-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict cluster role of the amazon cloudwatch agent controller manager #83
Conversation
charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
Outdated
Show resolved
Hide resolved
Change made to the operator repo to ensure integ tests pass: aws/amazon-cloudwatch-agent-operator#204 |
verbs: [ "create","get","list", "watch" ] | ||
- apiGroups: [ "" ] | ||
resources: [ "configmaps" ] | ||
resourceNames: ["cloudwatch-agent", "cloudwatch-agent-windows", "cwagent-clusterleader", "dcgm-exporter-config-map", "fluent-bit-config", "fluent-bit-windows-config", "neuron-monitor-config-map", "kube-root-ca.crt"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Restricting these by names is going to be tricky.
Customers installing their own AmazonCloudWatchAgent CR can set the name
to be anything and the resources would get named accordingly per the regexes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, curious, why do we need the kube-root-ca.crt
in this list?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, I was hoping there would be a way to do this by namespace, but it doesn't seem like thats possible. What if we pull the actual names from the values.yaml?
kube-root-ca.crt
was found in the amazon-cloudwatch
namespace, so I assume the operator should have domain over anything we create via helm/operator
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if we pull the actual names from the values.yaml?
In the scenario of customers installing their own CRs, it wouldnt come from the values. But perhaps thats just setting an expectation that they have to modify the RBAC accordingly when they do such customizations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kube-root-ca.crt was found in the amazon-cloudwatch namespace, so I assume the operator should have domain over anything we create via helm/operator
Interesting. Is it actually created/modified by our service account though?
charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
Show resolved
Hide resolved
Perhaps a better way would be to expose a The default Users that would like to install custom CRs and/or are comfortable allowing the Operator to run with additional permissions could override to use the |
Yeah I think we will want something namespaced to |
Yes, this should be doable and what we would need with the |
Issue #, if available:
Related: #77
Description of changes:
Testing:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.