Merged
Changes from 1 commit
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -1,6 +1,7 @@
# Change Log

## [master](https://github.com/arangodb/kube-arangodb/tree/master) (N/A)
- (Feature) Enable ML Operator and add required Platform Roles

## [1.3.0](https://github.com/arangodb/kube-arangodb/tree/1.3.0) (2025-08-01)
- (Feature) (Platform) Storage Debug
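Review bot: the entry "Enable ML Operator and add required Platform Roles" understates what this commit changes for anyone auditing an upgrade: the platform-operator Role gains wildcard verbs on roles, rolebindings, secrets, serviceaccounts, pods, services, statefulsets, jobs and cronjobs, and the enterprise charts flip `ml` to `true` by default. Consider naming the added API groups and the default change in the changelog line so the permission widening is discoverable from the release notes.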
23 changes: 23 additions & 0 deletions chart/kube-arangodb-arm64/templates/platform-operator/role.yaml
@@ -22,5 +22,28 @@ rules:
- "arangoplatformservices"
- "arangoplatformservices/status"
verbs: ["*"]
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "roles"
- "rolebindings"
verbs: [ "*" ]
- apiGroups:
- "batch"
resources:
- "cronjobs"
- "jobs"
verbs: [ "*" ]
- apiGroups: [ "apps" ]
resources:
- "statefulsets"
verbs: [ "*" ]
- apiGroups: [ "" ]
resources:
- "pods"
- "secrets"
- "services"
- "serviceaccounts"
verbs: [ "*" ]
{{- end }}
{{- end }}
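Review bot: `verbs: [ "*" ]` on `roles` and `rolebindings` (the first new block after `arangoplatformservices/status`) is broader than it looks: in Kubernetes RBAC the wildcard also covers the `escalate` and `bind` verbs, which switch off the API server's escalation check, so a compromised operator pod could write a Role or RoleBinding granting permissions the operator itself does not hold. List the verbs the ML operator actually needs, for example `verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]`, and keep `escalate` and `bind` out unless a documented flow requires them.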
@@ -22,5 +22,28 @@ rules:
- "arangoplatformservices"
- "arangoplatformservices/status"
verbs: ["*"]
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "roles"
- "rolebindings"
verbs: [ "*" ]
- apiGroups:
- "batch"
resources:
- "cronjobs"
- "jobs"
verbs: [ "*" ]
- apiGroups: [ "apps" ]
resources:
- "statefulsets"
verbs: [ "*" ]
- apiGroups: [ "" ]
resources:
- "pods"
- "secrets"
- "services"
- "serviceaccounts"
verbs: [ "*" ]
{{- end }}
{{- end }}
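Review bot: the file path for this hunk did not render on the page, so it is unclear which chart variant it belongs to; please confirm it in the PR description. On content, `verbs: [ "*" ]` for `secrets` in the `""` group grants read and write on every Secret in the namespace, not only the ones the ML operator creates, and `list`/`watch` cannot be narrowed with `resourceNames`. If the operator only manages its own Secrets, enumerate the verbs it needs and add a comment above the rule explaining why `secrets` and `serviceaccounts` are required at all, so the next reviewer does not have to reverse-engineer it.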
2 changes: 1 addition & 1 deletion chart/kube-arangodb-enterprise-arm64/values.yaml
@@ -33,7 +33,7 @@ operator:
backup: false
apps: false
k8sToK8sClusterSync: false
ml: false
ml: true
analytics: false
networking: true
scheduler: true
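Review bot: flipping `ml` from `false` to `true` in this chart's default values means every install or upgrade with default values now runs the ML operator and renders the widened platform-operator Role, including clusters that never use ML, while the neighbouring features (`backup`, `apps`, `k8sToK8sClusterSync`, `analytics`) stay opt-in. Consider leaving `ml` opt-in like those, or at least calling the new default out in the chart README and upgrade notes.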
@@ -22,5 +22,28 @@ rules:
- "arangoplatformservices"
- "arangoplatformservices/status"
verbs: ["*"]
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "roles"
- "rolebindings"
verbs: [ "*" ]
- apiGroups:
- "batch"
resources:
- "cronjobs"
- "jobs"
verbs: [ "*" ]
- apiGroups: [ "apps" ]
resources:
- "statefulsets"
verbs: [ "*" ]
- apiGroups: [ "" ]
resources:
- "pods"
- "secrets"
- "services"
- "serviceaccounts"
verbs: [ "*" ]
{{- end }}
{{- end }}
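Review bot: this is the third verbatim copy of the same 23 rule lines on this page (the file path for this one did not render either), which makes drift between chart variants likely the next time a verb list is tightened. Consider moving the platform-operator rules into one named template that each chart includes, so a change such as replacing `verbs: [ "*" ]` with an explicit list only has to be made and reviewed once.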
2 changes: 1 addition & 1 deletion chart/kube-arangodb-enterprise/values.yaml
@@ -33,7 +33,7 @@ operator:
backup: false
apps: false
k8sToK8sClusterSync: false
ml: false
ml: true
analytics: false
networking: true
scheduler: true
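Review bot: same default flip as in the arm64 enterprise chart. Note that on this page only the two enterprise `values.yaml` files change, while all four `role.yaml` templates gain the new rules; the closing `{{- end }}` lines suggest the rules are rendered conditionally, but the opening condition is outside the hunk. Please confirm that the community charts keep `ml` off and that the block is gated on that value, so the broad Role is not rendered where the feature is disabled.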
23 changes: 23 additions & 0 deletions chart/kube-arangodb/templates/platform-operator/role.yaml
@@ -22,5 +22,28 @@ rules:
- "arangoplatformservices"
- "arangoplatformservices/status"
verbs: ["*"]
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "roles"
- "rolebindings"
verbs: [ "*" ]
Copilot AI Aug 11, 2025

Granting wildcard permissions (*) for RBAC resources (roles and rolebindings) poses a significant security risk as it allows the operator to escalate privileges. Consider using specific verbs like ["get", "list", "create", "update", "patch", "delete"] instead of "*".

Suggested change
verbs: [ "*" ]
verbs: [ "get", "list", "create", "update", "patch", "delete" ]
- apiGroups:
- "batch"
resources:
- "cronjobs"
- "jobs"
verbs: [ "*" ]
Copilot AI Aug 11, 2025
Using wildcard permissions (*) for batch resources is overly permissive. Consider limiting to specific operations needed for ML workloads like ["get", "list", "create", "update", "patch", "delete", "watch"].

Suggested change
verbs: [ "*" ]
verbs: [ "get", "list", "create", "update", "patch", "delete", "watch" ]
- apiGroups: [ "apps" ]
resources:
- "statefulsets"
verbs: [ "*" ]
Copilot AI Aug 11, 2025
Wildcard permissions (*) for StatefulSets should be restricted to only the necessary operations. Consider using specific verbs like ["get", "list", "create", "update", "patch", "delete", "watch"].

Suggested change
verbs: [ "*" ]
verbs: [ "get", "list", "create", "update", "patch", "delete", "watch" ]
- apiGroups: [ "" ]
resources:
- "pods"
- "secrets"
- "services"
- "serviceaccounts"
verbs: [ "*" ]
Copilot AI Aug 11, 2025
Granting wildcard permissions (*) for core resources including secrets is a security concern as it provides excessive access to sensitive data. Consider limiting to specific operations required for ML functionality.

Suggested change
verbs: [ "*" ]
verbs:
- "get"
- "list"
- "watch"
{{- end }}
{{- end }}
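Review bot: the four inline suggestions above are each right that `verbs: [ "*" ]` is too broad, but taken as written they are inconsistent with each other: the first list omits `watch`, which a controller driven by informers needs on `roles`/`rolebindings`, and the last drops every write verb on `pods`, `secrets`, `services` and `serviceaccounts`, which the operator presumably needs to create the ML workload's resources. Settle on one explicit verb list per resource that reflects what the ML operator actually does, apply the same list in all four `role.yaml` copies, and add a short comment above each rule stating why that resource is required.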