From 0f15bf84240a3e7afd57d410430cb0658a09b1f9 Mon Sep 17 00:00:00 2001
From: Musa Asad
Date: Tue, 5 May 2026 15:46:28 +0000
Subject: [PATCH] fix(rbac): sync agent ClusterRole with helm chart

Bring operator agent_role.yaml into parity with the helm chart's cloudwatch-agent-clusterrole.yaml.
Changes:
- Add missing resources: pods/logs, nodes/proxy, ingresses, PVs/PVCs
- Separate configmaps into its own rule (blanket get)
- Remove redundant cwagent-clusterleader named configmap rule (covered by blanket get + namespace-scoped Role)
---
 config/rbac/agent_role.yaml | 60 ++++++++++++++++++++-----------------
 1 file changed, 33 insertions(+), 27 deletions(-)

diff --git a/config/rbac/agent_role.yaml b/config/rbac/agent_role.yaml
index feb29bcaf..25a42ae3d 100644
--- a/config/rbac/agent_role.yaml
+++ b/config/rbac/agent_role.yaml
@@ -3,30 +3,36 @@ kind: ClusterRole
 metadata:
 name: agent-role
 rules:
- - apiGroups: [""]
- resources: ["pods", "nodes", "namespaces", "endpoints"]
- verbs: ["list", "watch", "get"]
- - apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["list", "watch", "get"]
- - apiGroups: [""]
- resources: ["services"]
- verbs: ["list", "watch"]
- - apiGroups: ["apps"]
- resources: ["replicasets", "daemonsets", "deployments", "statefulsets"]
- verbs: ["list", "watch", "get"]
- - apiGroups: ["batch"]
- resources: ["jobs"]
- verbs: ["list", "watch"]
- - apiGroups: [""]
- resources: ["nodes/proxy"]
- verbs: ["get"]
- - apiGroups: [""]
- resources: ["nodes/stats", "configmaps", "events"]
- verbs: ["create", "get"]
- - apiGroups: [""]
- resources: ["configmaps"]
- resourceNames: ["cwagent-clusterleader"]
- verbs: ["get","update"]
- - nonResourceURLs: ["/metrics"]
- verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["pods", "pods/logs", "nodes", "nodes/proxy", "namespaces", "endpoints"]
+ verbs: ["list", "watch", "get"]
+- apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["list", "watch", "get"]
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["list", "watch"]
+- apiGroups: ["apps"]
+ resources: ["replicasets", "daemonsets", "deployments", "statefulsets"]
+ verbs: ["list", "watch", "get"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["list", "watch", "get"]
+- apiGroups: [""]
+ resources: ["nodes/stats", "events"]
+ verbs: ["create", "get"]
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get"]
+- apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["cwagent-clusterleader"]
+ verbs: ["get", "update"]
+- apiGroups: [""]
+ resources: ["persistentvolumeclaims", "persistentvolumes"]
+ verbs: ["get", "list", "watch"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get", "list", "watch"]
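Review bot: In the first added rule, `pods/logs` does not name a core API subresource — pod logs are served under `pods/log` — so the entry as written grants nothing; change it to `"pods/log"` if the agent really reads logs through the API server, otherwise drop it. Folding `nodes/proxy` into that same rule also widens it from the old `verbs: ["get"]` to `list`/`watch`/`get` cluster-wide, and since `nodes/proxy` fronts the kubelet API on every node I would keep it in its own rule with `verbs: ["get"]` and confirm that `nodes/stats` alone is not enough. The commit message says the `cwagent-clusterleader` named rule is removed, but the new side still carries it with `["get", "update"]`; the blanket configmaps rule only grants `create`/`get`, so either the message or the manifest needs correcting. A short comment above each broad rule stating which agent feature needs it (for example `# required by <feature>: reads kubelet stats`) would make later least-privilege reviews easier.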