Remove RBAC grants when App & API Protection is not enabled

Author: drcapulet

charts/datadog/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 3.156.4
+
+* Remove RBAC grants when App & API Protection is not enabled.
+
 ## 3.156.3
 
 * Fix mounts of `/host/run/systemd` and pod-resources socket in system-probe container when GPU monitoring.

charts/datadog/Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: datadog
-version: 3.156.3
+version: 3.156.4
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.156.3](https://img.shields.io/badge/Version-3.156.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.156.4](https://img.shields.io/badge/Version-3.156.4-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 

charts/datadog/templates/cluster-agent-rbac.yaml

@@ -368,6 +368,7 @@ rules:
   - get
 {{- include "orchestratorExplorer-config-crs" . }}
 {{- end }}
+{{- if .Values.datadog.appsec.injector.enabled }}
 # Used by datadog.appsec.injector feature
 - apiGroups:
     - "gateway.networking.k8s.io"
@@ -404,6 +405,7 @@ rules:
     - get
     - create
     - delete
+{{- end }}
 ---
 apiVersion: {{ template "rbac.apiVersion" . }}
 kind: ClusterRoleBinding

test/datadog/baseline/manifests/adp_enabled.yaml

@@ -401,41 +401,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/agent-clusterchecks-deployment_default.yaml

@@ -418,41 +418,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/agent-workload_exclude.yaml

@@ -401,41 +401,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/cluster-agent-deployment_default.yaml

@@ -414,41 +414,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/cluster-agent-deployment_default_advanced_AC_injection.yaml

@@ -414,41 +414,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

test/datadog/baseline/manifests/cluster-agent-deployment_default_minimal_AC_injection.yaml

@@ -414,41 +414,6 @@ rules:
       - list
       - watch
       - get
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-      - patch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - referencegrants
-    verbs:
-      - get
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - gateway.envoyproxy.io
-    resources:
-      - envoyextensionpolicies
-    verbs:
-      - get
-      - delete
-      - create
-  - apiGroups:
-      - networking.istio.io
-    resources:
-      - envoyfilters
-    verbs:
-      - get
-      - create
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole