Add additional k8s rbac resources #514

Merged
merged 1 commit into from Feb 6, 2019

@mstemm (Contributor) commented Feb 1, 2019

Falco also needs to list/watch replicasets, daemonsets, and deployments,
so add them to the resources list.

Add additional k8s rbac resources
Falco also needs to list/watch replicasets, daemonsets, and deployments,
so add them to the resources list.
@@ -15,7 +15,7 @@ metadata:
role: security
rules:
- apiGroups: ["extensions",""]
resources: ["nodes","namespaces","pods","replicationcontrollers","services","events","configmaps"]
resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
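Review bot: The new resources line adds replicasets, daemonsets and deployments while the rule's apiGroups stays ["extensions",""], so the grant covers these three only where they are served from the extensions group. A client that reads them from the apps group would be denied list/watch by this rule; either add "apps" to apiGroups, or leave a comment in the manifest saying the extensions endpoints are the ones in use and that the list must be revisited when that changes.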

@JPLachance (Contributor) commented Feb 1, 2019

replicasets, daemonsets and deployments are now in the apps API group. I think we need to extend the apiGroups array with apps for this change to work 🙂

@mstemm (Author, Contributor) commented Feb 1, 2019

Oh yes, right. I think I'm just going to sync this up with the commercial agent's rbac config, which is structured differently. Let me spend some time to do that.

@mstemm (Contributor, Author) commented Feb 4, 2019

@JPLachance pointed out that many resources e.g. deployments/daemonsets/replicasets are also available via the apps/v1 endpoint. The k8s metadata code in oss sysdig (which is used by oss falco) still uses the extensions/v1beta1 endpoints. Eventually those endpoints will go away, so the sysdig code will need to switch to the new endpoints.

@mstemm (Contributor, Author) commented Feb 4, 2019

Filed draios/sysdig#1308 on sysdig to track updating it to use the new endpoints.

@JPLachance (Contributor) left a comment

Since Sysdig does not support the apps/v1 endpoint yet, this PR works just fine!

@mstemm (Contributor, Author) commented Feb 6, 2019

Checked with how we do our internal RBAC and these choices are correct given the paths we use, so merging.

@mstemm mstemm merged commit bd4c3ff into dev Feb 6, 2019

2 checks passed

Travis CI - Branch Build Passed
Travis CI - Pull Request Build Passed

daixiang0 added a commit to daixiang0/falco that referenced this pull request Feb 10, 2019

Add additional k8s rbac resources (falcosecurity#514)
Falco also needs to list/watch replicasets, daemonsets, and deployments,
so add them to the resources list.