Skip to content

[Feature] Enable ML Operator and add required Platform Roles #1952

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 11, 2025
Merged

[Feature] Enable ML Operator and add required Platform Roles #1952

merged 2 commits into from
Aug 11, 2025

Conversation

@ajanikow
Copy link
Collaborator

No description provided.

@cla-bot cla-bot bot added the cla-signed label Aug 11, 2025
@ajanikow ajanikow requested a review from Copilot August 11, 2025 10:07
Copilot AI reviewed Aug 11, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enables the ML (Machine Learning) operator in ArangoDB Kubernetes deployments and adds the required RBAC permissions for the platform operator to manage ML-related resources.

  • Enables the ML operator by setting ml: true in values.yaml files
  • Adds comprehensive RBAC permissions for managing Kubernetes resources needed by ML workloads
  • Updates changelog to document the feature addition

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
chart/kube-arangodb-enterprise/values.yaml Enables ML operator by changing ml flag from false to true
chart/kube-arangodb-enterprise-arm64/values.yaml Enables ML operator by changing ml flag from false to true
chart/kube-arangodb/templates/platform-operator/role.yaml Adds RBAC permissions for RBAC, batch, apps, and core API resources
chart/kube-arangodb-enterprise/templates/platform-operator/role.yaml Adds RBAC permissions for RBAC, batch, apps, and core API resources
chart/kube-arangodb-enterprise-arm64/templates/platform-operator/role.yaml Adds RBAC permissions for RBAC, batch, apps, and core API resources
chart/kube-arangodb-arm64/templates/platform-operator/role.yaml Adds RBAC permissions for RBAC, batch, apps, and core API resources
CHANGELOG.md Documents the feature addition

chart/kube-arangodb/templates/platform-operator/role.yaml
resources:
- "roles"
- "rolebindings"
verbs: [ "*" ]
Copy link

Copilot AI Aug 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Granting wildcard permissions () for RBAC resources (roles and rolebindings) poses a significant security risk as it allows the operator to escalate privileges. Consider using specific verbs like ["get", "list", "create", "update", "patch", "delete"] instead of "".

Suggested change
verbs: [ "*" ]
verbs: [ "get", "list", "create", "update", "patch", "delete" ]

Copilot uses AI. Check for mistakes.
chart/kube-arangodb/templates/platform-operator/role.yaml
resources:
- "cronjobs"
- "jobs"
verbs: [ "*" ]
Copy link

Copilot AI Aug 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using wildcard permissions (*) for batch resources is overly permissive. Consider limiting to specific operations needed for ML workloads like ["get", "list", "create", "update", "patch", "delete", "watch"].

Suggested change
verbs: [ "*" ]
verbs: [ "get", "list", "create", "update", "patch", "delete", "watch" ]

Copilot uses AI. Check for mistakes.
chart/kube-arangodb/templates/platform-operator/role.yaml
- apiGroups: [ "apps" ]
resources:
- "statefulsets"
verbs: [ "*" ]
Copy link

Copilot AI Aug 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wildcard permissions (*) for StatefulSets should be restricted to only the necessary operations. Consider using specific verbs like ["get", "list", "create", "update", "patch", "delete", "watch"].

Suggested change
verbs: [ "*" ]
verbs: [ "get", "list", "create", "update", "patch", "delete", "watch" ]

Copilot uses AI. Check for mistakes.
chart/kube-arangodb/templates/platform-operator/role.yaml
- "secrets"
- "services"
- "serviceaccounts"
verbs: [ "*" ]
Copy link

Copilot AI Aug 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Granting wildcard permissions (*) for core resources including secrets is a security concern as it provides excessive access to sensitive data. Consider limiting to specific operations required for ML functionality.

Suggested change
verbs: [ "*" ]
verbs:
- "get"
- "list"
- "watch"

Copilot uses AI. Check for mistakes.
@ajanikow ajanikow merged commit a330c4b into master Aug 11, 2025
4 checks passed
@ajanikow ajanikow deleted the feature/platform/add_required_roles branch August 11, 2025 11:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jwierzbo jwierzbo jwierzbo approved these changes

Assignees

No one assigned

Labels

cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ajanikow @jwierzbo