---
# This file has been generated by `helm template datadog-agent datadog/datadog` from datadog/templates/cluster-agent-rbac.yaml. Please re-run `generate.sh` rather than modifying this file manually.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
  labels:
    app: "datadog"
    chart: "datadog-3.49.6"
    heritage: "Helm"
    release: "datadog"
  name: datadog-cluster-agent
  namespace: default
---
# This file has been generated by `helm template datadog-agent datadog/datadog` from datadog/templates/cluster-agent-rbac.yaml. Please re-run `generate.sh` rather than modifying this file manually.
apiVersion: "rbac.authorization.k8s.io/v1"
kind: ClusterRole
metadata:
  labels: {}
  name: datadog-cluster-agent
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - pods
      - nodes
      - namespaces
      - componentstatuses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - get
      - list
      - watch
      - create
  - apiGroups: ["quota.openshift.io"]
    resources:
      - clusterresourcequotas
    verbs:
      - get
      - list
  - apiGroups:
      - "autoscaling"
    resources:
      - horizontalpodautoscalers
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - datadogtoken # Kubernetes event collection state
      - datadogtoken # Kept for backward compatibility with agent <7.37.0
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - datadog-leader-election # Leader election token
      - datadog-leader-election # Kept for backward compatibility with agent <7.37.0
      - datadog-custom-metrics
    verbs:
      - get
      - update
  - apiGroups:
      - "coordination.k8s.io"
    resources:
      - leases
    resourceNames:
      - datadog-leader-election # Leader election token
    verbs:
      - get
      - update
  - apiGroups:
      - "coordination.k8s.io"
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - extension-apiserver-authentication
    verbs:
      - get
      - list
      - watch
  - apiGroups: # To create the leader election token and hpa events
      - ""
    resources:
      - configmaps
      - events
    verbs:
      - create
  - nonResourceURLs:
      - "/version"
      - "/healthz"
    verbs:
      - get
  - apiGroups: # to get the kube-system namespace UID and generate a cluster ID
      - ""
    resources:
      - namespaces
    resourceNames:
      - "kube-system"
    verbs:
      - get
  - apiGroups: # To create the cluster-id configmap
      - ""
    resources:
      - configmaps
    resourceNames:
      - "datadog-cluster-id"
    verbs:
      - create
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
      - persistentvolumeclaims
      - serviceaccounts
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - "batch"
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - autoscaling.k8s.io
    resources:
      - verticalpodautoscalers
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
    resourceNames:
      - "datadog-webhook"
    verbs: ["get", "list", "watch", "update"]
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
    verbs: ["create"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["statefulsets", "replicasets", "deployments", "daemonsets"]
    verbs: ["get"]
  - apiGroups:
      - "security.openshift.io"
    resources:
      - securitycontextconstraints
    verbs:
      - use
    resourceNames:
      - datadog-cluster-agent
      - hostnetwork
---
# This file has been generated by `helm template datadog-agent datadog/datadog` from datadog/templates/cluster-agent-rbac.yaml. Please re-run `generate.sh` rather than modifying this file manually.
apiVersion: "rbac.authorization.k8s.io/v1"
kind: ClusterRoleBinding
metadata:
  labels: {}
  name: datadog-cluster-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: datadog-cluster-agent
subjects:
  - kind: ServiceAccount
    name: datadog-cluster-agent
    namespace: default
---
# This file has been generated by `helm template datadog-agent datadog/datadog` from datadog/templates/cluster-agent-rbac.yaml. Please re-run `generate.sh` rather than modifying this file manually.
apiVersion: "rbac.authorization.k8s.io/v1"
kind: ClusterRoleBinding
metadata:
  labels:
    app: "datadog"
    chart: "datadog-3.49.6"
    release: "datadog"
    heritage: "Helm"
  name: datadog-cluster-agent-system-auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: datadog-cluster-agent
    namespace: default
---
# This file has been generated by `helm template datadog-agent datadog/datadog` from datadog/templates/cluster-agent-rbac.yaml. Please re-run `generate.sh` rather than modifying this file manually.
apiVersion: "rbac.authorization.k8s.io/v1"
kind: Role
metadata:
  labels: {}
  name: datadog-cluster-agent-main
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "update", "create"]
---
# This file has been generated by `helm template datadog-agent datadog/datadog` from datadog/templates/cluster-agent-rbac.yaml. Please re-run `generate.sh` rather than modifying this file manually.
apiVersion: "rbac.authorization.k8s.io/v1"
kind: RoleBinding
metadata:
  labels: {}
  name: "datadog-cluster-agent-main"
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: datadog-cluster-agent-main
subjects:
  - kind: ServiceAccount
    name: datadog-cluster-agent
    namespace: default
---
# This file has been generated by `helm template datadog-agent datadog/datadog` from datadog/templates/cluster-agent-rbac.yaml. Please re-run `generate.sh` rather than modifying this file manually.
apiVersion: "rbac.authorization.k8s.io/v1"
kind: RoleBinding
metadata:
  labels: {}
  name: "datadog-cluster-agent-apiserver"
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - kind: ServiceAccount
    name: datadog-cluster-agent
    namespace: default