From a4c9779a2e460fca6c019c4073471c8be64cd7b5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 9 Jan 2026 07:02:45 +0000
Subject: [PATCH] Sync chart from nirmata/go-service-agent

---
 charts/nirmata-agent/templates/rbac.yaml | 138 ++++++++++++++++++++---
 1 file changed, 124 insertions(+), 14 deletions(-)

diff --git a/charts/nirmata-agent/templates/rbac.yaml b/charts/nirmata-agent/templates/rbac.yaml
index 72628004..f6d5e933 100644
--- a/charts/nirmata-agent/templates/rbac.yaml
+++ b/charts/nirmata-agent/templates/rbac.yaml
@@ -1,6 +1,3 @@
-# TODO: Already pruned many of the unnecessary permissions,
-# but still need to check if we need to remove any more permissions
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -10,6 +7,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
+# Service Agent CRDs - full access for controller operations
 - apiGroups:
   - serviceagents.nirmata.io
   resources:
@@ -32,6 +30,8 @@ rules:
   - patch
   - update
   - watch
+
+# ArgoCD applications - for ArgoHub mode
 - apiGroups:
   - argoproj.io
   resources:
@@ -40,31 +40,30 @@ rules:
   - get
   - list
   - watch
+
+# Kyverno policies
 - apiGroups:
-  - ""
+  - kyverno.io
   resources:
-  - secrets
+  - policies
+  - clusterpolicies
   verbs:
   - get
   - list
   - watch
+
+# Policy reports (Kyverno, Policy Working Group)
 - apiGroups:
   - wgpolicyk8s.io
   resources:
   - policyreports
+  - clusterpolicyreports
   verbs:
   - get
   - list
   - watch
-- apiGroups:
-  - kyverno.io
-  resources:
-  - policies
-  - clusterpolicies
-  verbs:
-  - get
-  - list
-  - watch
+
+# Leader election
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -77,6 +76,8 @@ rules:
   - update
   - patch
   - delete
+
+# Controller events
 - apiGroups:
   - ""
   resources:
@@ -84,10 +85,119 @@ rules:
   verbs:
   - create
   - patch
+  - get
+  - list
+  - watch
+
+# =============================================================================
+# Kubernetes tools permissions (pkg/agent/tools/k8s/)
+# These permissions are required for the Agent CRD's built-in k8s tools:
+# k8s_get_resources, k8s_describe, k8s_events, k8s_pod_logs
+# =============================================================================
+
+# Core v1 resources
 - apiGroups:
   - ""
   resources:
+  - pods
+  - pods/log
+  - services
   - configmaps
+  - secrets
+  - persistentvolumeclaims
+  - persistentvolumes
+  - nodes
+  - namespaces
+  - serviceaccounts
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+
+# Apps v1 resources
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  - daemonsets
+  - replicasets
+  verbs:
+  - get
+  - list
+  - watch
+
+# Batch resources
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  - cronjobs
+  verbs:
+  - get
+  - list
+  - watch
+
+# Networking resources
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  - networkpolicies
+  verbs:
+  - get
+  - list
+  - watch
+
+# RBAC resources (read-only for inspection)
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  - clusterroles
+  - clusterrolebindings
+  verbs:
+  - get
+  - list
+  - watch
+
+# Storage resources
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+
+# Policy resources
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - get
+  - list
+  - watch
+
+# Autoscaling resources
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - get
+  - list
+  - watch
+
+# Custom Resource Definitions (read-only for discovery)
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
   verbs:
   - get
   - list
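Review bot: The `secrets` entry added to the "Core v1 resources" rule grants cluster-wide get/list/watch on Secret data to the built-in tools named in the banner comment (k8s_get_resources, k8s_describe, k8s_events, k8s_pod_logs), and `pods/log` in the same list exposes every container's log output; if k8s_get_resources returns a Secret object verbatim, the agent's model receives the decoded data. The earlier hunk in this file drops the old standalone `secrets` rule, so the net permission set is unchanged, but relocating it under the tools banner now documents secret reads as a tool requirement without saying which tool needs it. I would move `secrets` and `pods/log` into their own rule headed by the comment `# Sensitive reads: Secret data and container logs are returned to the agent tools; keep this list to what the tools actually need` and confirm whether the tool layer redacts Secret data before returning it. It would also help to record in the banner which tool requires cluster-scoped list on `nodes`, `persistentvolumes` and `endpoints`, since that is broader than describing a single workload.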