="",resources=resourcequotas,verbs=list;watch
+// +kubebuilder:rbac:groups="",resources=resourcequotas,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=list;watch
 // +kubebuilder:rbac:groups="",resources=services,verbs=list;watch
 // +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=list;watch
@@ -163,14 +163,14 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups=apps,resources=replicasets,verbs=list;watch
 // +kubebuilder:rbac:groups=apps,resources=replicationcontrollers,verbs=list;watch
 // +kubebuilder:rbac:groups=apps;extensions,resources=daemonsets;deployments;replicasets,verbs=list;watch
-// +kubebuilder:rbac:groups="",resources=replicationcontrollers,verbs=list;watch
+// +kubebuilder:rbac:groups="",resources=replicationcontrollers,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=list;watch
 // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=list;watch
 // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=list;watch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=list;watch
-// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=list;watch
+// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=get;list;watch
 // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=list;watch
-// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses;volumeattachments,verbs=list;watch
+// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses;volumeattachments,verbs=get;list;watch
 // +kubebuilder:rbac:groups=autoscaling.k8s.io,resources=verticalpodautoscalers,verbs=list;watch
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=list;watch
 // +kubebuilder:rbac:groups=extensions,resources=customresourcedefinitions,verbs=list;watch