From ecf6130682ff984524938860a88190a51d6daa4a Mon Sep 17 00:00:00 2001
From: Roi Glinik
Date: Thu, 18 Dec 2025 13:43:17 +0200
Subject: [PATCH 1/4] add default crd permission for common kubernetes tools
Signed-off-by: Roi Glinik
---
.../templates/runner-service-account.yaml | 201 ++++++++++++++++++
helm/robusta/values.yaml | 10 +
2 files changed, 211 insertions(+)
diff --git a/helm/robusta/templates/runner-service-account.yaml b/helm/robusta/templates/runner-service-account.yaml
index 18718f5fd..d0e23fde4 100644
--- a/helm/robusta/templates/runner-service-account.yaml
+++ b/helm/robusta/templates/runner-service-account.yaml
@@ -328,6 +328,207 @@ rules: - patch - update {{- end }}
+{{- if .Values.crdPermissions.argo }}
+ # Argo CD and Argo Workflows
+ - apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - applicationsets
+ - appprojects
+ - workflows
+ - workflowtemplates
+ - cronworkflows
+ - rollouts
+ - analysisruns
+ - analysistemplates
+ - experiments
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.crdPermissions.flux }}
+ # Flux CD
+ - apiGroups:
+ - source.toolkit.fluxcd.io
+ resources:
+ - gitrepositories
+ - helmrepositories
+ - helmcharts
+ - ocirepositories
+ - buckets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - kustomize.toolkit.fluxcd.io
+ resources:
+ - kustomizations
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - helm.toolkit.fluxcd.io
+ resources:
+ - helmreleases
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - notification.toolkit.fluxcd.io
+ resources:
+ - alerts
+ - providers
+ - receivers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - image.toolkit.fluxcd.io
+ resources:
+ - imagepolicies
+ - imagerepositories
+ - imageupdateautomations
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.crdPermissions.kafka }}
+ # Strimzi Kafka
+ - apiGroups:
+ - kafka.strimzi.io
+ resources:
+ - kafkas
+ - kafkatopics
+ - kafkausers
+ - kafkaconnects
+ - kafkaconnectors
+ - kafkamirrormakers
+ - kafkamirrormaker2s
+ - kafkabridges
+ - kafkarebalances
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - core.strimzi.io
+ resources:
+ - strimzipodsets
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.crdPermissions.keda }}
+ # KEDA
+ - apiGroups:
+ - keda.sh
+ resources:
+ - scaledobjects
+ - scaledjobs
+ - triggerauthentications
+ - clustertriggerauthentications
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.crdPermissions.crossplane }}
+ # Crossplane
+ - apiGroups:
+ - pkg.crossplane.io
+ resources:
+ - providers
+ - configurations
+ - providerrevisions
+ - configurationrevisions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apiextensions.crossplane.io
+ resources:
+ - compositeresourcedefinitions
+ - compositions
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.crdPermissions.istio }}
+ # Istio
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - virtualservices
+ - destinationrules
+ - gateways
+ - serviceentries
+ - sidecars
+ - envoyfilters
+ - workloadentries
+ - workloadgroups
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - security.istio.io
+ resources:
+ - peerauthentications
+ - requestauthentications
+ - authorizationpolicies
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.crdPermissions.gatewayApi }}
+ # Gateway API
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gateways
+ - gatewayclasses
+ - httproutes
+ - grpcroutes
+ - tcproutes
+ - udproutes
+ - tlsroutes
+ - referencegrants
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+{{- if .Values.crdPermissions.velero }}
+ # Velero
+ - apiGroups:
+ - velero.io
+ resources:
+ - backups
+ - restores
+ - schedules
+ - backupstoragelocations
+ - volumesnapshotlocations
+ - podvolumebackups
+ - podvolumerestores
+ - downloadrequests
+ - deletebackuprequests
+ - serverstatusrequests
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
--- apiVersion: v1
diff --git a/helm/robusta/values.yaml b/helm/robusta/values.yaml
index 8c7f3230e..6e0fc9214 100644
--- a/helm/robusta/values.yaml
+++ b/helm/robusta/values.yaml
@@ -110,6 +110,16 @@ enableServiceMonitors: true monitorHelmReleases: true argoRollouts: false
+# CRD permissions for common Kubernetes operators and tools
+crdPermissions:
+ argo: true
+ flux: true
+ kafka: true
+ keda: true
+ crossplane: true
+ istio: true
+ gatewayApi: true
+ velero: true
# scale alerts processing. # Used to support clusters with high load of alerts. When used, the runner will consume more memory
From 63fc178af4ad9196c7ab38a7678d728650329b9d Mon Sep 17 00:00:00 2001
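Review bot: The comment `# Argo CD and Argo Workflows` above the `argoproj.io` rule undersells what it grants: the resource list also covers Argo Rollouts (`rollouts`, `analysisruns`, `analysistemplates`, `experiments`), and the chart already carries an `argoRollouts: false` value (visible as context in the values.yaml hunk) whose relationship to `crdPermissions.argo` is left unstated. Change the comment to `# Argo CD, Argo Workflows and Argo Rollouts` and say in values.yaml how the two switches interact, or leave the Rollouts resources to whatever `argoRollouts` gates, which is outside this patch; the `rules:` list these entries extend also begins above the hunk. Separately, every `crdPermissions.*` switch defaults to `true`, so a stock install's runner role lists and watches nine third-party API groups whether or not those operators exist; a rule on an absent API group is inert, but least privilege argues for `false` (opt-in) defaults or at least a values.yaml comment stating that these reads are granted by default. The verbs are get/list/watch throughout, which matches the read-only intent. The same default-on point applies to the relocated block in patch 3 (`@@ -748,6 +739,16 @@`) and to `externalSecrets` in patch 4.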
From: Roi Glinik
Date: Thu, 18 Dec 2025 13:44:12 +0200
Subject: [PATCH 2/4] add docs short description
Signed-off-by: Roi Glinik
---
docs/setup-robusta/crds.rst | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/docs/setup-robusta/crds.rst b/docs/setup-robusta/crds.rst
index dc557d54c..c4e3e2232 100644
--- a/docs/setup-robusta/crds.rst
+++ b/docs/setup-robusta/crds.rst
@@ -83,6 +83,24 @@ Or to monitor all resources in an API group: - "list" - "get"
+Default CRD Permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Robusta includes read-only permissions for common Kubernetes operators and tools by default. These can be individually enabled or disabled:
+
+.. code-block:: yaml
+
+ crdPermissions:
+ argo: true # Argo CD, Argo Workflows, Argo Rollouts
+ flux: true # Flux CD (GitOps toolkit)
+ kafka: true # Strimzi Kafka
+ keda: true # KEDA autoscaler
+ crossplane: true # Crossplane
+ istio: true # Istio service mesh
+ gatewayApi: true # Kubernetes Gateway API
+ velero: true # Velero backup/restore
+
+
Applying the Configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^
From f5403f2933384c3c657894114198ed9e7fdbb704 Mon Sep 17 00:00:00 2001
From: Roi Glinik
Date: Thu, 18 Dec 2025 14:28:00 +0200
Subject: [PATCH 3/4] move values to runner scope
Signed-off-by: Roi Glinik
---
docs/setup-robusta/crds.rst | 19 +++++++++--------
.../templates/runner-service-account.yaml | 16 +++++++-------
helm/robusta/values.yaml | 21 ++++++++++---------
3 files changed, 29 insertions(+), 27 deletions(-)
diff --git a/docs/setup-robusta/crds.rst b/docs/setup-robusta/crds.rst
index c4e3e2232..2fb45fdd7 100644
--- a/docs/setup-robusta/crds.rst
+++ b/docs/setup-robusta/crds.rst
@@ -90,15 +90,16 @@ Robusta includes read-only permissions for common Kubernetes operators and tools .. code-block:: yaml
- crdPermissions:
- argo: true # Argo CD, Argo Workflows, Argo Rollouts
- flux: true # Flux CD (GitOps toolkit)
- kafka: true # Strimzi Kafka
- keda: true # KEDA autoscaler
- crossplane: true # Crossplane
- istio: true # Istio service mesh
- gatewayApi: true # Kubernetes Gateway API
- velero: true # Velero backup/restore
+ runner:
+ crdPermissions:
+ argo: true # Argo CD, Argo Workflows, Argo Rollouts
+ flux: true # Flux CD (GitOps toolkit)
+ kafka: true # Strimzi Kafka
+ keda: true # KEDA autoscaler
+ crossplane: true # Crossplane
+ istio: true # Istio service mesh
+ gatewayApi: true # Kubernetes Gateway API
+ velero: true # Velero backup/restore
Applying the Configuration
diff --git a/helm/robusta/templates/runner-service-account.yaml b/helm/robusta/templates/runner-service-account.yaml
index d0e23fde4..d87b47833 100644
--- a/helm/robusta/templates/runner-service-account.yaml
+++ b/helm/robusta/templates/runner-service-account.yaml
@@ -328,7 +328,7 @@ rules: - patch - update {{- end }}
-{{- if .Values.crdPermissions.argo }}
+{{- if .Values.runner.crdPermissions.argo }}
# Argo CD and Argo Workflows - apiGroups: - argoproj.io
@@ -348,7 +348,7 @@ rules: - list - watch {{- end }}
-{{- if .Values.crdPermissions.flux }}
+{{- if .Values.runner.crdPermissions.flux }}
# Flux CD - apiGroups: - source.toolkit.fluxcd.io
@@ -399,7 +399,7 @@ rules: - list - watch {{- end }}
-{{- if .Values.crdPermissions.kafka }}
+{{- if .Values.runner.crdPermissions.kafka }}
# Strimzi Kafka - apiGroups: - kafka.strimzi.io
@@ -426,7 +426,7 @@ rules: - list - watch {{- end }}
-{{- if .Values.crdPermissions.keda }}
+{{- if .Values.runner.crdPermissions.keda }}
# KEDA - apiGroups: - keda.sh
@@ -440,7 +440,7 @@ rules: - list - watch {{- end }}
-{{- if .Values.crdPermissions.crossplane }}
+{{- if .Values.runner.crdPermissions.crossplane }}
# Crossplane - apiGroups: - pkg.crossplane.io
@@ -463,7 +463,7 @@ rules: - list - watch {{- end }}
-{{- if .Values.crdPermissions.istio }}
+{{- if .Values.runner.crdPermissions.istio }}
# Istio - apiGroups: - networking.istio.io
@@ -491,7 +491,7 @@ rules: - list - watch {{- end }}
-{{- if .Values.crdPermissions.gatewayApi }}
+{{- if .Values.runner.crdPermissions.gatewayApi }}
# Gateway API - apiGroups: - gateway.networking.k8s.io
@@ -509,7 +509,7 @@ rules: - list - watch {{- end }}
-{{- if .Values.crdPermissions.velero }}
+{{- if .Values.runner.crdPermissions.velero }}
# Velero - apiGroups: - velero.io
diff --git a/helm/robusta/values.yaml b/helm/robusta/values.yaml
index 6e0fc9214..f383b26b4 100644
--- a/helm/robusta/values.yaml
+++ b/helm/robusta/values.yaml
@@ -110,16 +110,7 @@ enableServiceMonitors: true monitorHelmReleases: true argoRollouts: false
-# CRD permissions for common Kubernetes operators and tools
-crdPermissions:
- argo: true
- flux: true
- kafka: true
- keda: true
- crossplane: true
- istio: true
- gatewayApi: true
- velero: true
+
# scale alerts processing. # Used to support clusters with high load of alerts. When used, the runner will consume more memory
@@ -748,6 +739,16 @@ runner: # Enable hardened filesystem security (read-only root filesystem with writable volume mounts) hardenedFs: false setKRRSecurityContext: false
+# CRD permissions for common Kubernetes operators and tools
+ crdPermissions:
+ argo: true
+ flux: true
+ kafka: true
+ keda: true
+ crossplane: true
+ istio: true
+ gatewayApi: true
+ velero: true
kube-prometheus-stack: alertmanager:
From 77f99348ba57a39c595c7f586b2e245da7151f63 Mon Sep 17 00:00:00 2001
From: Roi Glinik
Date: Thu, 25 Dec 2025 18:10:10 +0200
Subject: [PATCH 4/4] add basic external secrets CRDS
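Review bot: The added comment `# CRD permissions for common Kubernetes operators and tools` in `@@ -748,6 +739,16 @@` sits at column 0 while the `crdPermissions:` mapping it introduces is nested under `runner:` (the hunk header and the indented `+ crdPermissions:` line show this); YAML tolerates it, but it reads as a top-level stanza and yamllint's comments-indentation check flags it. Indent it to the same level as the key it describes, i.e. `  # CRD permissions for common Kubernetes operators and tools`. In the companion hunk `@@ -110,16 +110,7 @@` the removed block is replaced by a single added blank line; if the context lines around it are already blank, that leaves a run of empty lines and the `+` line can simply be dropped.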
Signed-off-by: Roi Glinik
---
docs/setup-robusta/crds.rst | 17 +++++++++--------
.../templates/runner-service-account.yaml | 14 ++++++++++++++
helm/robusta/values.yaml | 1 +
3 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/docs/setup-robusta/crds.rst b/docs/setup-robusta/crds.rst
index 2fb45fdd7..0d188ba8c 100644
--- a/docs/setup-robusta/crds.rst
+++ b/docs/setup-robusta/crds.rst
@@ -92,14 +92,15 @@ Robusta includes read-only permissions for common Kubernetes operators and tools runner: crdPermissions:
- argo: true # Argo CD, Argo Workflows, Argo Rollouts
- flux: true # Flux CD (GitOps toolkit)
- kafka: true # Strimzi Kafka
- keda: true # KEDA autoscaler
- crossplane: true # Crossplane
- istio: true # Istio service mesh
- gatewayApi: true # Kubernetes Gateway API
- velero: true # Velero backup/restore
+ argo: true # Argo CD, Argo Workflows, Argo Rollouts
+ flux: true # Flux CD (GitOps toolkit)
+ kafka: true # Strimzi Kafka
+ keda: true # KEDA autoscaler
+ crossplane: true # Crossplane
+ istio: true # Istio service mesh
+ gatewayApi: true # Kubernetes Gateway API
+ velero: true # Velero backup/restore
+ externalSecrets: true # External Secrets Operator
Applying the Configuration
diff --git a/helm/robusta/templates/runner-service-account.yaml b/helm/robusta/templates/runner-service-account.yaml
index d87b47833..434413377 100644
--- a/helm/robusta/templates/runner-service-account.yaml
+++ b/helm/robusta/templates/runner-service-account.yaml
@@ -529,6 +529,20 @@ rules: - list - watch {{- end }}
+{{- if .Values.runner.crdPermissions.externalSecrets }}
+ # External Secrets Operator
+ - apiGroups:
+ - external-secrets.io
+ resources:
+ - externalsecrets
+ - secretstores
+ - clustersecretstores
+ - clusterexternalsecrets
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
--- apiVersion: v1
diff --git a/helm/robusta/values.yaml b/helm/robusta/values.yaml
index f383b26b4..a377f0722 100644
--- a/helm/robusta/values.yaml
+++ b/helm/robusta/values.yaml
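Review bot: The new `external-secrets.io` rule in `@@ -529,6 +529,20 @@` deserves a more explicit comment than `# External Secrets Operator`, because `secretstores` and `clustersecretstores` are the objects that describe where every synced secret is sourced from (provider, endpoint and, typically, the references to the credential Secrets used to reach it); reading them exposes configuration rather than secret material, but a reviewer of this role should see that distinction stated next to the grant. Suggest `# External Secrets Operator: ExternalSecret/SecretStore specs and status only; no core secrets verbs are added by this block`. The verbs stay get/list/watch, consistent with the other blocks, and the `{{- if .Values.runner.crdPermissions.externalSecrets }}` guard follows the runner-scoped key introduced in patch 3. Whether the same role grants core `secrets` elsewhere, and the kind of the role itself, are outside this hunk; the `rules:` list it extends begins above it.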
@@ -749,6 +749,7 @@ runner: istio: true gatewayApi: true velero: true
+ externalSecrets: true
kube-prometheus-stack: alertmanager: