Merge pull request #541 from kubescape/bump

update storage and rbac permissions
kubescape · Nov 22, 2024 · 8b33bba · 8b33bba
2 parents b720039 + f4c4f2f
commit 8b33bba
Show file tree

Hide file tree

Showing 5 changed files with 782 additions and 1,033 deletions.
diff --git a/charts/kubescape-operator/Chart.yaml b/charts/kubescape-operator/Chart.yaml
@@ -9,14 +9,14 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.23.0
+version: 1.23.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 
-appVersion: 1.23.0
+appVersion: 1.23.1
 
 maintainers:
 - name: Ben Hirschberg

diff --git a/charts/kubescape-operator/templates/storage/clusterrole.yaml b/charts/kubescape-operator/templates/storage/clusterrole.yaml
@@ -8,30 +8,12 @@ metadata:
     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
 rules:
 - apiGroups: [""]
-  resources: ["configmaps", "endpoints", "namespaces", "nodes", "persistentvolumeclaims", "persistentvolumes", "pods", "secrets", "serviceaccounts", "services"]
-  verbs: ["get", "watch", "list"]
-- apiGroups: ["admissionregistration.k8s.io"]
-  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
-  verbs: ["get", "watch", "list"]
-- apiGroups: ["apiregistration.k8s.io"]
-  resources: ["apiservices"]
+  resources: ["pods", "services"]
   verbs: ["get", "watch", "list"]
 - apiGroups: ["apps"]
   resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
   verbs: ["get", "watch", "list"]
 - apiGroups: ["batch"]
   resources: ["cronjobs", "jobs"]
   verbs: ["get", "watch", "list"]
-- apiGroups: ["coordination.k8s.io"]
-  resources: ["leases"]
-  verbs: ["get", "watch", "list"]
-- apiGroups: ["discovery.k8s.io"]
-  resources: ["endpointslices"]
-  verbs: ["get", "watch", "list"]
-- apiGroups: ["flowcontrol.apiserver.k8s.io"]
-  resources: ["prioritylevelconfigurations", "flowschemas"]
-  verbs: ["get", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
-  verbs: ["get", "watch", "list"]
 {{- end }}
diff --git a/charts/kubescape-operator/templates/storage/deployment.yaml b/charts/kubescape-operator/templates/storage/deployment.yaml
@@ -1,4 +1,5 @@
 {{- $components := fromYaml (include "components" .) }}
+{{- $configurations := fromYaml (include "configurations" .) }}
 {{- if $components.storage.enabled }}
 apiVersion: apps/v1
 kind: Deployment
@@ -72,6 +73,10 @@ spec:
           - name: OTEL_COLLECTOR_SVC
             value: "otel-collector:4317"
           {{- end }}
+          {{- if $configurations.submit }}
+          - name: DISABLE_VIRTUAL_CRDS
+            value: "true"
+          {{- end }}
         volumeMounts:
           - name: "data"
             mountPath: "/data"