fix(rbac): sync agent ClusterRole with helm chart #378

Merged: musa-asad merged 1 commit into main from fix/remove-cluster-configmap-get on May 7, 2026
Conversation

@musa-asad
Contributor

@musa-asad musa-asad commented Apr 30, 2026

Problem

The operator's config/rbac/agent_role.yaml (the ClusterRole applied to the CloudWatch Agent) was out of sync with the helm chart's cloudwatch-agent-clusterrole.yaml. Several resources and rules present in the helm chart were missing from the operator.

Solution

Rewrite agent_role.yaml to match the helm chart's ClusterRole, plus retain the cwagent-clusterleader named resource rule for leader election (since the kustomize path has no separate namespace-scoped Role).

Changes

| Difference | Before (operator) | After |
| --- | --- | --- |
| Pod logs | missing | pods/logs added |
| Node proxy | separate rule | merged into main rule |
| Ingresses | missing | networking.k8s.io/ingresses added |
| PVs/PVCs | missing | persistentvolumeclaims, persistentvolumes added |
| Configmaps | bundled with nodes/stats, events | separated into own rule with create, get |
| Leader election | cwagent-clusterleader named rule | retained (get, update) |

Testing

Unit: operator builds clean, no RBAC-dependent tests affected.
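
An added example, not part of this PR or the project's code: one way to catch this kind of drift is to compare two ClusterRoles by effective grant rather than by rule layout. The rule sets below are constructed samples loosely based on the Changes section (not the real file contents), the function names are hypothetical, and wildcard verbs/resources are assumed absent.

```python
from itertools import product

# Constructed sample rules; NOT the real contents of agent_role.yaml or
# cloudwatch-agent-clusterrole.yaml. Verbs are illustrative.
CHART_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/logs", "nodes/proxy"], "verbs": ["get"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"], "verbs": ["list"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create", "get"]},
]
OPERATOR_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},  # separate rule
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["cwagent-clusterleader"], "verbs": ["get", "update"]},
]

def expand(rules):
    """Flatten rules into (apiGroup, resource, resourceName, verb) grants."""
    grants = set()
    for r in rules:
        # No resourceNames means the grant applies to every object: record "*".
        names = r.get("resourceNames") or ["*"]
        grants.update(product(r.get("apiGroups", [""]), r["resources"], names, r["verbs"]))
    return grants

def covered(grant, grants):
    """A named grant is also satisfied by the same grant without a name limit."""
    group, resource, _name, verb = grant
    return grant in grants or (group, resource, "*", verb) in grants

def drift(operator_rules, chart_rules):
    """Return (grants the operator role lacks, grants only the operator role has)."""
    op, chart = expand(operator_rules), expand(chart_rules)
    missing = sorted(g for g in chart if not covered(g, op))
    extra = sorted(g for g in op if not covered(g, chart))
    return missing, extra

def unscoped_verbs(rules, resource):
    """Verbs granted on a resource cluster-wide, i.e. with no resourceNames limit."""
    return sorted({v for _g, res, name, v in expand(rules) if res == resource and name == "*"})

if __name__ == "__main__":
    missing, extra = drift(OPERATOR_RULES, CHART_RULES)
    for g in missing:
        print("missing from operator:", g)
    for g in extra:
        print("only in operator:     ", g)
    print("cluster-wide configmap verbs in chart:", unscoped_verbs(CHART_RULES, "configmaps"))
```

Moving nodes/proxy between rules produces no drift because grants are compared after flattening, while the named `update` on cwagent-clusterleader shows up as operator-only because an unnamed `get` does not cover it.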

@musa-asad musa-asad force-pushed the fix/remove-cluster-configmap-get branch from 9081f5c to 168c2c3 Compare April 30, 2026 05:15
@musa-asad musa-asad requested review from TravisStark and sky333999 May 4, 2026 03:59
@musa-asad musa-asad self-assigned this May 4, 2026
@musa-asad musa-asad marked this pull request as ready for review May 4, 2026 03:59
@musa-asad musa-asad changed the title fix(rbac): remove cluster-wide configmap get from CWAgent ClusterRole fix(rbac): sync agent ClusterRole with helm chart May 5, 2026
@musa-asad musa-asad force-pushed the fix/remove-cluster-configmap-get branch from 168c2c3 to adf7118 Compare May 5, 2026 16:39
Bring operator agent_role.yaml into parity with the helm chart's
cloudwatch-agent-clusterrole.yaml.

Changes:
- Add missing resources: pods/logs, nodes/proxy, ingresses, PVs/PVCs
- Separate configmaps into its own rule (blanket get)
- Remove redundant cwagent-clusterleader named configmap rule (covered
  by blanket get + namespace-scoped Role)
@musa-asad musa-asad force-pushed the fix/remove-cluster-configmap-get branch from adf7118 to 0f15bf8 Compare May 5, 2026 17:07
@musa-asad musa-asad marked this pull request as draft May 6, 2026 03:22
@musa-asad musa-asad removed the request for review from TravisStark May 6, 2026 13:51
@musa-asad musa-asad marked this pull request as ready for review May 6, 2026 13:54
@musa-asad musa-asad requested a review from Paamicky May 6, 2026 13:54
@musa-asad musa-asad requested review from okankoAMZ and removed request for Paamicky May 7, 2026 21:53
@okankoAMZ
Contributor

Can you add a link to the helm chart RBAC in the description?

@musa-asad musa-asad merged commit 359ce14 into main May 7, 2026
21 of 22 checks passed
@musa-asad musa-asad deleted the fix/remove-cluster-configmap-get branch May 7, 2026 22:09