ROB-2714 more crds default access

docs/setup-robusta/crds.rst

@@ -83,6 +83,26 @@ Or to monitor all resources in an API group:
           - "list"
           - "get"
 
+Default CRD Permissions 
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Robusta includes read-only permissions for common Kubernetes operators and tools by default. These can be individually enabled or disabled:
+
+.. code-block:: yaml
+
+    runner:
+      crdPermissions:
+        argo: true             # Argo CD, Argo Workflows, Argo Rollouts
+        flux: true             # Flux CD (GitOps toolkit)
+        kafka: true            # Strimzi Kafka
+        keda: true             # KEDA autoscaler
+        crossplane: true       # Crossplane
+        istio: true            # Istio service mesh
+        gatewayApi: true       # Kubernetes Gateway API
+        velero: true           # Velero backup/restore
+        externalSecrets: true  # External Secrets Operator
+
+
 Applying the Configuration
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

helm/robusta/templates/runner-service-account.yaml

@@ -328,6 +328,221 @@ rules:
     - patch
     - update
 {{- end }}
+{{- if .Values.runner.crdPermissions.argo }}
+  # Argo CD and Argo Workflows
+  - apiGroups:
+    - argoproj.io
+    resources:
+    - applications
+    - applicationsets
+    - appprojects
+    - workflows
+    - workflowtemplates
+    - cronworkflows
+    - rollouts
+    - analysisruns
+    - analysistemplates
+    - experiments
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.flux }}
+  # Flux CD
+  - apiGroups:
+    - source.toolkit.fluxcd.io
+    resources:
+    - gitrepositories
+    - helmrepositories
+    - helmcharts
+    - ocirepositories
+    - buckets
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - kustomize.toolkit.fluxcd.io
+    resources:
+    - kustomizations
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - helm.toolkit.fluxcd.io
+    resources:
+    - helmreleases
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - notification.toolkit.fluxcd.io
+    resources:
+    - alerts
+    - providers
+    - receivers
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - image.toolkit.fluxcd.io
+    resources:
+    - imagepolicies
+    - imagerepositories
+    - imageupdateautomations
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.kafka }}
+  # Strimzi Kafka
+  - apiGroups:
+    - kafka.strimzi.io
+    resources:
+    - kafkas
+    - kafkatopics
+    - kafkausers
+    - kafkaconnects
+    - kafkaconnectors
+    - kafkamirrormakers
+    - kafkamirrormaker2s
+    - kafkabridges
+    - kafkarebalances
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - core.strimzi.io
+    resources:
+    - strimzipodsets
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.keda }}
+  # KEDA
+  - apiGroups:
+    - keda.sh
+    resources:
+    - scaledobjects
+    - scaledjobs
+    - triggerauthentications
+    - clustertriggerauthentications
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.crossplane }}
+  # Crossplane
+  - apiGroups:
+    - pkg.crossplane.io
+    resources:
+    - providers
+    - configurations
+    - providerrevisions
+    - configurationrevisions
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - apiextensions.crossplane.io
+    resources:
+    - compositeresourcedefinitions
+    - compositions
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.istio }}
+  # Istio
+  - apiGroups:
+    - networking.istio.io
+    resources:
+    - virtualservices
+    - destinationrules
+    - gateways
+    - serviceentries
+    - sidecars
+    - envoyfilters
+    - workloadentries
+    - workloadgroups
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - security.istio.io
+    resources:
+    - peerauthentications
+    - requestauthentications
+    - authorizationpolicies
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.gatewayApi }}
+  # Gateway API
+  - apiGroups:
+    - gateway.networking.k8s.io
+    resources:
+    - gateways
+    - gatewayclasses
+    - httproutes
+    - grpcroutes
+    - tcproutes
+    - udproutes
+    - tlsroutes
+    - referencegrants
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.velero }}
+  # Velero
+  - apiGroups:
+    - velero.io
+    resources:
+    - backups
+    - restores
+    - schedules
+    - backupstoragelocations
+    - volumesnapshotlocations
+    - podvolumebackups
+    - podvolumerestores
+    - downloadrequests
+    - deletebackuprequests
+    - serverstatusrequests
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
+{{- if .Values.runner.crdPermissions.externalSecrets }}
+  # External Secrets Operator
+  - apiGroups:
+    - external-secrets.io
+    resources:
+    - externalsecrets
+    - secretstores
+    - clustersecretstores
+    - clusterexternalsecrets
+    verbs:
+    - get
+    - list
+    - watch
+{{- end }}
 
 ---
 apiVersion: v1

helm/robusta/values.yaml

@@ -111,6 +111,7 @@ monitorHelmReleases: true
 argoRollouts: false
 
 
+
 # scale alerts processing.
 # Used to support clusters with high load of alerts. When used, the runner will consume more memory
 scaleAlertsProcessing: False
@@ -738,6 +739,17 @@ runner:
   # Enable hardened filesystem security (read-only root filesystem with writable volume mounts)
   hardenedFs: false
   setKRRSecurityContext: false
+# CRD permissions for common Kubernetes operators and tools
+  crdPermissions:
+    argo: true
+    flux: true
+    kafka: true
+    keda: true
+    crossplane: true
+    istio: true
+    gatewayApi: true
+    velero: true
+    externalSecrets: true
 
 kube-prometheus-stack:
   alertmanager: