[newrelic-infra-operator] Add some comments about RBAC rules
So it is easier to figure out why certain rules are needed.

Signed-off-by: Mateusz Gozdek <[email protected]>
invidian committed May 7, 2021
1 parent 366356e commit 7dfd2e6
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion charts/newrelic-infra-operator/templates/clusterrole.yaml
@@ -19,23 +19,27 @@ metadata:
labels:
{{- include "newrelic-infra-operator.labels" . | nindent 4 }}
rules:
{{/* Allow creating and updating secrets with license key for infra agent. */ -}}
- apiGroups: [""]
resources:
- "secrets"
verbs: ["get", "update", "patch"]
resourceNames: [{{ template "newrelic-infra-operator.fullname" . }}-config]
{{/* resourceNames used above do not support "create" verb. */ -}}
- apiGroups: [""]
resources:
- "secrets"
verbs: ["create"]
{{/* "list" and "watch" are required for controller-runtime caching. */ -}}
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterrolebindings"]
verbs: ["list", "watch", "get"]
{{/* Our controller needs permission to add the ServiceAccounts from the user to the -infra-agent CRB */ -}}
{{/* Our controller needs permission to add the ServiceAccounts from the user to the -infra-agent CRB. */ -}}
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterrolebindings"]
verbs: ["update"]
resourceNames: [{{ template "newrelic-infra-operator.fullname" . }}-infra-agent]
{{- /* Controller must have permissions it will grant to other ServiceAccounts. */ -}}
{{- include "newrelic-infra-operator.infra-agent-monitoring-rules" . | nindent 2 }}
---
{{/* infra-agent is the ClusterRole to be used by the injected agents to get metrics */}}
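Review bot: The comment above the first secrets rule says "Allow creating and updating secrets", but that rule grants only "get", "update" and "patch"; "create" comes from the following rule, which carries no resourceNames and is therefore not limited to the -config secret. Consider rewording the first comment to describe reading and updating the named secret, and extending the second comment to say that the create permission applies to secrets of any name, so a reader sees the scope actually granted rather than only the reason resourceNames is absent. The comment on the first clusterrolebindings rule explains "list" and "watch" but not "get", which is also in its verbs list. The last comment uses the {{- /* ... */ -}} form while the others use {{/* ... */ -}}; use one form throughout unless the difference in whitespace trimming is intended.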