[CONTINT-4924] Support for wildcards in Kind field in KSM RBAC (#2350)

* Support for wildcards in Kind field in KSM RBAC

* make generate - no need to add explicit verbs to apiservices

---------

Co-authored-by: Timothée Bavelier <[email protected]>
Co-authored-by: Timothée Bavelier <[email protected]>

Author: triviajon

internal/controller/datadogagent/feature/kubernetesstatecore/rbac.go

@@ -138,6 +138,12 @@ func getRBACPolicyRules(collectorOpts collectorOptions) []rbacv1.PolicyRule {
 	if len(collectorOpts.customResources) > 0 {
 		rbacBuilder := utils.NewRBACBuilder(commonVerbs...)
 		for _, cr := range collectorOpts.customResources {
+			// Don't pluralize if the kind is a wildcard
+			if cr.GroupVersionKind.Kind == "*" {
+				rbacBuilder.AddGroupKind(cr.GroupVersionKind.Group, "*")
+				continue
+			}
+
 			// Use the resource plural if specified, otherwise derive it from the Kind
 			resourceName := cr.ResourcePlural
 			if resourceName == "" {

internal/controller/datadogagent/feature/kubernetesstatecore/rbac_test.go

@@ -279,6 +279,31 @@ func TestGetRBACPolicyRules(t *testing.T) {
 				assert.True(t, hasArgo, "Should have Argo Application permissions")
 			},
 		},
+		{
+			name: "with wildcard kind",
+			collectorOpts: collectorOptions{
+				customResources: []v2alpha1.Resource{
+					{
+						GroupVersionKind: v2alpha1.GroupVersionKind{
+							Group:   "stable.example.com",
+							Version: "v1",
+							Kind:    "*",
+						},
+					},
+				},
+			},
+			validateFunc: func(t *testing.T, rules []rbacv1.PolicyRule) {
+				hasStable := false
+				for _, rule := range rules {
+					if slices.Contains(rule.APIGroups, "stable.example.com") {
+						hasStable = true
+						assert.Contains(t, rule.Resources, "*")
+						break
+					}
+				}
+				assert.True(t, hasStable, "Should have stable.example.com permissions")
+			},
+		},
 	}
 
 	for _, tc := range testCases {