From 8b414d5bdbba60bd4d07c34696182bc0e76750c9 Mon Sep 17 00:00:00 2001
From: Aryan-sharma11
Date: Mon, 12 Aug 2024 12:04:25 +0530
Subject: [PATCH 1/2] fix crio in CI

Signed-off-by: Aryan-sharma11
---
 contribution/self-managed-k8s/crio/install_crio.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contribution/self-managed-k8s/crio/install_crio.sh b/contribution/self-managed-k8s/crio/install_crio.sh
index 1fedb9ba01..d104dcf4b8 100755
--- a/contribution/self-managed-k8s/crio/install_crio.sh
+++ b/contribution/self-managed-k8s/crio/install_crio.sh
@@ -24,6 +24,7 @@ echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.i
 # install
 sudo apt-get update
 sudo apt-get install -y cri-o
+sudo dpkg -i --force-overwrite /var/cache/apt/archives/cri-o_*.deb
 
 # this option is not supported in ubuntu 18.04
 if [ "$VERSION_ID" == "18.04" ]; then

From 68bf042386eeafd2a76357019e224361f2a5c30f Mon Sep 17 00:00:00 2001
From: Aryan-sharma11
Date: Mon, 12 Aug 2024 16:20:12 +0530
Subject: [PATCH 2/2] update permissions required by kubearmor daemonset

Signed-off-by: Aryan-sharma11
---
 deployments/get/objects.go | 13 +++++++++----
 .../helm/KubeArmor/templates/RBAC/roles.yaml | 16 +++++++++-------
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/deployments/get/objects.go b/deployments/get/objects.go
index 102697604d..c7c5a44b2e 100644
--- a/deployments/get/objects.go
+++ b/deployments/get/objects.go
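Review bot: The added `dpkg -i --force-overwrite` line in install_crio.sh runs on every install and says nothing about which file conflict it works around, so cri-o is allowed to replace files owned by any other package without a record of why. A comment above it such as `# cri-o clashes with <package> over <path>; drop once the packaging is fixed` (placeholders to be filled in) would make the override reviewable. The glob `cri-o_*.deb` also matches every cached version and is passed literally if the cache is empty; if the override is only needed when apt fails, `sudo apt-get install -y cri-o || sudo dpkg -i --force-overwrite /var/cache/apt/archives/cri-o_*.deb` keeps it off the normal path. The script continues past this hunk, so whether a failure here aborts the run is not visible.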
@@ -43,18 +43,23 @@ func GetClusterRole() *rbacv1.ClusterRole {
 Rules: []rbacv1.PolicyRule{
 {
 APIGroups: []string{""},
- Resources: []string{"pods", "nodes", "namespaces", "configmaps"},
- Verbs: []string{"get", "patch", "list", "watch", "update"},
+ Resources: []string{"namespaces"},
+ Verbs: []string{"get", "list", "watch", "update"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"pods", "nodes", "configmaps"},
+ Verbs: []string{"get", "list", "watch"},
 },
 {
 APIGroups: []string{"apps"},
 Resources: []string{"deployments", "replicasets", "daemonsets", "statefulsets"},
- Verbs: []string{"get", "patch", "list", "watch", "update"},
+ Verbs: []string{"get", "list", "watch"},
 },
 {
 APIGroups: []string{"batch"},
 Resources: []string{"jobs", "cronjobs"},
- Verbs: []string{"get", "patch", "list", "watch", "update"},
+ Verbs: []string{"get", "list", "watch"},
 },
 {
 APIGroups: []string{"security.kubearmor.com"},
diff --git a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
index dc96cd7017..9d2a2b4e97 100644
--- a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
+++ b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
@@ -3,19 +3,25 @@ kind: ClusterRole
 metadata:
 name: kubearmor-clusterrole
 rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - update
 - apiGroups:
 - ""
 resources:
 - pods
 - nodes
- - namespaces
 - configmaps
 verbs:
 - get
- - patch
 - list
 - watch
- - update
 - apiGroups:
 - apps
 resources:
@@ -25,10 +31,8 @@ rules:
 - statefulsets
 verbs:
 - get
- - patch
 - list
 - watch
- - update
 - apiGroups:
 - batch
 resources:
@@ -36,10 +40,8 @@ rules:
 - cronjobs
 verbs:
 - get
- - patch
 - list
 - watch
- - update
 - apiGroups:
 - security.kubearmor.com
 resources:
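Review bot: The new `namespaces` rule in GetClusterRole still grants cluster-wide `update`, and nothing in the hunk says which write needs it, so a later reviewer cannot tell whether it can be narrowed further. I would add a comment above that rule, e.g. `// update: needed to <write performed on namespaces>; every other core resource is read-only`, and confirm no code path still patches namespaces now that `patch` is gone. The second rule keeps get/list/watch on `configmaps` in all namespaces; if the daemonset only reads its own ConfigMap, that access would fit a namespaced Role instead. Both points apply equally to the matching rules in templates/RBAC/roles.yaml, which has to be kept in sync with this list by hand. GetClusterRole begins above the hunk and its rule list continues below it.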