
[CONTP-1596] Improve GKE Autopilot support #3013

Open: tbavelier wants to merge 6 commits into main from tbavelier/contp-1596-autopilot-clean

Conversation


@tbavelier tbavelier commented May 13, 2026

What does this PR do?

Updates GKE Autopilot support for DatadogAgent reconciliation and the GKE WorkloadAllowlist synchronizer.

Commit breakdown:

  • a32ab68
    • Bumps the default WorkloadAllowlist version to v1.0.3.
    • Adds the experimental.agent.datadoghq.com/autopilot-allowlist-version override.
    • Replaces Helm hook annotations on the AllowlistSynchronizer with operator ownership labels, including the DatadogAgent app.kubernetes.io/part-of value.
    • Applies the AllowlistSynchronizer with server-side apply so existing datadog-synchronizer objects are updated when the desired allowlist path or labels change.
    • Adds RBAC permission to patch allowlistsynchronizers.auto.gke.io for server-side apply.
    • Logs successful reconciled applies at verbose level to avoid reconcile spam while keeping errors surfaced.
  • 1246fa3
    • Sets DD_KUBELET_USE_API_SERVER=true for Autopilot.
    • Enables fine-grained kubelet authorization by default on Autopilot.
    • Adds pods get/list RBAC when API-server pod discovery is required.
  • b8ff129
    • Removes auth-token env and mounts that are not allowed on Autopilot.
    • Expands Autopilot mount cleanup across additional containers.
    • Keeps NPM/system-probe volumes and mounts that are covered by the WorkloadAllowlist.
  • 7ae8486
    • Makes the seccomp security mount read-only and verifies it in Autopilot reconciler tests.
  • 363ea70
    • Rewrites the log collection run-path hostPath to the Autopilot-approved log storage path.
  • 7cf3137
    • Restricts cloud provider metadata collection to GCP on Autopilot.

Motivation

The existing Autopilot overrides were out of date with current GKE Autopilot allowlist behavior and left several generated pod specs with resources, mounts, or discovery settings that are not valid on Autopilot.

This also makes the WorkloadAllowlist version explicit and overrideable, so future allowlist bumps do not require changing the synchronizer logic.

Additional Notes

  • The clean branch was rebuilt from main with the Autopilot work grouped into reviewable commits. Two unrelated unused helper functions from the original branch history were intentionally left out of controller_v2_test.go.
  • This requires a new WorkloadAllowlist; will link PR.

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

  • Agent: N/A
  • Cluster Agent: N/A

Describe your test plan

Verified on v1.35.3-gke.1737000

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)
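The synchronizer changes described under a32ab68 (an explicit, overridable allowlist version, operator ownership labels instead of Helm hook annotations, and server-side apply of an existing datadog-synchronizer object) can be illustrated with the small Go program below. This is example code written for this review, not code from this PR or from the datadog-operator repository; it uses only the standard library in place of client-go. The default version, the override annotation, the object name, the auto.gke.io group and the app.kubernetes.io/part-of label come from the PR description; the field manager name, the app.kubernetes.io/managed-by label, the allowlist path layout, the allowlistPaths spec field and the v1 API version are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Values taken from the PR description.
const (
	DefaultAllowlistVersion   = "v1.0.3"
	VersionOverrideAnnotation = "experimental.agent.datadoghq.com/autopilot-allowlist-version"
	SynchronizerName          = "datadog-synchronizer"
	SynchronizerKind          = "AllowlistSynchronizer"
	partOfLabel               = "app.kubernetes.io/part-of"
)

// Assumptions for this example only; the operator's real values may differ.
const (
	SynchronizerAPIVersion = "auto.gke.io/v1" // group is on the page, version assumed
	fieldManager           = "datadog-operator"
	managedByLabel         = "app.kubernetes.io/managed-by"
	allowlistPathFormat    = "Datadog/datadog-agent/datadog-agent-%s.yaml"
)

// ResolveAllowlistVersion picks the allowlist version: the experimental
// annotation on the DatadogAgent wins, otherwise the built-in default. Bumping
// the default is a one-constant change and never touches the apply logic.
func ResolveAllowlistVersion(ddaAnnotations map[string]string) string {
	if v, ok := ddaAnnotations[VersionOverrideAnnotation]; ok && v != "" {
		return v
	}
	return DefaultAllowlistVersion
}

// AllowlistPath maps a version to its path in the GKE allowlist repository
// (assumed layout).
func AllowlistPath(version string) string {
	return fmt.Sprintf(allowlistPathFormat, version)
}

// DesiredSynchronizer builds the complete object that is sent as a
// server-side apply patch. partOf is the DatadogAgent's
// app.kubernetes.io/part-of label value.
func DesiredSynchronizer(partOf string, ddaAnnotations map[string]string) map[string]any {
	return map[string]any{
		"apiVersion": SynchronizerAPIVersion,
		"kind":       SynchronizerKind,
		"metadata": map[string]any{
			"name": SynchronizerName,
			"labels": map[string]any{
				managedByLabel: fieldManager,
				partOfLabel:    partOf,
			},
		},
		"spec": map[string]any{
			"allowlistPaths": []any{AllowlistPath(ResolveAllowlistVersion(ddaAnnotations))},
		},
	}
}

// ownedFields extracts only the fields this manager owns: the two labels and
// the allowlist paths. Anything else (status, other writers' labels or
// annotations) is deliberately ignored.
func ownedFields(obj map[string]any) map[string]any {
	md, _ := obj["metadata"].(map[string]any)
	labels, _ := md["labels"].(map[string]any)
	spec, _ := obj["spec"].(map[string]any)
	return map[string]any{
		"labels":         map[string]any{managedByLabel: labels[managedByLabel], partOfLabel: labels[partOfLabel]},
		"allowlistPaths": spec["allowlistPaths"],
	}
}

// NeedsApply reports whether an apply is required: no object yet, or the
// owned fields differ. Comparing only owned fields keeps the reconcile loop
// from re-applying (and logging) on every pass.
func NeedsApply(existing, desired map[string]any) bool {
	if existing == nil {
		return true
	}
	return !reflect.DeepEqual(ownedFields(existing), ownedFields(desired))
}

// ApplyPatch serialises the desired object as the body of a server-side apply
// request (JSON is valid apply-patch+yaml) with the query parameters that go
// with it. force=true lets this field manager take over fields previously
// owned by another manager, which is what replacing Helm-managed objects needs.
func ApplyPatch(desired map[string]any) (body []byte, params map[string]string, err error) {
	body, err = json.Marshal(desired)
	if err != nil {
		return nil, nil, err
	}
	return body, map[string]string{"fieldManager": fieldManager, "force": "true"}, nil
}

func main() {
	// Constructed sample: a synchronizer left behind by Helm on an older path.
	existingJSON := `{"apiVersion":"auto.gke.io/v1","kind":"AllowlistSynchronizer",
	"metadata":{"name":"datadog-synchronizer","annotations":{"helm.sh/hook":"pre-install"}},
	"spec":{"allowlistPaths":["Datadog/datadog-agent/datadog-agent-v1.0.2.yaml"]}}`
	var existing map[string]any
	if err := json.Unmarshal([]byte(existingJSON), &existing); err != nil {
		panic(err)
	}
	desired := DesiredSynchronizer("default-datadog", nil) // part-of value is a constructed sample
	fmt.Println("needs apply:", NeedsApply(existing, desired))
	body, params, _ := ApplyPatch(desired)
	fmt.Printf("PATCH ...?fieldManager=%s&force=%s\n%s\n", params["fieldManager"], params["force"], body)
}
```

The RBAC bullet follows from this design: a server-side apply is an HTTP PATCH, so the operator's role needs the patch verb on allowlistsynchronizers.auto.gke.io in addition to create.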

@tbavelier tbavelier added the enhancement label May 13, 2026 (with ChatGPT Codex Connector)
@tbavelier tbavelier added this to the v1.28.0 milestone May 13, 2026
@tbavelier tbavelier marked this pull request as ready for review May 13, 2026 14:08
@tbavelier tbavelier requested a review from a team May 13, 2026 14:08
@tbavelier tbavelier mentioned this pull request May 13, 2026
@tbavelier tbavelier changed the title Improve GKE Autopilot support [CONTP-1596]Improve GKE Autopilot support May 13, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7d80ce13ee


Comment thread on pkg/allowlistsynchronizer/allowlistsynchronizer.go (outdated)

codecov-commenter commented May 13, 2026

Codecov Report

❌ Patch coverage is 73.72881% with 31 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.23%. Comparing base (491d342) to head (7cf3137).

Files with missing lines                                Patch %   Lines
.../controller/datadogagent/experimental/autopilot.go   68.83%    20 missing, 4 partials
pkg/allowlistsynchronizer/allowlistsynchronizer.go      82.14%    5 missing
internal/controller/datadogagent/common/volumes.go      0.00%     1 missing
...nal/controller/datadogagent/global/dependencies.go   75.00%    0 missing, 1 partial

@@            Coverage Diff             @@
##             main    #3013      +/-   ##
==========================================
+ Coverage   40.77%   41.23%   +0.46%     
==========================================
  Files         332      332              
  Lines       28204    28299      +95     
==========================================
+ Hits        11500    11669     +169     
+ Misses      15929    15843      -86     
- Partials      775      787      +12     
Flag        Coverage Δ
unittests   41.23% <73.72%> (+0.46%) ⬆️


Files with missing lines                                Coverage Δ
...al/controller/datadogagent/component/agent/rbac.go   81.48% <100.00%> (+81.48%) ⬆️
internal/controller/datadogagent_controller.go          62.12% <ø> (ø)
internal/controller/datadogagent/common/volumes.go      0.00% <0.00%> (ø)
...nal/controller/datadogagent/global/dependencies.go   19.52% <75.00%> (+0.64%) ⬆️
pkg/allowlistsynchronizer/allowlistsynchronizer.go      70.96% <82.14%> (+70.96%) ⬆️
.../controller/datadogagent/experimental/autopilot.go   60.76% <68.83%> (+60.76%) ⬆️


Legend:
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 491d342...7cf3137.


@tbavelier tbavelier force-pushed the tbavelier/contp-1596-autopilot-clean branch from 7d80ce1 to 5f79f93 Compare May 13, 2026 14:22
A comment from @datadog-datadog-prod-us1-2 has been minimized.

@tbavelier tbavelier force-pushed the tbavelier/contp-1596-autopilot-clean branch from 5f79f93 to 1e614a8 Compare May 13, 2026 14:44