
Operator-generated ClusterRole restricts MutatingWebhookConfiguration RBAC to hardcoded resourceNames: [datadog-webhook] #2766

@Leundai

Description

When the Datadog operator reconciles a DatadogAgent CR, it generates a ClusterRole for the cluster-agent that includes mutatingwebhookconfigurations permissions scoped to resourceNames: [datadog-webhook]:

```yaml
- apiGroups: [admissionregistration.k8s.io]
  resourceNames: [datadog-webhook]
  resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
  verbs: [get, list, watch, update, delete]
```

When spec.features.admissionController.webhookName is set to a custom value (e.g. my-custom-webhook), the operator creates a MutatingWebhookConfiguration with that custom name — but the ClusterRole still restricts access to datadog-webhook. This means the cluster-agent cannot manage its own webhook.

Impact

  1. Self-healing is broken with custom webhook names — if the MWC is modified or deleted externally, the cluster-agent cannot recreate or update it because the RBAC doesn't permit access to the custom-named resource.

  2. Multi-instance clusters — when multiple DatadogAgent CRs exist in different namespaces (e.g. separate teams or tenants sharing a cluster), each instance should manage its own uniquely-named webhook. The current RBAC prevents this since all instances can only access datadog-webhook.

Expected Behavior

The operator-generated ClusterRole should scope mutatingwebhookconfigurations permissions to the actual webhookName configured in the DatadogAgent CR, not the hardcoded default. If spec.features.admissionController.webhookName is set to my-custom-webhook, the ClusterRole should use resourceNames: [my-custom-webhook].

Steps to Reproduce

  1. Deploy a DatadogAgent CR with spec.features.admissionController.webhookName: my-custom-webhook
  2. Inspect the operator-generated ClusterRole for the cluster-agent
  3. Observe that resourceNames is still [datadog-webhook] instead of [my-custom-webhook]
  4. The cluster-agent logs will show RBAC errors when trying to update the custom-named MWC

Environment

  • Operator version: 1.14.0
  • Kubernetes: 1.29+
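The following is an added example, not code from the datadog-operator repository or from the issue author. It models the rule the issue quotes with a local struct that mirrors the rbacv1.PolicyRule fields involved (an assumption made so it builds without Kubernetes dependencies), builds it from a configured webhook name instead of the hardcoded default, and replays the RBAC matching that decides the outcome: a rule with resourceNames grants a request only when the object's name is listed, and the name "my-custom-webhook" from the reproduction steps is a constructed input. The model also makes a practitioner caveat visible: Kubernetes RBAC cannot scope create by resourceNames, because the object name is not known at authorization time, so recreating a deleted webhook configuration needs an unscoped create grant no matter which name the resourceNames entry carries.

```go
package main

import "fmt"

// PolicyRule is a local copy of the rbacv1.PolicyRule fields this example uses
// (assumption: kept dependency-free so the example builds stand-alone).
type PolicyRule struct {
	APIGroups     []string
	Resources     []string
	ResourceNames []string
	Verbs         []string
}

// defaultWebhookName is the name the issue reports as hardcoded in the generated ClusterRole.
const defaultWebhookName = "datadog-webhook"

// webhookRule builds the admissionregistration rule quoted in the issue, scoped to
// the webhook name the DatadogAgent CR actually configures. An empty name falls
// back to the default; the reported behaviour corresponds to always passing "".
func webhookRule(configuredName string) PolicyRule {
	name := configuredName
	if name == "" {
		name = defaultWebhookName
	}
	return PolicyRule{
		APIGroups:     []string{"admissionregistration.k8s.io"},
		Resources:     []string{"validatingwebhookconfigurations", "mutatingwebhookconfigurations"},
		ResourceNames: []string{name},
		Verbs:         []string{"get", "list", "watch", "update", "delete"},
	}
}

// matches reports whether s is in list, honouring the RBAC "*" wildcard.
func matches(list []string, s string) bool {
	for _, v := range list {
		if v == "*" || v == s {
			return true
		}
	}
	return false
}

// allows reproduces the RBAC matching that matters here: a rule grants a request
// when its verb, API group and resource match and either the rule has no
// resourceNames or the requested object's name is listed (no wildcard there).
// A create request carries no object name at authorization time (pass ""), so a
// rule scoped by resourceNames never grants create, whichever name it lists.
func allows(rules []PolicyRule, verb, group, resource, name string) bool {
	for _, r := range rules {
		if !matches(r.Verbs, verb) || !matches(r.APIGroups, group) || !matches(r.Resources, resource) {
			continue
		}
		if len(r.ResourceNames) == 0 {
			return true
		}
		for _, n := range r.ResourceNames {
			if n == name {
				return true
			}
		}
	}
	return false
}

func main() {
	const group, mwc = "admissionregistration.k8s.io", "mutatingwebhookconfigurations"
	custom := "my-custom-webhook"               // constructed: the custom webhookName from the reproduction steps
	hardcoded := []PolicyRule{webhookRule("")}  // what the issue says the operator generates today
	scoped := []PolicyRule{webhookRule(custom)} // what the issue asks for

	fmt.Println("hardcoded rule, update", custom, "->", allows(hardcoded, "update", group, mwc, custom)) // false
	fmt.Println("scoped rule, update", custom, "->", allows(scoped, "update", group, mwc, custom))       // true
	fmt.Println("scoped rule, create (no name yet) ->", allows(scoped, "create", group, mwc, ""))        // false
}
```

The first two lines of output show the mismatch the issue describes and its fix; the third shows why fixing resourceNames alone does not cover the "recreate after external deletion" case, which would need a separate create grant with no resourceNames.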
