
Add read-only service account and namespace-scoped RBAC guides#2110

Open
Avi-Robusta wants to merge 6 commits into
masterfrom
claude/read-only-service-account-guide-stkig0

Conversation

@Avi-Robusta

Contributor

Summary

This PR adds comprehensive documentation for deploying Robusta with restricted RBAC configurations:

  1. Read-Only Service Account Guide (read-only-service-account.rst)

    • Explains use cases (prevent accidental modifications, compliance, audit-only mode)
    • Documents limitations (no auto-remediation, no pod restart, no node drain)
    • Provides complete customClusterRoleRules configuration for read-only mode
    • Includes verification and testing instructions
    • Lists all read-only compatible features (KRR, Popeye, log analysis, etc.)
  2. Namespace-Scoped RBAC Guide (rbac-namespace-scoping.rst)

    • Explains two patterns: single namespace SA with cluster-wide role, and multi-runner per namespace
    • Documents limitations of namespace-scoped access
    • Provides implementation examples for both patterns
    • Includes recommendations for different use cases
  3. OpenShift Capabilities Clarification (Updated openshift.rst)

    • Clarifies that SYS_PTRACE and SYS_ADMIN capabilities are OPTIONAL
    • Lists which features require privileged SCC (debugging playbooks only)
    • Lists which features work with baseline SCC (investigations, KRR, Popeye, etc.)
    • Helps users understand when privileged SCC is actually needed
  4. Navigation Updates (Updated index.rst)

    • Added new documentation pages to the table of contents

Test Plan

  • Documentation is clear and actionable
  • Code examples are copy-paste ready
  • YAML configurations are valid and tested against helm chart parameters
  • Limitations are clearly documented
  • Links and cross-references are correct

Notes

  • Read-only mode is fully supported via the existing runner.customClusterRoleRules Helm parameter
  • The guides clarify that KRR scans, Popeye scans, and other diagnostic features work in read-only mode
  • OpenShift capabilities clarification helps users avoid unnecessary privilege escalation
  • These guides address the request to prevent users from draining/restarting nodes while maintaining other functionality

Generated by Claude Code

- Create comprehensive guide for read-only service account mode using customClusterRoleRules
- Document namespace-scoped deployment patterns and limitations
- Clarify that OpenShift capabilities (SYS_PTRACE, SYS_ADMIN) are optional
- Add navigation links for new documentation pages
@github-actions

github-actions Bot commented Jul 1, 2026


Docker image ready for b23d106 (built in 32s)

⚠️ Warning: does not support ARM (ARM images are built on release only - not on every PR)

Use this tag to pull the image for testing.


⚠️ Temporary images are deleted after 30 days. Copy to a permanent registry before using them:

gcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:b23d106
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:b23d106 me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:b23d106
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:b23d106

Patch Helm values in one line:

helm upgrade --install robusta robusta/robusta \
  --reuse-values \
  --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:b23d106

@coderabbitai

coderabbitai Bot commented Jul 1, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9e2425d3-4bf3-4d39-8bee-fe22e6195dc0

📥 Commits

Reviewing files that changed from the base of the PR and between d6405fe and ca8f039.

📒 Files selected for processing (1)
  • docs/setup-robusta/index.rst
✅ Files skipped from review due to trivial changes (1)
  • docs/setup-robusta/index.rst

Walkthrough

Adds a new documentation page describing how to configure Robusta's runner in a read-only service account mode, links it into the setup TOC, clarifies OpenShift privileged SCC guidance, and introduces a runner.overrideClusterRoles Helm value that replaces built-in ClusterRole rules when set.

Changes

Setup documentation and RBAC override updates

Layer | File(s) | Summary
Runner RBAC override wiring | helm/robusta/values.yaml, helm/robusta/templates/runner-service-account.yaml | Adds runner.overrideClusterRoles value and updates the ClusterRole template to render its rules instead of built-in/custom rules when set.
Read-only service account guide | docs/setup-robusta/read-only-service-account.rst | New page explaining read-only runner mode, disabled features, overrideClusterRoles YAML example, Helm install steps, and post-install verification via `kubectl auth can-i`.
Setup index and OpenShift updates | docs/setup-robusta/index.rst, docs/setup-robusta/openshift.rst | Adds the new page to the setup TOC and clarifies OpenShift privileged SCC requirements, debug container capabilities, and Helm example.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: moshemorad

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main docs update around read-only RBAC, though it also mentions namespace-scoped guides not shown in the change summary.
Description check ✅ Passed The description is clearly about the same documentation and RBAC/OpenShift updates reflected in the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
docs/setup-robusta/rbac-namespace-scoping.rst (1)

6-23: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add concrete examples for both RBAC patterns.

This page only names the patterns; it never shows the Role/RoleBinding manifests or Helm values needed to implement them. Readers can't apply the guidance from prose alone.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/setup-robusta/rbac-namespace-scoping.rst` around lines 6 - 23, The RBAC
scoping guide only describes Pattern 1 and Pattern 2 in prose, so add concrete
implementation examples for both using the existing section structure in
rbac-namespace-scoping.rst. Include the actual Role/RoleBinding manifests and the
relevant Helm values or deployment settings for the namespace-scoped
ServiceAccount and for multiple runners per namespace, so readers can copy the
setup directly. Keep the examples aligned with the “Pattern 1” and “Pattern 2”
headings and show how to apply them in practice.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/setup-robusta/openshift.rst`:
- Around line 50-53: Remove the claim that the privileged container “must run as
root on the node” from the OpenShift setup text. Update the wording around the
runner service account and the python_debugger, java_debugger, and
node_disk_analyzer playbooks to reflect only the actual SCC requirements
(SYS_ADMIN/SYS_PTRACE and host access) unless a true root requirement is
explicitly documented elsewhere. Keep the guidance aligned with the existing
setup section in openshift.rst and the playbook names referenced there.

In `@docs/setup-robusta/read-only-service-account.rst`:
- Around line 43-67: The default read-only RBAC sample still includes
non-read-only and sensitive permissions. Update the Kubernetes resource list in
the read-only service account example to remove `secrets` and `pods/exec`,
keeping the rest of the `apiGroups`, `resources`, and `verbs` aligned with a
true least-privilege read-only role.
- Around line 35-36: The description of customClusterRoleRules overstates its
effect; it does not fully replace all ClusterRole rules because the chart still
appends built-in baseline rules afterward. Update the wording in the read-only
service account docs to reflect that this parameter only overrides the
customizable rule block, and make sure the explanation near
customClusterRoleRules clearly mentions the default baseline rules remain added
by the chart.

---

Nitpick comments:
In `@docs/setup-robusta/rbac-namespace-scoping.rst`:
- Around line 6-23: The RBAC scoping guide only describes Pattern 1 and Pattern
2 in prose, so add concrete implementation examples for both using the existing
section structure in rbac-namespace-scoping.rst. Include the actual
Role/RoleBinding manifests and the relevant Helm values or deployment settings
for the namespace-scoped ServiceAccount and for multiple runners per namespace,
so readers can copy the setup directly. Keep the examples aligned with the
“Pattern 1” and “Pattern 2” headings and show how to apply them in practice.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8271b335-5e74-4e04-b8ab-7ef2f1d794e2

📥 Commits

Reviewing files that changed from the base of the PR and between a940953 and a994e20.

📒 Files selected for processing (4)
  • docs/setup-robusta/index.rst
  • docs/setup-robusta/openshift.rst
  • docs/setup-robusta/rbac-namespace-scoping.rst
  • docs/setup-robusta/read-only-service-account.rst
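As an added illustration of the review point above (the read-only sample must not carry `secrets` or `pods/exec`, and verbs must stay at get/list/watch), here is a small Python audit of a rules list together with a hardened copy; it is not part of the PR or the Robusta chart, and the sample rules are constructed to mirror the apiGroups/resources/verbs shape of a `runner.overrideClusterRoles` value, not the chart's real defaults.

```python
"""Static audit of a runner ClusterRole rule list for read-only hygiene."""
from typing import Dict, List

# Verbs a read-only role may grant; anything else is a write or escalation path.
READ_ONLY_VERBS = {"get", "list", "watch"}
# Resources flagged in the review as out of place in a read-only role, plus the
# sibling pod subresources that grant the same kind of interactive access.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "pods/attach", "pods/portforward"}

# Constructed sample in the shape of a rules list (apiGroups / resources / verbs),
# deliberately containing the two problems the review called out. Not the chart's defaults.
SAMPLE_RULES: List[Dict[str, List[str]]] = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "events", "secrets", "pods/exec"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"],
     "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
]


def audit_rules(rules: List[Dict[str, List[str]]]) -> List[str]:
    """Return human-readable findings; an empty list means the rule set is read-only."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs or "*" in resources or "*" in rule.get("apiGroups", []):
            findings.append(f"rule {i}: wildcard grants everything in scope")
        for verb in sorted(verbs - READ_ONLY_VERBS):
            findings.append(f"rule {i}: non-read verb '{verb}' on {sorted(resources)}")
        for res in sorted(resources & SENSITIVE_RESOURCES):
            findings.append(f"rule {i}: sensitive resource '{res}'")
    return findings


def harden(rules: List[Dict[str, List[str]]]) -> List[Dict[str, List[str]]]:
    """Return a read-only copy: drop sensitive resources and non-read verbs, skip emptied rules."""
    hardened = []
    for rule in rules:
        resources = [r for r in rule.get("resources", []) if r not in SENSITIVE_RESOURCES and r != "*"]
        verbs = [v for v in rule.get("verbs", []) if v in READ_ONLY_VERBS]
        if resources and verbs:
            hardened.append({"apiGroups": list(rule.get("apiGroups", [])),
                             "resources": resources, "verbs": verbs})
    return hardened


if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES):
        print(line)
```

The audit is a static check on the values file; it complements rather than replaces the `kubectl auth can-i` verification the guide describes, which tests what the API server actually grants.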

- Add runner.overrideClusterRoles: when set, its rules fully replace the built-in runner ClusterRole rules (read-only mode); customClusterRoleRules keeps its additive behavior.

- Rewrite RBAC docs to use overrideClusterRoles, tighten the read-only sample (drop pods/exec + secrets), and fix verification commands.

- Correct the OpenShift privileged SCC root claim (RunAsAny permits but does not mandate root).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/setup-robusta/rbac-namespace-scoping.rst`:
- Around line 32-34: The RBAC namespace-scoping wording in the documentation
incorrectly labels events as cluster-scoped; update the sentence in the affected
paragraph to distinguish the two limits clearly. Reword it so that only
cluster-scoped resources such as nodes and persistentvolumes are described as
unavailable, and state that events remain namespaced and are visible only in the
namespaces bound by the role. Keep the change localized to the namespace-scoping
section and preserve the existing message about tools that rely on cluster-wide
data.
- Line 41: Update the Holmes service account example to use the Helm release
name rather than the hardcoded robusta prefix. In the RBAC namespace scoping
docs, adjust the SA reference near the Holmes service account example so it
matches the default holmes naming pattern from the chart ({{ .Release.Name
}}-holmes-service-account), or present it as
<release-name>-holmes-service-account / a lookup command. Keep the example
consistent with the holmes service account template and avoid implying it only
works for a robusta release.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 17115980-f663-4012-99ab-a5a2656f9034

📥 Commits

Reviewing files that changed from the base of the PR and between a994e20 and 3d7bfe9.

📒 Files selected for processing (5)
  • docs/setup-robusta/openshift.rst
  • docs/setup-robusta/rbac-namespace-scoping.rst
  • docs/setup-robusta/read-only-service-account.rst
  • helm/robusta/templates/runner-service-account.yaml
  • helm/robusta/values.yaml
✅ Files skipped from review due to trivial changes (2)
  • docs/setup-robusta/openshift.rst
  • docs/setup-robusta/read-only-service-account.rst

Avi-Robusta and others added 4 commits July 1, 2026 16:54
Make the guide self-complete: show the helm upgrade command and note it can be combined with the read-only runner.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>