Update kube-enforcer helm chart docs #121
These changes are suggested as enhancements to docs.
Unsolicited review, but given I've made 15+ PRs to this repo, thought I'd leave some comments here since I happened to stumble upon this
@@ -2,7 +2,7 @@ | |||
imageCredentials: | |||
# If aqua-registry already exists in the cluster. Make create to false. So it won't attempt to create a new registry secret. | |||
create: true | |||
name: csp-registry-secret # example | |||
name: aqua-registry-secret # example |
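Review bot: the context comment above `create: true` calls the existing secret "aqua-registry", while the new value on the `name:` line is `aqua-registry-secret`. Suggest wording the comment with the same name, for example "If aqua-registry-secret already exists in the cluster, set create to false", so it is clear which secret the chart will otherwise try to create.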
duplicates #110
## Configurable Variables | ||
|
||
### KubeEnforcer | ||
|
||
| Parameter | Description | Default | | ||
| --------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------- | | ||
| `imageCredentials.create` | Set if to create new pull image secret | `true` | | ||
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-image-pull-secret` | | ||
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | |
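Review bot: the `imageCredentials.create` row reads "Set if to create new pull image secret" and does not say when to turn it off. With the default name changing to `aqua-registry-secret` in this hunk, suggest stating in that row that `create` should be `false` when a secret with the name given in `imageCredentials.name` already exists in the cluster, and rewording the description to "Whether to create a new image pull secret".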
duplicates #110
@@ -71,21 +81,25 @@ Optional flags: | |||
--aquaSecret.kubeEnforcerToken default to "" you can find the KubeEnforcer token from aqua csp under enforcers tab in default/custom KubeEnforcer group or you can manually approve KubeEnforcer authentication from aqua CSP under default/custom KubeEnforcer group in enforcers tab. | |||
``` | |||
|
|||
## ClusterRole | |||
|
|||
KubeEnforcer needs a dedicated clusterrole with **get, list, watch** permissions on **pods, secrets, nodes, namespaces, deployments, replicasets, replicationcontrollers, statefulsets, daemonsets, jobs, cronjobs, clusterroles, clusterrolebindings, componentstatuses** to perform discovery on the cluster. |
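Review bot: the new ClusterRole sentence lists `secrets`, `clusterroles` and `clusterrolebindings` among the resources with get, list, watch, but gives "to perform discovery on the cluster" as the only reason. Cluster-wide read on `secrets` exposes the contents of every secret to whatever identity is bound to this role, so suggest saying what each of these sensitive resources is read for. The sentence should also state whether the chart creates this ClusterRole or the operator is expected to, since "needs a dedicated clusterrole" reads as a manual prerequisite.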
This Chart already contains a `ClusterRole`, I would find this very confusing; this makes it sound like I need to add a `ClusterRole` myself.
I've also made a bunch of PRs to fix some very confusing and buggy inconsistencies and this adds a new inconsistency: the Server Chart also has a `ClusterRole`, but nothing is mentioned there...
It also doesn't say why it needs each of those permissions.
ToC also wasn't updated...
I'm not sure what you mean because per my in-line comment the
Ok well I only commented on what duplicated my existing PRs and the I'm not the only user that's found this repo incredibly difficult to use (see the issues and feedback from CS), but you all don't have to take mine or anyone's feedback if you don't want to.
These changes are suggested as enhancements to docs.
@eranbibi @niso120b