diff --git a/docs/setup-robusta/crds.rst b/docs/setup-robusta/crds.rst
index dc557d54c..0d188ba8c 100644
--- a/docs/setup-robusta/crds.rst
+++ b/docs/setup-robusta/crds.rst
@@ -83,6 +83,26 @@ Or to monitor all resources in an API group:
 - "list"
 - "get"
+Default CRD Permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Robusta includes read-only permissions for common Kubernetes operators and tools by default. These can be individually enabled or disabled:
+
+.. code-block:: yaml
+
+ runner:
+ crdPermissions:
+ argo: true # Argo CD, Argo Workflows, Argo Rollouts
+ flux: true # Flux CD (GitOps toolkit)
+ kafka: true # Strimzi Kafka
+ keda: true # KEDA autoscaler
+ crossplane: true # Crossplane
+ istio: true # Istio service mesh
+ gatewayApi: true # Kubernetes Gateway API
+ velero: true # Velero backup/restore
+ externalSecrets: true # External Secrets Operator
+
+
 Applying the Configuration
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/helm/robusta/templates/runner-service-account.yaml b/helm/robusta/templates/runner-service-account.yaml
index 18718f5fd..434413377 100644
--- a/helm/robusta/templates/runner-service-account.yaml
+++ b/helm/robusta/templates/runner-service-account.yaml
@@ -328,6 +328,221 @@ rules:
 - patch
 - update
 {{- end }}
+{{- if .Values.runner.crdPermissions.argo }}
+ # Argo CD and Argo Workflows
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - applicationsets
+ - appprojects
+ - workflows
+ - workflowtemplates
+ - cronworkflows
+ - rollouts
+ - analysisruns
+ - analysistemplates
+ - experiments
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.flux }}
+ # Flux CD
+ - apiGroups:
+ - source.toolkit.fluxcd.io
+ resources:
+ - gitrepositories
+ - helmrepositories
+ - helmcharts
+ - ocirepositories
+ - buckets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - kustomize.toolkit.fluxcd.io
+ resources:
+ - kustomizations
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - helm.toolkit.fluxcd.io
+ resources:
+ - helmreleases
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - notification.toolkit.fluxcd.io
+ resources:
+ - alerts
+ - providers
+ - receivers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - image.toolkit.fluxcd.io
+ resources:
+ - imagepolicies
+ - imagerepositories
+ - imageupdateautomations
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.kafka }}
+ # Strimzi Kafka
+ - apiGroups:
+ - kafka.strimzi.io
+ resources:
+ - kafkas
+ - kafkatopics
+ - kafkausers
+ - kafkaconnects
+ - kafkaconnectors
+ - kafkamirrormakers
+ - kafkamirrormaker2s
+ - kafkabridges
+ - kafkarebalances
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - core.strimzi.io
+ resources:
+ - strimzipodsets
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.keda }}
+ # KEDA
+ - apiGroups:
+ - keda.sh
+ resources:
+ - scaledobjects
+ - scaledjobs
+ - triggerauthentications
+ - clustertriggerauthentications
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.crossplane }}
+ # Crossplane
+ - apiGroups:
+ - pkg.crossplane.io
+ resources:
+ - providers
+ - configurations
+ - providerrevisions
+ - configurationrevisions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apiextensions.crossplane.io
+ resources:
+ - compositeresourcedefinitions
+ - compositions
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.istio }}
+ # Istio
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - virtualservices
+ - destinationrules
+ - gateways
+ - serviceentries
+ - sidecars
+ - envoyfilters
+ - workloadentries
+ - workloadgroups
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - peerauthentications
+ - requestauthentications
+ - authorizationpolicies
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.gatewayApi }}
+ # Gateway API
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gateways
+ - gatewayclasses
+ - httproutes
+ - grpcroutes
+ - tcproutes
+ - udproutes
+ - tlsroutes
+ - referencegrants
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.velero }}
+ # Velero
+ - apiGroups:
+ - velero.io
+ resources:
+ - backups
+ - restores
+ - schedules
+ - backupstoragelocations
+ - volumesnapshotlocations
+ - podvolumebackups
+ - podvolumerestores
+ - downloadrequests
+ - deletebackuprequests
+ - serverstatusrequests
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.externalSecrets }}
+ # External Secrets Operator
+ - apiGroups:
+ - external-secrets.io
+ resources:
+ - externalsecrets
+ - secretstores
+ - clustersecretstores
+ - clusterexternalsecrets
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
 ---
 apiVersion: v1
diff --git a/helm/robusta/values.yaml b/helm/robusta/values.yaml
index 8c7f3230e..a377f0722 100644
--- a/helm/robusta/values.yaml
+++ b/helm/robusta/values.yaml
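Review bot: The `# Argo CD and Argo Workflows` comment on the argo block does not match the rule under it, which also grants read access to Argo Rollouts resources (`rollouts`, `analysisruns`, `analysistemplates`, `experiments`) and which the docs hunk describes as covering Rollouts too; change it to `# Argo CD, Argo Workflows and Argo Rollouts`, or move those four resources under the chart's existing top-level `argoRollouts` flag, which the values.yaml hunk shows defaulting to `false`. If that flag already gates an Argo Rollouts rule elsewhere in this template (not visible in the hunk), the two toggles now overlap and `crdPermissions.argo: true` grants rollouts read access regardless of it. Every block is guarded with `{{- if .Values.runner.crdPermissions.<name> }}`, so a values override that sets `runner.crdPermissions` to `null` fails at render with a nil-pointer error instead of disabling the rules; wrapping the section in `{{- with .Values.runner.crdPermissions }}` or reading it through `default (dict)` would make that case fail safe. The `rules:` list these entries extend starts outside the hunk, so whether this binding is namespaced or cluster-wide cannot be confirmed here.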
@@ -111,6 +111,7 @@ monitorHelmReleases: true
 argoRollouts: false
+ # scale alerts processing.
 # Used to support clusters with high load of alerts. When used, the runner will consume more memory
 scaleAlertsProcessing: False
@@ -738,6 +739,17 @@ runner:
 # Enable hardened filesystem security (read-only root filesystem with writable volume mounts)
 hardenedFs: false
 setKRRSecurityContext: false
+# CRD permissions for common Kubernetes operators and tools
+ crdPermissions:
+ argo: true
+ flux: true
+ kafka: true
+ keda: true
+ crossplane: true
+ istio: true
+ gatewayApi: true
+ velero: true
+ externalSecrets: true
 kube-prometheus-stack:
 alertmanager:
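Review bot: The new `# CRD permissions for common Kubernetes operators and tools` comment sits at column 0 while the `crdPermissions:` key it describes is nested under `runner:`, which yamllint's `comments-indentation` rule rejects and which reads as a top-level section break; indent it to match the key, `  # CRD permissions for common Kubernetes operators and tools`. All nine toggles default to `true`, so every install's runner service account is granted read access to API groups such as `velero.io` and `external-secrets.io` whether or not those operators are present in the cluster; a least-privilege alternative is to default them to `false` and document opt-in, or at minimum to extend the comment with a sentence saying each can be set to `false` on clusters that do not run the tool. The first hunk appears to add only a blank line above the `scaleAlertsProcessing` comment and needs no change.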