[Feature] Enable ML Operator and add required Platform Roles #1952
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR enables the ML (Machine Learning) operator in ArangoDB Kubernetes deployments and adds the required RBAC permissions for the platform operator to manage ML-related resources.
- Enables the ML operator by setting
ml: truein values.yaml files - Adds comprehensive RBAC permissions for managing Kubernetes resources needed by ML workloads
- Updates changelog to document the feature addition
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| chart/kube-arangodb-enterprise/values.yaml | Enables ML operator by changing ml flag from false to true |
| chart/kube-arangodb-enterprise-arm64/values.yaml | Enables ML operator by changing ml flag from false to true |
| chart/kube-arangodb/templates/platform-operator/role.yaml | Adds RBAC permissions for RBAC, batch, apps, and core API resources |
| chart/kube-arangodb-enterprise/templates/platform-operator/role.yaml | Adds RBAC permissions for RBAC, batch, apps, and core API resources |
| chart/kube-arangodb-enterprise-arm64/templates/platform-operator/role.yaml | Adds RBAC permissions for RBAC, batch, apps, and core API resources |
| chart/kube-arangodb-arm64/templates/platform-operator/role.yaml | Adds RBAC permissions for RBAC, batch, apps, and core API resources |
| CHANGELOG.md | Documents the feature addition |
| resources: | ||
| - "roles" | ||
| - "rolebindings" | ||
| verbs: [ "*" ] |
There was a problem hiding this comment.
Granting wildcard permissions () for RBAC resources (roles and rolebindings) poses a significant security risk as it allows the operator to escalate privileges. Consider using specific verbs like ["get", "list", "create", "update", "patch", "delete"] instead of "".
| verbs: [ "*" ] | |
| verbs: [ "get", "list", "create", "update", "patch", "delete" ] |
Copilot uses AI. Check for mistakes.
| resources: | ||
| - "cronjobs" | ||
| - "jobs" | ||
| verbs: [ "*" ] |
There was a problem hiding this comment.
Using wildcard permissions (*) for batch resources is overly permissive. Consider limiting to specific operations needed for ML workloads like ["get", "list", "create", "update", "patch", "delete", "watch"].
| verbs: [ "*" ] | |
| verbs: [ "get", "list", "create", "update", "patch", "delete", "watch" ] |
Copilot uses AI. Check for mistakes.
| - apiGroups: [ "apps" ] | ||
| resources: | ||
| - "statefulsets" | ||
| verbs: [ "*" ] |
There was a problem hiding this comment.
Wildcard permissions (*) for StatefulSets should be restricted to only the necessary operations. Consider using specific verbs like ["get", "list", "create", "update", "patch", "delete", "watch"].
| verbs: [ "*" ] | |
| verbs: [ "get", "list", "create", "update", "patch", "delete", "watch" ] |
Copilot uses AI. Check for mistakes.
| - "secrets" | ||
| - "services" | ||
| - "serviceaccounts" | ||
| verbs: [ "*" ] |
There was a problem hiding this comment.
Granting wildcard permissions (*) for core resources including secrets is a security concern as it provides excessive access to sensitive data. Consider limiting to specific operations required for ML functionality.
| verbs: [ "*" ] | |
| verbs: | |
| - "get" | |
| - "list" | |
| - "watch" |
Copilot uses AI. Check for mistakes.
No description provided.