Add RBAC for Gateway API, service mesh, and ingress controller CRDs#2874
Open
eliottness wants to merge 4 commits into main from
Conversation
Add opt-in `networkCRDs.enabled` boolean to OrchestratorExplorerFeatureConfig that grants list/watch RBAC for 15 API groups used by Gateway API, service mesh (Istio, Envoy Gateway, Traefik Legacy, Linkerd, Consul, Kuma), and ingress controllers (NGINX, Traefik, Kong, HAProxy). Uses resource-specific rules for high-volume vendors (Gateway API, Istio, NGINX, Traefik) and group-level wildcards for the long tail. Also replaces inline string literals in appsec RBAC with shared constants.
The gci formatter requires a blank line between the Traefik resources block and the general resources block, and re-aligns the equals signs to match the new block's column width.
Codecov Report

❌ Patch coverage is

@@            Coverage Diff             @@
##             main    #2874      +/-   ##
==========================================
+ Coverage   39.45%   40.03%   +0.58%
==========================================
  Files         315      319       +4
  Lines       27482    28640    +1158
==========================================
+ Hits        10842    11465     +623
- Misses      15836    16339     +503
- Partials      804      836      +32

... and 13 files with indirect coverage changes
gh-worker-dd-mergequeue-cf854d bot pushed a commit to DataDog/datadog-agent that referenced this pull request on Apr 9, 2026
…mesh, and ingress controllers (#48966)

### What does this PR do?

Adds 22 new builtin CRD entries to the orchestrator explorer so Cloud Security can determine internet-reachability paths for k8s workloads. Uses a hybrid collection strategy: resource-specific entries for high-volume vendors (Istio, NGINX, Traefik) and group-level entries for less common vendors.

Three new per-family config flags (all **opt-in, default: false**):

- `orchestrator_explorer.custom_resources.ootb.gateway_api`
- `orchestrator_explorer.custom_resources.ootb.service_mesh`
- `orchestrator_explorer.custom_resources.ootb.ingress_controllers`

**New families:**

- **Gateway API** (5 resource-specific): gateways, httproutes, grpcroutes, tlsroutes, listenersets
- **Service mesh — Istio** (5 resource-specific): virtualservices, gateways, destinationrules, serviceentries, sidecars (with v1beta1 fallback)
- **Service mesh — others** (6 group-level): Envoy Gateway, Traefik (legacy), Linkerd, Consul, Consul Mesh, Kuma
- **Ingress controllers — NGINX** (2 resource-specific): virtualservers, virtualserverroutes
- **Ingress controllers — Traefik** (1 resource-specific): ingressroutes
- **Ingress controllers — others** (3 group-level): Kong, HAProxy Core, HAProxy v1

### Motivation

Cloud Security needs to tell customers which container workloads are internet-reachable. Today, the agent collects standard Ingress and Service objects, covering ~16% of EKS customers. Over 36% use service meshes or non-standard ingress controllers whose exposure paths go through CRDs we don't collect.

RFC: https://datadoghq.atlassian.net/wiki/x/4IOyfAE
Technical implementation: https://datadoghq.atlassian.net/wiki/x/EgO6fAE

### Describe how you validated your changes

- All existing tests pass: `TestNewBuiltinCRDConfigs`, `TestImportBuiltinCollectors`, `TestGetDatadogCustomResourceCollectors`, `TestFilterCRCollectorsByPermission`
- New test `TestNewBuiltinCRDConfigsPerFamilyFlags` verifies each per-family flag independently disables its family, and the global OOTB flag disables everything
- Package compiles cleanly with `go build -tags "kubeapiserver orchestrator"`

### Additional Notes

**All three flags default to `false` (opt-in).** Collection is only activated when RBAC is granted (via helm/operator) and the corresponding flag is set to `true`.

**Merge order:** The backend allowlist PR (dd-go) must be deployed before this PR merges, otherwise collected CRs will be silently dropped.

- [ ] Backend allowlist deployed: DataDog/dd-go#230589
- [ ] Helm chart RBAC merged: DataDog/helm-charts#2541
- [ ] Operator RBAC merged: DataDog/datadog-operator#2874

## Related PRs

| Repo | PR | Purpose |
|------|----|---------|
| DataDog/dd-go | DataDog/dd-go#230589 | Backend allowlist (deploy FIRST) |
| DataDog/helm-charts | DataDog/helm-charts#2541 | Helm chart RBAC |
| DataDog/datadog-operator | DataDog/datadog-operator#2874 | Operator RBAC |

Co-authored-by: eliott.bouhana <eliott.bouhana@datadoghq.com>
…agent
When networkCRDs.enabled=true, set all three per-family agent config flags
on the cluster-agent pod so collection is activated alongside the RBAC:
DD_ORCHESTRATOR_EXPLORER_CUSTOM_RESOURCES_OOTB_GATEWAY_API=true
DD_ORCHESTRATOR_EXPLORER_CUSTOM_RESOURCES_OOTB_SERVICE_MESH=true
DD_ORCHESTRATOR_EXPLORER_CUSTOM_RESOURCES_OOTB_INGRESS_CONTROLLERS=true
These map to orchestrator_explorer.custom_resources.ootb.{gateway_api,
service_mesh,ingress_controllers} in the agent config (DataDog/datadog-agent#48966).
janine-c approved these changes on Apr 13, 2026
What does this PR do?

Adds list/watch RBAC permissions for 14 new API groups to the cluster agent ClusterRole, enabling OOTB collection of network topology CRDs for Cloud Security internet-reachability analysis.

Gated behind `features.orchestratorExplorer.networkCRDs.enabled` (default: false, opt-in).

New API groups:

- gateway.networking.k8s.io (resource-specific)
- networking.istio.io (resource-specific), gateway.envoyproxy.io, traefik.containo.us, policy.linkerd.io, consul.hashicorp.com, mesh.consul.hashicorp.com, kuma.io
- k8s.nginx.org, traefik.io (resource-specific), configuration.konghq.com, core.haproxy.org, ingress.v1.haproxy.org

Motivation

The Datadog Agent is adding OOTB collection of these CRDs for Cloud Security internet-reachability analysis. The operator needs to grant the cluster agent RBAC permissions to list/watch these resources.

RFC: https://datadoghq.atlassian.net/wiki/x/4IOyfAE

Describe how you validated your changes

- `NetworkCRDsConfig` type added to the DatadogAgent v2alpha1 API
- `pkg/kubernetes/rbac/const.go`

Additional Notes

This PR should be merged before the corresponding agent PR. Collection is opt-in — both the operator flag and the agent-side flags must be enabled.

Related PRs
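The RBAC scope the PR describes (list/watch only, resource-specific rules for Gateway API, Istio, NGINX and Traefik, group-level wildcards for the long tail) as an added example in Go. This is not the operator's code: `PolicyRule` is a local mirror of the three `rbac.authorization.k8s.io/v1` PolicyRule fields used here so the block runs without `k8s.io/api`, the API groups are the ones listed in this PR, and the resource names per group are taken from the referenced agent PR's family list, so the exact split is an assumption. `NetworkCRDRules`, `Findings`, `Allowed` and `ResourceSpecificGroups` are names chosen for this example. `Findings` is the least-privilege check a reviewer would want: it flags any verb beyond list/watch, any rule reaching the core or wildcard API group, and a resource wildcard on a group that was meant to get named resources. `Allowed` answers the same question `kubectl auth can-i` would, offline, against the generated rules.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a local mirror of the three rbac.authorization.k8s.io/v1
// PolicyRule fields used here (example type, not the operator's).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// ResourceSpecificGroups are the high-volume vendors that get named
// resources instead of a group-level wildcard, per the PR description.
var ResourceSpecificGroups = map[string]bool{
	"gateway.networking.k8s.io": true,
	"networking.istio.io":       true,
	"k8s.nginx.org":             true,
	"traefik.io":                true,
}

// NetworkCRDRules returns the rules networkCRDs.enabled would add.
// Groups come from the PR; the resource names per group follow the
// referenced agent PR's family list (an assumption about the split).
func NetworkCRDRules(enabled bool) []PolicyRule {
	if !enabled {
		return nil
	}
	ro := func(group string, resources ...string) PolicyRule {
		return PolicyRule{APIGroups: []string{group}, Resources: resources, Verbs: []string{"list", "watch"}}
	}
	return []PolicyRule{
		ro("gateway.networking.k8s.io", "gateways", "httproutes", "grpcroutes", "tlsroutes", "listenersets"),
		ro("networking.istio.io", "virtualservices", "gateways", "destinationrules", "serviceentries", "sidecars"),
		ro("k8s.nginx.org", "virtualservers", "virtualserverroutes"),
		ro("traefik.io", "ingressroutes"),
		// Long tail: every resource in the group, still read-only.
		ro("gateway.envoyproxy.io", "*"),
		ro("traefik.containo.us", "*"),
		ro("policy.linkerd.io", "*"),
		ro("consul.hashicorp.com", "*"),
		ro("mesh.consul.hashicorp.com", "*"),
		ro("kuma.io", "*"),
		ro("configuration.konghq.com", "*"),
		ro("core.haproxy.org", "*"),
		ro("ingress.v1.haproxy.org", "*"),
	}
}

// Findings reports every way a rule set exceeds the intended scope: a verb
// other than list/watch, the core ("") or wildcard ("*") API group, or a
// resource wildcard on a group that was meant to be resource-specific.
func Findings(rules []PolicyRule) []string {
	var out []string
	for _, r := range rules {
		groups := strings.Join(r.APIGroups, ",")
		for _, v := range r.Verbs {
			if v != "list" && v != "watch" {
				out = append(out, fmt.Sprintf("%s: verb %q is not read-only", groups, v))
			}
		}
		for _, g := range r.APIGroups {
			if g == "" || g == "*" {
				out = append(out, fmt.Sprintf("%v: granted on the core or wildcard API group", r.Resources))
				continue
			}
			for _, res := range r.Resources {
				if res == "*" && ResourceSpecificGroups[g] {
					out = append(out, fmt.Sprintf("%s: resource wildcard where named resources were intended", g))
				}
			}
		}
	}
	return out
}

// Allowed evaluates a rule set the way the RBAC authorizer does for a
// cluster-scoped resource request: any rule matching group, resource and verb wins.
func Allowed(rules []PolicyRule, group, resource, verb string) bool {
	for _, r := range rules {
		if matches(r.APIGroups, group) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

func matches(set []string, want string) bool {
	for _, s := range set {
		if s == "*" || s == want {
			return true
		}
	}
	return false
}

func main() {
	rules := NetworkCRDRules(true)
	fmt.Printf("%d rules, findings: %v\n", len(rules), Findings(rules))
	fmt.Println("list virtualservices:", Allowed(rules, "networking.istio.io", "virtualservices", "list"))
	fmt.Println("delete virtualservices:", Allowed(rules, "networking.istio.io", "virtualservices", "delete"))
	fmt.Println("list core secrets:", Allowed(rules, "", "secrets", "list"))
	// A deliberately over-broad rule, constructed here to show what the audit flags.
	bad := []PolicyRule{{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}}}
	fmt.Println("over-broad rule findings:", Findings(bad))
}
```

Against a live cluster the equivalent check per group is `kubectl auth can-i list virtualservices.networking.istio.io --as=system:serviceaccount:<namespace>:<cluster-agent-service-account>` (placeholders in angle brackets), which should answer yes for list/watch and no for any other verb once the flag is enabled, and no for everything while it is off.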