Add additional k8s rbac resources #514

Merged
merged 1 commit into from
Feb 6, 2019
Contributor

@mstemm mstemm commented Feb 1, 2019

Falco also needs to list/watch replicasets, daemonsets, and deployments,
so add them to the resources list.

@@ -15,7 +15,7 @@ metadata:
role: security
rules:
- apiGroups: ["extensions",""]
resources: ["nodes","namespaces","pods","replicationcontrollers","services","events","configmaps"]
resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
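Review bot: the unchanged `apiGroups: ["extensions",""]` line above the edited `resources` line does not list `apps`, so the newly added `replicasets`, `daemonsets` and `deployments` are granted only through the `extensions` group, and a client that reads them from the `apps` group would be denied. If that is intentional because the consumer only queries the `extensions` endpoints, a short comment on the rule saying so would help the next reader; otherwise add `"apps"` to `apiGroups`, preferably as its own rule containing just those three resources so that core-group resources such as `configmaps` are not paired with groups they are not served from.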
Contributor

@JPLachance JPLachance Feb 1, 2019

replicasets, daemonsets and deployments are now in the apps API group. I think we need to extend the apiGroups array with apps for this change to work 🙂

Contributor Author

Oh yes, right. I think I'm just going to sync this up with the commercial agent's rbac config, which is structured differently. Let me spend some time to do that.

Contributor Author

mstemm commented Feb 4, 2019

@JPLachance pointed out that many resources e.g. deployments/daemonsets/replicasets are also available via the apps/v1 endpoint. The k8s metadata code in oss sysdig (which is used by oss falco) still uses the extensions/v1beta1 endpoints. Eventually those endpoints will go away, so the sysdig code will need to switch to the new endpoints.
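
A simplified model of the RBAC rule matching discussed in this thread, as an added example that is not part of the pull request or of Falco's or sysdig's code. The verbs are taken from the PR description ("list/watch") and are an assumption about the manifest; the helper names are hypothetical, and `resourceNames`, subresources and non-resource URLs are ignored.

```python
# Added example: how an RBAC rule's apiGroups/resources/verbs lists are matched
# against a request, and why the API group a client uses matters.

def rule_allows(rule, group, resource, verb):
    """A rule matches only if group, resource and verb are all listed (or '*')."""
    def has(values, wanted):
        return "*" in values or wanted in values
    return (has(rule["apiGroups"], group)
            and has(rule["resources"], resource)
            and has(rule["verbs"], verb))

def missing_access(rules, needed, verbs=("list", "watch")):
    """Return the (group, resource, verb) requests that no rule grants."""
    return [(g, r, v) for g, r in needed for v in verbs
            if not any(rule_allows(rule, g, r, v) for rule in rules)]

def with_group(rules, group):
    """Copy of the rules with one more API group added to every rule."""
    return [dict(rule, apiGroups=rule["apiGroups"] + [group]) for rule in rules]

# The rule as it reads after this PR. The verbs are assumed, not shown in the diff.
MERGED_RULES = [{
    "apiGroups": ["extensions", ""],
    "resources": ["nodes", "namespaces", "pods", "replicationcontrollers",
                  "replicasets", "services", "daemonsets", "deployments",
                  "events", "configmaps"],
    "verbs": ["list", "watch"],
}]

WORKLOADS = ["replicasets", "daemonsets", "deployments"]
VIA_EXTENSIONS = [("extensions", r) for r in WORKLOADS]  # extensions/v1beta1 client
VIA_APPS = [("apps", r) for r in WORKLOADS]              # apps/v1 client

if __name__ == "__main__":
    print("extensions client gaps:", missing_access(MERGED_RULES, VIA_EXTENSIONS))
    for gap in missing_access(MERGED_RULES, VIA_APPS):
        print("apps client not granted:", gap)
    print("after adding 'apps':",
          missing_access(with_group(MERGED_RULES, "apps"), VIA_APPS))
```

The same check can be made against a live cluster with `kubectl auth can-i list deployments.apps --as=system:serviceaccount:<namespace>:<name>`, substituting the service account the role is bound to.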

Contributor Author

mstemm commented Feb 4, 2019

Filed draios/sysdig#1308 on sysdig to track updating it to use the new endpoints.

Contributor

@JPLachance JPLachance left a comment

Since Sysdig does not support the apps/v1 endpoint yet, this PR works just fine!

Contributor Author

mstemm commented Feb 6, 2019

Checked with how we do our internal RBAC and these choices are correct given the paths we use, so merging.
