Introduce a restricted role for APM agent configuration #3155
ApmAgentUserRole: esclient.Role{ | ||
Cluster: []string{}, | ||
Indices: []esclient.IndexRole{}, | ||
Applications: []esclient.ApplicationRole{ |
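Review bot: ApmAgentUserRole sets Cluster and Indices to empty slices, and the visible lines carry no comment saying this is deliberate. A short doc comment on the role, stating that it grants application privileges only and why no cluster or index privileges are needed, would keep a later change from widening it by accident.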
lgtm 👍
fyi: In parallel I'm working on improving this by making this behaviour default for the `apm_user` role: elastic/elasticsearch#57201.
It might not be available until 8.0 (so still quite a long way out) but better than never.
LGTM, but let's also wait for feedback from @sqren
While working on the e2e tests I noticed that something seems to be broken in |
apm.Spec.KibanaRef = commonv1.ObjectSelector{Name: "kbname", Namespace: "kbns"} | ||
return serialize(t, apm) | ||
}, | ||
Check: test.ValidationWebhookFailed( | ||
`spec.kibanaRef: Forbidden: required version for Kibana association is 7.3.0 but desired version is 7.2.0`, | ||
`spec.kibanaRef: Forbidden: required version for Kibana association is 7.5.1 but desired version is 7.4.0`, |
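Review bot: the expected message passed to test.ValidationWebhookFailed in Check hard-codes the 7.5.1 requirement and only exercises a desired version of 7.4.0. If it is not covered elsewhere, add a case where the desired version is exactly 7.5.1 and the webhook accepts it, so the lower bound is pinned from both sides.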
Late nit: should read "minimum required version..."
Thanks for the feedback, I'll fix this as part of #3154
Late comment: I wonder if we want to update our compatibility docs. I think we might not have to since it was only GA in 7.5
While doing some manual testing with the APM Agent configuration I realized that the `kibana_user` role used in #3043 does not work for 7.3 and 7.4

This PR:

This PR has been tested with 7.5.2, 7.6.2 and 7.7.0