-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add additional k8s rbac resources #514
Conversation
Falco also needs to list/watch replicasets, daemonsets, and deployments, so add them to the resources list.
@@ -15,7 +15,7 @@ metadata: | |||
role: security | |||
rules: | |||
- apiGroups: ["extensions",""] | |||
resources: ["nodes","namespaces","pods","replicationcontrollers","services","events","configmaps"] | |||
resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
replicasets
, daemonsets
and deployments
are now in the apps
API group. I think we need to extend the apiGroups
array with apps
for this change to work 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh yes, right. I think I'm just going to sync this up with the commercial agent's rbac config, which is structured differently. Let me spend some time to do that.
@JPLachance pointed out that many resources e.g. deployments/daemonsets/replicasets are also available via the |
Filed draios/sysdig#1308 on sysdig to track updating it to use the new endpoints. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since Sysdig does not support the apps/v1
endpoint yet, this PR works just fine!
Checked with how we do our internal RBAC and these choices are correct given the paths we use, so merging. |
Falco also needs to list/watch replicasets, daemonsets, and deployments,
so add them to the resources list.