
[CONTP-1656] Add datadog instrumentation crd rbac perms#2975

Merged: Mathew-Estafanous merged 3 commits into main from mathew.estafanous/crd-rbac on May 6, 2026

@Mathew-Estafanous Mathew-Estafanous commented May 5, 2026

What does this PR do?

Gives the cluster agent necessary RBAC permissions to get/list/watch the DatadogInstrumentation CRD and update/patch the status section of the CRD.

Motivation

Follow up #2962

Describe your test plan

  • Added RBAC unit tests

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)

@Mathew-Estafanous Mathew-Estafanous changed the title feat: add datadog instrumentation crd rbac perms Add datadog instrumentation crd rbac perms May 5, 2026
@Mathew-Estafanous Mathew-Estafanous self-assigned this May 5, 2026
@Mathew-Estafanous Mathew-Estafanous added this to the v1.27.0 milestone May 5, 2026
codecov-commenter commented May 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.58%. Comparing base (d1d2b65) to head (fe7ad01).

@@            Coverage Diff             @@
##             main    #2975      +/-   ##
==========================================
+ Coverage   41.39%   41.58%   +0.18%     
==========================================
  Files         331      331              
  Lines       28911    28926      +15     
==========================================
+ Hits        11969    12029      +60     
+ Misses      16086    16041      -45     
  Partials      856      856              
Flag Coverage Δ
unittests 41.58% <100.00%> (+0.18%) ⬆️

Files with missing lines Coverage Δ
...roller/datadogagent/component/clusteragent/rbac.go 65.41% <100.00%> (+42.53%) ⬆️
internal/controller/datadogagent_controller.go 58.64% <ø> (ø)

@Mathew-Estafanous Mathew-Estafanous added the enhancement New feature or request label May 5, 2026
@Mathew-Estafanous Mathew-Estafanous marked this pull request as ready for review May 5, 2026 16:19
@Mathew-Estafanous Mathew-Estafanous requested a review from a team May 5, 2026 16:19
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 94c51f1bd6

Comment on lines +120 to +121
rbac.PatchVerb,
rbac.UpdateVerb,
P2: Remove write verbs from datadoginstrumentations parent resource

This rule grants patch/update on datadoginstrumentations itself, which allows the Cluster Agent to modify spec/metadata of any DatadogInstrumentation object cluster-wide; for status reconciliation, Kubernetes only needs write access on the datadoginstrumentations/status subresource. In environments where the Cluster Agent should be read-only for instrumentation definitions, this is an unnecessary privilege escalation and should be limited to get/list/watch on the parent resource.

Useful? React with 👍 / 👎.
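
The least-privilege check the review comment above describes, as an added Go example that is not part of this PR or the operator's code: it reports write verbs a rule set grants on a parent resource itself rather than on its `/status` subresource. `PolicyRule` is a local stand-in for `rbacv1.PolicyRule`, both rule sets are constructed, and the API group `datadoghq.com` is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// PolicyRule is a local stand-in for rbacv1.PolicyRule (no k8s.io dependency).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
var writeVerbs = map[string]bool{"create": true, "update": true, "patch": true,
	"delete": true, "deletecollection": true, "*": true}

// has reports whether list names want exactly or through the "*" wildcard.
func has(list []string, want string) bool {
	for _, s := range list {
		if s == want || s == "*" {
			return true
		}
	}
	return false
}

// ParentWrites returns write verbs granted on the parent itself, not on "<resource>/status".
func ParentWrites(rules []PolicyRule, group, resource string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, r := range rules {
		if !has(r.APIGroups, group) || !has(r.Resources, resource) {
			continue
		}
		for _, v := range r.Verbs {
			if writeVerbs[v] && !seen[v] {
				seen[v], out = true, append(out, v)
			}
		}
	}
	sort.Strings(out)
	return out
}

// Constructed rule sets, not the PR's code; the API group is an assumption.
const apiGroup, parent = "datadoghq.com", "datadoginstrumentations"
var broadRules = []PolicyRule{{[]string{apiGroup}, []string{parent, parent + "/status"},
	[]string{"get", "list", "watch", "patch", "update"}}}
var scopedRules = []PolicyRule{
	{[]string{apiGroup}, []string{parent}, []string{"get", "list", "watch"}},
	{[]string{apiGroup}, []string{parent + "/status"}, []string{"patch", "update"}}}

func main() {
	fmt.Println(ParentWrites(broadRules, apiGroup, parent), ParentWrites(scopedRules, apiGroup, parent))
}
```

An empty result for a rule set means writes are confined to subresources; a unit test on the generated rules can assert that to keep the grant from widening later.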

@Mathew-Estafanous Mathew-Estafanous force-pushed the mathew.estafanous/crd-rbac branch from 731ec1b to 3fd7689 Compare May 5, 2026 17:51
@Mathew-Estafanous Mathew-Estafanous changed the title Add datadog instrumentation crd rbac perms [CONTP-1656] Add datadog instrumentation crd rbac perms May 5, 2026
@Mathew-Estafanous (Contributor, Author) commented

/merge

gh-worker-devflow-routing-ef8351 Bot commented May 6, 2026

2026-05-06 12:55:25 UTC ℹ️ Start processing command /merge


2026-05-06 12:55:31 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 2h (p90).


2026-05-06 14:28:42 UTC ℹ️ MergeQueue: This merge request was already merged

This pull request was merged directly.

@Mathew-Estafanous Mathew-Estafanous merged commit 3628a15 into main May 6, 2026
54 checks passed
@Mathew-Estafanous Mathew-Estafanous deleted the mathew.estafanous/crd-rbac branch May 6, 2026 14:28