Skip to content

fix(rbac): sync agent ClusterRole with helm chart#378

Draft
musa-asad wants to merge 1 commit intomainfrom
fix/remove-cluster-configmap-get
Draft

fix(rbac): sync agent ClusterRole with helm chart#378
musa-asad wants to merge 1 commit intomainfrom
fix/remove-cluster-configmap-get

Conversation

@musa-asad
Copy link
Copy Markdown
Contributor

@musa-asad musa-asad commented Apr 30, 2026
edited
Loading

Problem

The operator's config/rbac/agent_role.yaml (the ClusterRole applied to the CloudWatch Agent) was out of sync with the helm chart's cloudwatch-agent-clusterrole.yaml. Several resources and rules present in the helm chart were missing from the operator.

Solution

Rewrite agent_role.yaml to match the helm chart's ClusterRole, plus retain the cwagent-clusterleader named resource rule for leader election (since the kustomize path has no separate namespace-scoped Role).

Changes

Difference Before (operator) After
Pod logs missing pods/logs added
Node proxy separate rule merged into main rule
Ingresses missing networking.k8s.io/ingresses added
PVs/PVCs missing persistentvolumeclaims, persistentvolumes added
Configmaps bundled with nodes/stats, events separated into own rule with create, get
Leader election cwagent-clusterleader named rule retained (get, update)

Testing

Unit: operator builds clean, no RBAC-dependent tests affected.

@musa-asad musa-asad force-pushed the fix/remove-cluster-configmap-get branch from 9081f5c to 168c2c3 Compare April 30, 2026 05:15
@musa-asad musa-asad requested review from TravisStark and sky333999 May 4, 2026 03:59
@musa-asad musa-asad self-assigned this May 4, 2026
@musa-asad musa-asad marked this pull request as ready for review May 4, 2026 03:59
@musa-asad musa-asad changed the title fix(rbac): remove cluster-wide configmap get from CWAgent ClusterRole fix(rbac): sync agent ClusterRole with helm chart May 5, 2026
@musa-asad musa-asad force-pushed the fix/remove-cluster-configmap-get branch from 168c2c3 to adf7118 Compare May 5, 2026 16:39
@musa-asad
fix(rbac): sync agent ClusterRole with helm chart
0f15bf8 
Bring operator agent_role.yaml into parity with the helm chart's
cloudwatch-agent-clusterrole.yaml.

Changes:
- Add missing resources: pods/logs, nodes/proxy, ingresses, PVs/PVCs
- Separate configmaps into its own rule (blanket get)
- Remove redundant cwagent-clusterleader named configmap rule (covered
  by blanket get + namespace-scoped Role)
@musa-asad musa-asad force-pushed the fix/remove-cluster-configmap-get branch from adf7118 to 0f15bf8 Compare May 5, 2026 17:07
@musa-asad musa-asad mentioned this pull request May 5, 2026
Open
@musa-asad musa-asad marked this pull request as draft May 6, 2026 03:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TravisStark TravisStark Awaiting requested review from TravisStark

@sky333999 sky333999 Awaiting requested review from sky333999

At least 2 approving reviews are required to merge this pull request.

Assignees

@musa-asad musa-asad

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@musa-asad