Skip to content

vmagent and vmsingle: updated RBAC#2364

Open
AndrewChubatiuk wants to merge 1 commit into
masterfrom
update-rbac-for-vmagent-and-vlagent
Open

vmagent and vmsingle: updated RBAC#2364
AndrewChubatiuk wants to merge 1 commit into
masterfrom
update-rbac-for-vmagent-and-vlagent

Conversation

@AndrewChubatiuk

@AndrewChubatiuk AndrewChubatiuk commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

updated VMAgent and VMSingle RBAC:

  • with watchNamespace set create role/rolebinding per each namespace
  • remove configmap permissions
  • limit secrets permissions to secret with resource prefixed name and in a certain namespace

introduced VM_CLUSTERWIDE_RBAC_ALLOWED_NAMESPACES to set allowed namespaces, where CRs with cluster access can be created. right now it only throws warnings (temporary to avoid breaking changes) if not set and error if it's set, but resource that requires cluster wide permissions is deployed outside a list of allowed namespaces

@AndrewChubatiuk AndrewChubatiuk requested a review from vrutkovs as a code owner July 3, 2026 15:15
@AndrewChubatiuk AndrewChubatiuk force-pushed the update-rbac-for-vmagent-and-vlagent branch from c7ba94f to 4d7a12e Compare July 3, 2026 15:15

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found and verified against the latest diff

Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic

Comment thread internal/controller/operator/factory/vlagent/rbac.go Outdated
Comment thread internal/controller/operator/factory/vmagent/rbac.go Outdated
@AndrewChubatiuk AndrewChubatiuk force-pushed the update-rbac-for-vmagent-and-vlagent branch from 4d7a12e to 4c2f559 Compare July 3, 2026 15:41
if err := ensureCRBExist(ctx, rclient, cr, prevCR); err != nil {
return fmt.Errorf("cannot ensure state of vmagent's cluster role binding: %w", err)
}
// Secrets access must be namespace-scoped even in cluster-wide mode to prevent

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a breaking functional change - for instance, you can no longer reuse the same license across multiple namespaces

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's not, operator collects secrets from all scrape configurations and remote writes and writes them all together into a single secret. for license operator just mounts a secret to a pod, it means it already should be in the same namespace. no changes here

func buildRole(cr *vmv1beta1.VMAgent) *rbacv1.Role {
return &rbacv1.Role{
// buildRole builds the Role for ns.
// In cr's own namespace: includes the scoped secrets rule (for config-reloader) plus SD rules,

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would also be a functionally breaking change - a single VMAgent can't scrape targets across namespaces with secrets?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

watch namespace supports a list of namespaces, but currently vmagent can only access secrets in a namespace it resides, which is not valid.

// buildRole builds the Role for ns.
// In cr's own namespace: includes the scoped secrets rule (for config-reloader) plus SD rules,
// with an owner reference so K8s GC cleans it up.
// In any other watched namespace: SD rules only, no owner reference.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be problematic for garbage collector

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

well, same as other resources, namespaced resources have owner references, so even for some reason they were not removed they will be purged during CR removal

"nodes",
},
Verbs: []string{"get", "list", "watch"},
Resources: []string{"pods", "namespaces"},

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would still be a cluster-wide rule to access all pods in all namespaces

@AndrewChubatiuk AndrewChubatiuk Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, just removed nodes permissions if it's not needed.

actually removed these changes, nodes permissions are required unconditionally

@AndrewChubatiuk AndrewChubatiuk changed the title vmagent/vlagent: updated RBAC vmagent: updated RBAC Jul 3, 2026
@AndrewChubatiuk AndrewChubatiuk force-pushed the update-rbac-for-vmagent-and-vlagent branch 3 times, most recently from c5bf4ec to 1fcb2ba Compare July 4, 2026 05:46
@AndrewChubatiuk AndrewChubatiuk force-pushed the update-rbac-for-vmagent-and-vlagent branch from 1fcb2ba to d434323 Compare July 4, 2026 06:12
@AndrewChubatiuk AndrewChubatiuk changed the title vmagent: updated RBAC vmagent and vmsingle: updated RBAC Jul 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants