fix: remove unnecessary nodes/proxy RBAC permissions #1754
Merged
AndrewChubatiuk merged 2 commits into master on Jan 27, 2026
The `nodes/proxy` permission is not required for the VMAgent controller's operation and may be used to raise privileges.
1 issue found across 4 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="docs/CHANGELOG.md">
<violation number="1" location="docs/CHANGELOG.md:18">
P1: Rule violated: **Changelog Review Agent**
Changelog entry violates the required structure: it describes an internal RBAC permission removal without a before/after, user-visible impact explanation. The changelog rules require user-centric before/after context and observable improvement; internal cleanups alone must be rejected.</violation>
</file>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Signed-off-by: Vadim Rutkovsky <roignac@gmail.com>
AndrewChubatiuk approved these changes Jan 27, 2026
f41gh7 pushed a commit to VictoriaMetrics/VictoriaMetrics that referenced this pull request Jan 29, 2026
…removed

Updated helm-charts and operators no longer come with nodes/proxy permissions for vmagent/vmsingle roles. In the examples using kubelet's proxy endpoint we should explicitly create ClusterRoles / ClusterRoleBinding to grant access.

See VictoriaMetrics/operator#1754 and VictoriaMetrics/helm-charts#2676
Ref: VictoriaMetrics/operator#1753
Fixes #1753
Summary by cubic
Removed the unnecessary nodes/proxy RBAC permission from the VMAgent controller and ClusterRole to reduce privileges and prevent potential escalation. Updated RBAC annotations and the changelog to match; fixes #1753.
Written for commit 016d776. Summary will update on new commits.
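One way to check a cluster for roles that still grant `nodes/proxy` after this change, as an added example that is not code from this pull request or the operator project. It follows Kubernetes RBAC resource matching (`*`, the exact `nodes/proxy`, or the `*/proxy` subresource wildcard); the function names, role names and sample JSON are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
)

// rule holds the rbac.authorization.k8s.io/v1 PolicyRule fields this check needs.
type rule struct{ APIGroups, Resources, Verbs []string }

// has reports whether list contains any of the wanted values.
func has(list []string, want ...string) bool {
	return slices.ContainsFunc(list, func(v string) bool { return slices.Contains(want, v) })
}

// coversNodesProxy applies RBAC matching for the nodes/proxy subresource: core API
// group ("" or "*") and a resource entry of "*", "nodes/proxy" or "*/proxy".
func coversNodesProxy(r rule) bool {
	return len(r.Verbs) > 0 && has(r.APIGroups, "", "*") && has(r.Resources, "*", "nodes/proxy", "*/proxy")
}

// FindNodesProxyRoles lists ClusterRoles in `kubectl get clusterroles -o json` output that grant nodes/proxy.
func FindNodesProxyRoles(doc []byte) ([]string, error) {
	var list struct {
		Items []struct{ Metadata struct{ Name string }; Rules []rule }
	}
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	var hits []string
	for _, cr := range list.Items {
		if slices.ContainsFunc(cr.Rules, coversNodesProxy) {
			hits = append(hits, cr.Metadata.Name)
		}
	}
	return hits, nil
}

// Sample is constructed for this example; the role names are hypothetical.
const Sample = `{"items":[
{"metadata":{"name":"agent-before"},"rules":[{"apiGroups":[""],"resources":["nodes","nodes/proxy"],"verbs":["get","list"]}]},
{"metadata":{"name":"agent-after"},"rules":[{"apiGroups":[""],"resources":["nodes","pods"],"verbs":["get","list"]}]},
{"metadata":{"name":"wildcard"},"rules":[{"apiGroups":["*"],"resources":["*/proxy"],"verbs":["get"]}]},
{"metadata":{"name":"other-group"},"rules":[{"apiGroups":["apps"],"resources":["nodes/proxy"],"verbs":["get"]}]}]}`

func main() {
	fmt.Println(FindNodesProxyRoles([]byte(Sample)))
}
```

Namespaced Roles carry the same rule structure, so the same check applies to `kubectl get roles -A -o json` output.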