chore: OSS readiness cleanup #32
Merged
- README install: replace `go install bitnami-labs/...` with `git clone + make build` (the module path still points at the upstream repo; the rename is deferred)
- Delete docs/CONTRIBUTION.md (stale upstream guide, superseded by root CONTRIBUTING.md)
- Delete kubewatch-in-cluster.yaml (byte-for-byte duplicate of kubewatch.yaml)
- .gitignore: add .DS_Store, *.test, *.out, coverage.*
- Align Go version to 1.26.3 across go.mod, README, CONTRIBUTING (matches Dockerfile)
- Move pull_request_template.md to .github/pull_request_template.md (GitHub canonical path)
- Broaden kubewatch-service-account.yaml RBAC to cover all watchable resource kinds (apps, batch, networking, rbac, argoproj — previously only pods + rcs)
- Remove stray double-quote in slackwebhook.go header comment
Code Review
This pull request updates the project to Go 1.26.3 across the configuration and documentation, refines the .gitignore file, and updates the README to favor building from source. It also significantly expands the RBAC permissions in kubewatch-service-account.yaml to monitor a wider range of Kubernetes resources and API groups. Review feedback identifies a high-security risk regarding the broad access granted to secrets and suggests adding sudo to the installation instructions to prevent permission errors.
- kubewatch-service-account.yaml: drop `secrets` from the default ClusterRole. Cluster-wide read on secrets is a high privilege and should be opt-in for users who actually enable the `secret` watch flag. Added an explanatory comment block at the top of the file.
- README.md: prepend `sudo` to the `install -m 0755 ... /usr/local/bin` command (typically requires root).
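As an added example (not code from this PR or from the kubewatch project), here is a small Go check for the concern raised above. Given a ClusterRole as JSON, such as `kubectl get clusterrole <name> -o json` prints, it lists the rules that grant read access to Secrets, counting `*` wildcards as a match. The two sample roles are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// SecretReadRules returns the indexes of rules that allow get, list or watch
// on "secrets" in the core API group (""), counting wildcards as a match.
func SecretReadRules(roleJSON []byte) ([]int, error) {
	var role struct {
		Rules []struct{ APIGroups, Resources, Verbs []string } // JSON keys match case-insensitively
	}
	if err := json.Unmarshal(roleJSON, &role); err != nil {
		return nil, err
	}
	var hits []int
	for i, r := range role.Rules {
		read := has(r.Verbs, "get") || has(r.Verbs, "list") || has(r.Verbs, "watch")
		if read && has(r.APIGroups, "") && has(r.Resources, "secrets") {
			hits = append(hits, i)
		}
	}
	return hits, nil
}

// Constructed sample roles, not the project's manifest.
const broadRole = `{"rules":[
 {"apiGroups":[""],"resources":["pods","secrets"],"verbs":["get","list","watch"]},
 {"apiGroups":["apps"],"resources":["*"],"verbs":["get","list","watch"]},
 {"apiGroups":["*"],"resources":["*"],"verbs":["list"]}]}`
const narrowRole = `{"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["watch"]}]}`

func main() {
	broad, _ := SecretReadRules([]byte(broadRole))
	narrow, _ := SecretReadRules([]byte(narrowRole))
	fmt.Println("broad:", broad, "narrow:", narrow)
}
```

The `list` and `watch` verbs are flagged alongside `get` because both return full Secret objects, not just names.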
blue4209211
approved these changes
May 19, 2026
Summary
Acts on the readiness-review findings (everything except the Go module rename, which is deliberately deferred, and the `/opt/bitnami` container path, which is a runtime change worth its own PR).

- `go install github.com/bitnami-labs/kubewatch@latest` with `git clone + make build` (the install command otherwise pulls from upstream, since the module path still points at `bitnami-labs`).
- `docs/CONTRIBUTION.md` — stale upstream guide that still links to `bitnami-labs/kubewatch/issues`; canonical doc lives at `CONTRIBUTING.md`.
- `kubewatch-in-cluster.yaml` — byte-for-byte duplicate of `kubewatch.yaml`, not referenced by README.
- `.gitignore`: add `.DS_Store`, `*.test`, `*.out`, `coverage.*`.
- `go.mod`, `README.md`, `CONTRIBUTING.md` (Dockerfile is already on 1.26.3 for the stdlib CVE patches).
- `pull_request_template.md` → `.github/pull_request_template.md` (GitHub's canonical location).
- `kubewatch-service-account.yaml` RBAC: previously only `pods` + `replicationcontrollers`, but the tool watches ~18 resource kinds. Now covers core, apps, batch, networking.k8s.io, rbac, and argoproj.io.
- `pkg/handlers/slackwebhook/slackwebhook.go` header comment.

Module rename (`bitnami-labs` → `nudgebee`) and `/opt/bitnami` container path are explicitly not in this PR.

Tests performed

- `go build ./...`
- `go test ./...` (all packages pass)