Merge branch 'master' into ROB-2502-upgrade-runner-supabase-version

Author: moshemorad

Dockerfile

@@ -8,11 +8,13 @@ RUN apt-get update \
     && pip3 install --no-cache-dir --upgrade pip \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ENV_TYPE=DEV
-
 RUN mkdir /app
 WORKDIR /app
 
+RUN curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.33/deb/Release.key -o /app/Release.key
+
+ENV ENV_TYPE=DEV
+
 # Create and activate virtual environment
 RUN python -m venv /app/venv --upgrade-deps && \
     . /app/venv/bin/activate
@@ -67,7 +69,7 @@ WORKDIR /app
 RUN apt-get update \
     && dpkg --add-architecture arm64 \
     && pip3 install --no-cache-dir --upgrade pip \
-    && apt-get install -y --no-install-recommends git ssh curl libcairo2 \
+    && apt-get install -y --no-install-recommends git ssh curl libcairo2 apt-transport-https gnupg2 \
     && apt-get install -y --no-install-recommends libexpat1 \
     && rm -rf /var/lib/apt/lists/*
 
@@ -84,6 +86,15 @@ COPY --from=builder /etc/robusta/playbooks/defaults /etc/robusta/playbooks/defau
 # Copy virtual environment and application files from the build stage
 COPY --from=builder /app /app
 
+# Set up kubectl
+COPY --from=builder /app/Release.key /tmp/Release.key
+RUN cat /tmp/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg \
+    && echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.33/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list \
+    && apt-get update \
+    && apt-get install -y kubectl \
+    && rm -rf /var/lib/apt/lists/* \
+    && rm /tmp/Release.key
+
 # Run the application
 # -u disables stdout buffering https://stackoverflow.com/questions/107705/disable-output-buffering
 CMD [ "python3", "-u", "-m", "robusta.runner.main"]

docs/index.rst

@@ -130,6 +130,7 @@
 
    configuration/exporting/robusta-pro-features
    setup-robusta/alertsui
+   setup-robusta/crds
    configuration/exporting/send-alerts-api
    configuration/exporting/configuration-changes-api
    configuration/exporting/alert-export-api

docs/setup-robusta/crds.rst

@@ -0,0 +1,123 @@
+=============================================
+Custom Resource Definitions (CRDs) Monitoring
+=============================================
+
+Overview
+--------
+
+The CRDs monitoring feature enables you to view and manage Custom Resource Definitions and their instances directly from the Robusta UI. This powerful feature provides visibility into:
+
+* All CRDs deployed in your clusters
+* Individual CR (Custom Resource) instances and their status
+* Resource events and history
+* Full YAML manifests
+* Detailed resource descriptions
+
+Prerequisites
+-------------
+
+To enable CRD monitoring, the Robusta agent needs appropriate permissions to read custom resources in your cluster. This requires adding cluster role rules to your Robusta configuration.
+
+Configuration
+-------------
+
+Basic Configuration
+^^^^^^^^^^^^^^^^^^^
+
+Specify read permissions for the CRDs you need to monitor:
+
+.. code-block:: yaml
+
+    runner:
+      customClusterRoleRules:
+      - apiGroups:
+          - "cert-manager.io"
+        resources:
+          - "certificates"
+          - "certificaterequests"
+          - "issuers"
+          - "clusterissuers"
+        verbs:
+          - "list"
+          - "get"
+      - apiGroups:
+          - "acme.cert-manager.io"
+        resources:
+          - "challenges"
+          - "orders"
+        verbs:
+          - "list"
+          - "get"
+
+Applying the Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+1. Update your ``values.yaml`` file with the desired configuration
+2. Apply the changes using Helm:
+
+.. code-block:: bash
+
+    helm upgrade robusta robusta/robusta \
+      --values values.yaml \
+      --namespace robusta \
+      --reuse-values
+
+Automatic Configuration with Holmes AI
+---------------------------------------
+
+Instead of manually configuring permissions for each CRD, you can use Holmes AI to automatically generate the configuration for all CRDs in your cluster.
+
+Using Holmes to Generate Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+1. Navigate to the **Holmes Ask** page in the Robusta UI
+2. Use the following prompt:
+
+.. code-block:: text
+
+    I want to add read only cluster roles for all the crds in my cluster.
+    This is the format for adding one:
+    runner:
+      customClusterRoleRules:
+        - apiGroups:
+            - "storage.k8s.io"
+          resources:
+            - "storageclasses"
+          verbs:
+            - "list"
+            - "get"
+    Prepare my config
+
+3. Holmes will analyze your cluster and generate a complete configuration including all CRDs
+4. Copy the generated configuration and add it to your ``values.yaml``
+5. Apply the configuration using Helm as described above
+
+.. tip::
+    After Holmes generates the configuration, you can review and modify it to remove any CRDs you don't want to monitor before applying it.
+
+Troubleshooting
+---------------
+
+Common Issues and Solutions
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+**Issue 1: CRDs not appearing in UI**
+
+* **Check permissions**: Verify the ClusterRole has the correct permissions
+
+  .. code-block:: bash
+
+      kubectl get clusterrole robusta-runner -o yaml
+
+* **Check agent logs**: Look for permission errors
+
+  .. code-block:: bash
+
+      kubectl logs -n robusta deployment/robusta-runner | grep -i "forbidden"
+
+**Issue 2: "Forbidden" errors when accessing CRDs**
+
+* **Solution**: Add the specific apiGroup and resource to ``customClusterRoleRules``
+* **Example error**: ``cannot get resource "certificates" in API group "cert-manager.io"``
+* **Fix**: Add the cert-manager.io apiGroup with certificates resource
+

helm/robusta/templates/runner-service-account.yaml

@@ -7,6 +7,14 @@ rules:
   {{- if .Values.runner.customClusterRoleRules }}
 {{ toYaml .Values.runner.customClusterRoleRules | indent 2 }}
   {{- end }}
+  - apiGroups:
+      - "apiextensions.k8s.io"
+    resources:
+      - "customresourcedefinitions"
+    verbs:
+      - "list"
+      - "get"
+
   - apiGroups:
       - ""
     resources:

helm/robusta/values.yaml

@@ -92,6 +92,11 @@ lightActions:
 - holmes_chat
 - holmes_workload_chat
 - list_pods
+- kubectl_describe
+- fetch_resource_yaml
+- fetch_resource_events
+- fetch_crds
+- fetch_cr_instances
 
 # install prometheus, alert-manager, and grafana along with Robusta?
 enablePrometheusStack: false

src/robusta/core/model/env_vars.py

@@ -140,4 +140,6 @@ def load_bool(env_var, default: bool):
 
 # enable custom CRDs supported by robusta "["StrimziPodSet", "Cluster"]"
 CUSTOM_CRD = json.loads(os.environ.get("CUSTOM_CRD", "[]"))
-SET_KRR_SECURITY_CONTEXT = load_bool("SET_KRR_SECURITY_CONTEXT", False)
+SET_KRR_SECURITY_CONTEXT = load_bool("SET_KRR_SECURITY_CONTEXT", False)
+
+KUBECTL_CMD_TIMEOUT_SEC=int(os.environ.get("KUBECTL_CMD_TIMEOUT_SEC", 180))