Robusta can't track secrets changes #1467

Closed
Meeki1 opened this issue Jun 20, 2024 · 7 comments

Comments


Meeki1 commented Jun 20, 2024

Is your feature request related to a problem?
I'm trying to set up kubewatch to track secrets changes.
I added role and role-binding for robusta-forwarder-service-account:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: infra-test
  name: read-secrets-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: infra-test
  name: read-secrets-role-binding
subjects:
- kind: ServiceAccount
  name: robusta-forwarder-service-account
  namespace: infra-robusta
roleRef:
  kind: Role
  name: read-secrets-role
  apiGroup: rbac.authorization.k8s.io

I created a custom playbook:

name: UpdateSecret
triggers:
  - on_kubernetes_any_resource_all_changes:
      name_prefix: test-secret
      namespace_prefix: infra-test
actions:
  - create_finding:
      title: "resource $name in namespace $namespace was updated"
      aggregation_key: resource_modified
sinks:
  - robusta-alerts-stage

And added some lines to the chart:

kubewatch:
  config:
    namespace: infra-test
    resource:
      secret: true

I received an error:

Traceback (most recent call last):
  File "/app/src/robusta/core/playbooks/playbooks_event_handler_impl.py", line 61, in handle_trigger
    execution_event.sink_findings = sink_findings
AttributeError: 'NoneType' object has no attribute 'sink_findings'

Describe the solution you'd like
I want to be able to track secrets changes. It may not be necessary to grant read permissions to secrets. Watch permissions should be enough, I think.

Additional context
Robusta chart 0.13.0


tpaz1 commented Aug 25, 2024

Hi, does it work for you? Seeking to achieve the same exact thing.

@arikalon1 (Contributor)

hey @tpaz1

What exactly are you trying to achieve?


tpaz1 commented Aug 27, 2024

I want Robusta to be able to track secret patching, deletion, etc.
What I see now is that it is not part of the supported resources in the Docs.

@arikalon1 (Contributor)

thanks @tpaz1

We added it on #1499 (we need to add the new triggers to the docs)

You should be able to do it now. You need to:

  1. Give Kubewatch the permission to read secrets:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # ClusterRole is cluster-scoped, so it carries no namespace
  name: read-secrets-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-secrets-role-binding
subjects:
- kind: ServiceAccount
  name: robusta-forwarder-service-account
  namespace: infra-robusta
roleRef:
  kind: ClusterRole
  name: read-secrets-role
  apiGroup: rbac.authorization.k8s.io

  2. Configure Kubewatch to monitor secrets. Add to Robusta's generated_values.yaml:

kubewatch:
  config:
    namespace: infra-test
    resource:
      secret: true

  3. Configure the playbook that sends a notification when a secret changes. Add to Robusta's generated_values.yaml:

customPlaybooks:
- triggers:
  - on_secret_all_changes: {}
  actions:
  - create_finding:
      title: "Secret $name in namespace $namespace was changed"
      aggregation_key: SecretModified

This will send a notification when any secret in the cluster is created/updated/deleted
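
Added example, not Robusta's code or anything posted in this thread: it takes the RBAC objects from the two approaches above (transcribed into Python dicts so it runs without a YAML library) and computes in which scope the forwarder's service account can act on Secrets, so the difference between the reporter's namespaced grant and the cluster-wide grant in this answer is visible before either is applied. Names and verbs are the thread's; the functions are hypothetical helpers.

```python
# Added example (not Robusta's code): evaluate which Secret verbs the RBAC in this
# thread grants the forwarder service account, and in what scope, before it is applied.
from typing import Dict, List

SECRET_VERBS = {"get", "list", "watch"}

def _secret_verbs(rule: dict) -> set:
    """Verbs a single RBAC rule grants on core-group Secrets ('*' wildcards expand)."""
    if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
        return set()
    if not any(r in ("secrets", "*") for r in rule.get("resources", [])):
        return set()
    verbs = set(rule.get("verbs", []))
    return set(SECRET_VERBS) if "*" in verbs else verbs & SECRET_VERBS

def secret_access_scope(manifests: List[dict], sa_ns: str, sa_name: str) -> Dict[str, set]:
    """Map 'cluster' or 'namespace:<ns>' to the Secret verbs the service account holds.
    A RoleBinding (to a Role or a ClusterRole) only grants inside its own namespace;
    only a ClusterRoleBinding yields cluster-wide access."""
    roles = {(m["kind"], m["metadata"].get("namespace"), m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    scope: Dict[str, set] = {}
    for b in (m for m in manifests if m["kind"] in ("RoleBinding", "ClusterRoleBinding")):
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_ns for s in b.get("subjects", [])):
            continue  # this binding is for a different subject
        ref, ns = b["roleRef"], b["metadata"].get("namespace")
        role = roles.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        verbs = set().union(*(_secret_verbs(r) for r in (role or {}).get("rules", [])))
        if verbs:
            key = "cluster" if b["kind"] == "ClusterRoleBinding" else f"namespace:{ns}"
            scope.setdefault(key, set()).update(verbs)
    return scope

# Constructed from the thread's manifests: the namespaced pair and the cluster-wide pair
# (a ClusterRole is cluster-scoped, so its metadata carries no namespace).
SA_NS, SA_NAME = "infra-robusta", "robusta-forwarder-service-account"
SUBJECTS = [{"kind": "ServiceAccount", "name": SA_NAME, "namespace": SA_NS}]
RULES = [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]
NAMESPACED = [
    {"kind": "Role", "metadata": {"namespace": "infra-test", "name": "read-secrets-role"}, "rules": RULES},
    {"kind": "RoleBinding", "metadata": {"namespace": "infra-test", "name": "read-secrets-role-binding"},
     "subjects": SUBJECTS, "roleRef": {"kind": "Role", "name": "read-secrets-role"}},
]
CLUSTER_WIDE = [
    {"kind": "ClusterRole", "metadata": {"name": "read-secrets-role"}, "rules": RULES},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-role-binding"},
     "subjects": SUBJECTS, "roleRef": {"kind": "ClusterRole", "name": "read-secrets-role"}},
]
```

Running `secret_access_scope(NAMESPACED, SA_NS, SA_NAME)` reports the grant confined to infra-test, while the CLUSTER_WIDE pair reports the same verbs under the "cluster" key, which is the scope to weigh against the kubewatch `namespace` filter that only limits what is watched, not what the account may read.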


tpaz1 commented Aug 28, 2024

Hi @arikalon1, thanks for the quick answer!
It works! This tool is amazing, so keep up your great work.

@arikalon1 (Contributor)

Thanks for the update @tpaz1, and for the kind words.
Closing the issue.
