[datadog] Add RBAC for network topology CRD collection#2541
Draft
eliottness wants to merge 3 commits into main from
Conversation
…ler CRDs Add list/watch RBAC rules for 15 new API groups needed by the orchestrator explorer to collect network topology CRDs for internet-reachability analysis. Gated behind datadog.orchestratorExplorer.networkCRDs.enabled (default: true). API groups: gateway.networking.k8s.io, networking.istio.io, gateway.envoyproxy.io, traefik.containo.us, traefik.io, policy.linkerd.io, consul.hashicorp.com, mesh.consul.hashicorp.com, kuma.io, k8s.nginx.org, configuration.konghq.com, core.haproxy.org, ingress.v1.haproxy.org, ingress.v3.haproxy.org
e0273ea to 8ea94a3
gh-worker-dd-mergequeue-cf854d bot pushed a commit to DataDog/datadog-agent that referenced this pull request on Apr 9, 2026
…mesh, and ingress controllers (#48966)

### What does this PR do?

Adds 22 new builtin CRD entries to the orchestrator explorer so Cloud Security can determine internet-reachability paths for k8s workloads. Uses a hybrid collection strategy: resource-specific entries for high-volume vendors (Istio, NGINX, Traefik) and group-level entries for less common vendors.

Three new per-family config flags (all **opt-in, default: false**):

- `orchestrator_explorer.custom_resources.ootb.gateway_api`
- `orchestrator_explorer.custom_resources.ootb.service_mesh`
- `orchestrator_explorer.custom_resources.ootb.ingress_controllers`

**New families:**

- **Gateway API** (5 resource-specific): gateways, httproutes, grpcroutes, tlsroutes, listenersets
- **Service mesh — Istio** (5 resource-specific): virtualservices, gateways, destinationrules, serviceentries, sidecars (with v1beta1 fallback)
- **Service mesh — others** (6 group-level): Envoy Gateway, Traefik (legacy), Linkerd, Consul, Consul Mesh, Kuma
- **Ingress controllers — NGINX** (2 resource-specific): virtualservers, virtualserverroutes
- **Ingress controllers — Traefik** (1 resource-specific): ingressroutes
- **Ingress controllers — others** (3 group-level): Kong, HAProxy Core, HAProxy v1

### Motivation

Cloud Security needs to tell customers which container workloads are internet-reachable. Today, the agent collects standard Ingress and Service objects, covering ~16% of EKS customers. Over 36% use service meshes or non-standard ingress controllers whose exposure paths go through CRDs we don't collect.

RFC: https://datadoghq.atlassian.net/wiki/x/4IOyfAE
Technical implementation: https://datadoghq.atlassian.net/wiki/x/EgO6fAE

### Describe how you validated your changes

- All existing tests pass: `TestNewBuiltinCRDConfigs`, `TestImportBuiltinCollectors`, `TestGetDatadogCustomResourceCollectors`, `TestFilterCRCollectorsByPermission`
- New test `TestNewBuiltinCRDConfigsPerFamilyFlags` verifies each per-family flag independently disables its family, and the global OOTB flag disables everything
- Package compiles cleanly with `go build -tags "kubeapiserver orchestrator"`

### Additional Notes

**All three flags default to `false` (opt-in).** Collection is only activated when RBAC is granted (via helm/operator) and the corresponding flag is set to `true`.

**Merge order:** The backend allowlist PR (dd-go) must be deployed before this PR merges, otherwise collected CRs will be silently dropped.

- [ ] Backend allowlist deployed: DataDog/dd-go#230589
- [ ] Helm chart RBAC merged: DataDog/helm-charts#2541
- [ ] Operator RBAC merged: DataDog/datadog-operator#2874

## Related PRs

| Repo | PR | Purpose |
|------|----|---------|
| DataDog/dd-go | DataDog/dd-go#230589 | Backend allowlist (deploy FIRST) |
| DataDog/helm-charts | DataDog/helm-charts#2541 | Helm chart RBAC |
| DataDog/datadog-operator | DataDog/datadog-operator#2874 | Operator RBAC |

Co-authored-by: eliott.bouhana <eliott.bouhana@datadoghq.com>
- Add missing get verb to group-level RBAC rules (Envoy Gateway, Linkerd, Consul, Kuma, Kong, HAProxy)
- Add DD_ORCHESTRATOR_EXPLORER_CUSTOM_RESOURCES_OOTB_* env vars to the cluster agent deployment, gated by networkCRDs.enabled
What does this PR do?
Adds list/watch RBAC permissions for 14 new API groups to the cluster agent ClusterRole, enabling OOTB collection of network topology CRDs for Cloud Security internet-reachability analysis.
Gated behind datadog.orchestratorExplorer.networkCRDs.enabled (default: false, opt-in).

New API groups:

- gateway.networking.k8s.io (resource-specific)
- networking.istio.io (resource-specific)
- gateway.envoyproxy.io
- traefik.containo.us
- policy.linkerd.io
- consul.hashicorp.com
- mesh.consul.hashicorp.com
- kuma.io
- k8s.nginx.org
- traefik.io (resource-specific)
- configuration.konghq.com
- core.haproxy.org
- ingress.v1.haproxy.org
- ingress.v3.haproxy.org

Motivation
The Datadog Agent is adding OOTB collection of these CRDs for Cloud Security internet-reachability analysis. The cluster agent needs RBAC permissions to list/watch these resources.
RFC: https://datadoghq.atlassian.net/wiki/x/4IOyfAE
Describe how you validated your changes
"*" resources) for less common vendors

Additional Notes
This PR should be merged before the corresponding agent PR. Collection is opt-in — both the Helm value and the agent-side flags must be enabled.
Related PRs
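The hybrid rule layout the PR describes (resource-specific rules for the high-volume vendors, group-level `"*"` rules for the rest, all read-only and gated behind a single Helm value) is easy to get subtly wrong: a rule can lose a verb the collector needs (the follow-up commit in this thread added a missing `get`), or a copy-paste can widen a rule to a wildcard apiGroup. The script below is an added example, not the helm-charts template or the agent's code: it builds the extra ClusterRole rules from the same value path named on this page, `datadog.orchestratorExplorer.networkCRDs.enabled`, and then audits them for least privilege and coverage. The per-group resource names are taken from the datadog-agent commit message quoted above; the function names, the JSON rendering (a valid YAML subset) and the audit checks themselves are assumptions made for illustration.

```python
"""Build and audit read-only ClusterRole rules for network topology CRDs.

Added example: mirrors the rule layout described in the PR, not the chart's
own Helm template.
"""
import json

# The verbs the orchestrator explorer needs; anything beyond these is a
# least-privilege finding for a collector that only reads cluster state.
READ_ONLY_VERBS = ["get", "list", "watch"]

# Resource-specific rules (high-volume vendors). Resource names come from
# the datadog-agent commit message in this thread; assumed to be complete.
RESOURCE_SPECIFIC = {
    "gateway.networking.k8s.io": ["gateways", "httproutes", "grpcroutes",
                                  "tlsroutes", "listenersets"],
    "networking.istio.io": ["virtualservices", "gateways", "destinationrules",
                            "serviceentries", "sidecars"],
    "k8s.nginx.org": ["virtualservers", "virtualserverroutes"],
    "traefik.io": ["ingressroutes"],
}

# Group-level rules ("*" resources) for the less common vendors.
GROUP_LEVEL = [
    "gateway.envoyproxy.io", "traefik.containo.us", "policy.linkerd.io",
    "consul.hashicorp.com", "mesh.consul.hashicorp.com", "kuma.io",
    "configuration.konghq.com", "core.haproxy.org",
    "ingress.v1.haproxy.org", "ingress.v3.haproxy.org",
]


def network_crd_rules(values):
    """Return the extra ClusterRole rules, or [] when the gate is off.

    `values` is a dict shaped like the chart's values file, so the gate is
    values["datadog"]["orchestratorExplorer"]["networkCRDs"]["enabled"].
    """
    enabled = (values.get("datadog", {})
                     .get("orchestratorExplorer", {})
                     .get("networkCRDs", {})
                     .get("enabled", False))
    if not enabled:
        return []
    rules = []
    for group, resources in RESOURCE_SPECIFIC.items():
        rules.append({"apiGroups": [group], "resources": list(resources),
                      "verbs": list(READ_ONLY_VERBS)})
    for group in GROUP_LEVEL:
        rules.append({"apiGroups": [group], "resources": ["*"],
                      "verbs": list(READ_ONLY_VERBS)})
    return rules


def audit_rules(rules, expected_groups):
    """Audit rules against what the collector needs and nothing more.

    Findings (hypothetical check, not part of the chart):
      - a wildcard apiGroup, which grants far more than network CRDs;
      - any verb outside get/list/watch (write access for a read-only agent);
      - a read verb missing from a rule, which makes collection fail;
      - an expected API group with no rule at all (silently not collected).
    Returns a list of human-readable findings; empty means clean.
    """
    findings = []
    covered = set()
    for rule in rules:
        groups = rule.get("apiGroups", [])
        verbs = set(rule.get("verbs", []))
        for group in groups:
            if group == "*":
                findings.append("wildcard apiGroup: grants access far beyond network CRDs")
            covered.add(group)
        extra = verbs - set(READ_ONLY_VERBS)
        if extra:
            findings.append(f"{groups}: non-read verbs {sorted(extra)}")
        missing = set(READ_ONLY_VERBS) - verbs
        if missing:
            findings.append(f"{groups}: missing verbs {sorted(missing)}, collection would fail")
    for group in expected_groups:
        if group not in covered:
            findings.append(f"{group}: no rule, its CRDs will not be collected")
    return findings


def render_cluster_role(values, name="datadog-cluster-agent"):
    """Render the rules as a ClusterRole manifest (JSON is valid YAML)."""
    manifest = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": network_crd_rules(values),
    }
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Constructed values: the gate switched on, as an operator would set it.
    values = {"datadog": {"orchestratorExplorer": {"networkCRDs": {"enabled": True}}}}
    print(render_cluster_role(values))
    expected = list(RESOURCE_SPECIFIC) + GROUP_LEVEL
    print("audit findings:", audit_rules(network_crd_rules(values), expected))
```

With the gate off the function returns no rules, so the rendered ClusterRole is unchanged, which is the opt-in behaviour the description promises; with it on, the audit over the 14 generated rules returns no findings, while a rule that lists only `list` and `watch` is reported for the missing `get`.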