Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add additional k8s rbac resources #514

Merged
merged 1 commit into from
Feb 6, 2019
Merged

Add additional k8s rbac resources #514

merged 1 commit into from
Feb 6, 2019

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Feb 1, 2019

Falco also needs to list/watch replicasets, daemonsets, and deployments,
so add them to the resources list.

Falco also needs to list/watch replicasets, daemonsets, and deployments,
so add them to the resources list.
@@ -15,7 +15,7 @@ metadata:
role: security
rules:
- apiGroups: ["extensions",""]
resources: ["nodes","namespaces","pods","replicationcontrollers","services","events","configmaps"]
resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
Copy link
Contributor

@JPLachance JPLachance Feb 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

replicasets, daemonsets and deployments are now in the apps API group. I think we need to extend the apiGroups array with apps for this change to work 🙂

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh yes, right. I think I'm just going to sync this up with the commercial agent's rbac config, which is structured differently. Let me spend some time to do that.

@mstemm
Copy link
Contributor Author

mstemm commented Feb 4, 2019

@JPLachance pointed out that many resources e.g. deployments/daemonsets/replicasets are also available via the apps/v1 endpoint. The k8s metadata code in oss sysdig (which is used by oss falco) still uses the extensions/v1beta1 endpoints. Eventually those endpoints will go away, so the sysdig code will need to switch to the new endpoints.

@mstemm
Copy link
Contributor Author

mstemm commented Feb 4, 2019

Filed draios/sysdig#1308 on sysdig to track updating it to use the new endpoints.

Copy link
Contributor

@JPLachance JPLachance left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since Sysdig does not support the apps/v1 endpoint yet, this PR works just fine!

@mstemm
Copy link
Contributor Author

mstemm commented Feb 6, 2019

Checked with how we do our internal RBAC and these choices are correct given the paths we use, so merging.

@mstemm mstemm merged commit bd4c3ff into dev Feb 6, 2019
@fntlnz fntlnz deleted the add-addl-rbac-resources branch April 7, 2020 14:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants