Add read-only service account and namespace-scoped RBAC guides #2110
Avi-Robusta wants to merge 6 commits into
- Create comprehensive guide for read-only service account mode using customClusterRoleRules
- Document namespace-scoped deployment patterns and limitations
- Clarify that OpenShift capabilities (SYS_PTRACE, SYS_ADMIN) are optional
- Add navigation links for new documentation pages
✅ Docker image ready for
Use this tag to pull the image for testing:

    gcloud auth configure-docker us-central1-docker.pkg.dev
    docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:b23d106
    docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:b23d106 me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:b23d106
    docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:b23d106

Patch Helm values in one line:

    helm upgrade --install robusta robusta/robusta \
      --reuse-values \
      --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:b23d106
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
No actionable comments were generated in the recent review.
Files selected for processing (1)
Files skipped from review due to trivial changes (1)
Walkthrough: Adds a new documentation page describing how to configure Robusta's runner in a read-only service account mode, links it into the setup TOC, clarifies OpenShift privileged SCC guidance, and introduces a
Changes: Setup documentation and RBAC override updates
Estimated code review effort: 2 (Simple) | ~10 minutes
Pre-merge checks: 5 passed
Actionable comments posted: 3
Nitpick comments (1)
docs/setup-robusta/rbac-namespace-scoping.rst (1)
Lines 6-23 (Maintainability & Code Quality | Trivial | Quick win): Add concrete examples for both RBAC patterns.
This page only names the patterns; it never shows the Role/RoleBinding manifests or Helm values needed to implement them. Readers can't apply the guidance from prose alone.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/setup-robusta/openshift.rst`:
- Around line 50-53: Remove the claim that the privileged container “must run as
root on the node” from the OpenShift setup text. Update the wording around the
runner service account and the python_debugger, java_debugger, and
node_disk_analyzer playbooks to reflect only the actual SCC requirements
(SYS_ADMIN/SYS_PTRACE and host access) unless a true root requirement is
explicitly documented elsewhere. Keep the guidance aligned with the existing
setup section in openshift.rst and the playbook names referenced there.
In `@docs/setup-robusta/read-only-service-account.rst`:
- Around line 43-67: The default read-only RBAC sample still includes
non-read-only and sensitive permissions. Update the Kubernetes resource list in
the read-only service account example to remove `secrets` and `pods/exec`,
keeping the rest of the `apiGroups`, `resources`, and `verbs` aligned with a
true least-privilege read-only role.
- Around line 35-36: The description of customClusterRoleRules overstates its
effect; it does not fully replace all ClusterRole rules because the chart still
appends built-in baseline rules afterward. Update the wording in the read-only
service account docs to reflect that this parameter only overrides the
customizable rule block, and make sure the explanation near
customClusterRoleRules clearly mentions the default baseline rules remain added
by the chart.
---
Nitpick comments:
In `@docs/setup-robusta/rbac-namespace-scoping.rst`:
- Around line 6-23: The RBAC scoping guide only describes Pattern 1 and Pattern
2 in prose, so add concrete implementation examples for both using the existing
section structure in rbac-namespace-scoping.rst. Include the actual
Role/RoleBinding manifests and the relevant Helm values or deployment settings
for the namespace-scoped ServiceAccount and for multiple runners per namespace,
so readers can copy the setup directly. Keep the examples aligned with the
“Pattern 1” and “Pattern 2” headings and show how to apply them in practice.
Files selected for processing (4):
- docs/setup-robusta/index.rst
- docs/setup-robusta/openshift.rst
- docs/setup-robusta/rbac-namespace-scoping.rst
- docs/setup-robusta/read-only-service-account.rst
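The review above asks for `secrets` and `pods/exec` to be dropped from a role that claims to be read-only. As an added example (not code from the Robusta chart or this PR), here is a small audit that flags exactly that class of problem in a list of RBAC PolicyRules, plus a helper that tightens the rules; the sample rule list is constructed for illustration, not the chart's own.

```python
"""Audit Kubernetes RBAC PolicyRules for a read-only, least-privilege role.

Constructed example, not part of the Robusta chart or this PR.
"""
from typing import Dict, List

READ_ONLY_VERBS = {"get", "list", "watch"}
# Resources a read-only role should still avoid: reading a Secret discloses
# credentials, and exec/attach/portforward are code-execution paths.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "pods/attach", "pods/portforward"}


def audit_rules(rules: List[Dict]) -> List[str]:
    """Return one finding per violation; an empty list means the rules are read-only."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups | resources | verbs:
            findings.append(f"rule {i}: wildcard grant is never least-privilege")
        for verb in sorted(verbs - READ_ONLY_VERBS - {"*"}):
            findings.append(f"rule {i}: verb '{verb}' is not read-only")
        for res in sorted(resources & SENSITIVE_RESOURCES):
            findings.append(f"rule {i}: sensitive resource '{res}' should be dropped")
    return findings


def tighten(rules: List[Dict]) -> List[Dict]:
    """Return a copy with sensitive resources removed and verbs reduced to read-only."""
    tightened = []
    for rule in rules:
        resources = [r for r in rule.get("resources", []) if r not in SENSITIVE_RESOURCES]
        verbs = [v for v in rule.get("verbs", []) if v in READ_ONLY_VERBS]
        if resources and verbs:  # drop rules that become empty
            tightened.append({**rule, "resources": resources, "verbs": verbs})
    return tightened


# Constructed sample shaped like the review finding: a "read-only" rule that
# still lists secrets and pods/exec, plus a stray write verb.
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "events", "secrets", "pods/exec"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "patch"]},
]

if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES):
        print(line)
    print("after tightening:", audit_rules(tighten(SAMPLE_RULES)) or "clean")
```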
- Add runner.overrideClusterRoles: when set, its rules fully replace the built-in runner ClusterRole rules (read-only mode); customClusterRoleRules keeps its additive behavior.
- Rewrite RBAC docs to use overrideClusterRoles, tighten the read-only sample (drop pods/exec + secrets), and fix verification commands.
- Correct the OpenShift privileged SCC root claim (RunAsAny permits but does not mandate root).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/setup-robusta/rbac-namespace-scoping.rst`:
- Around line 32-34: The RBAC namespace-scoping wording in the documentation
incorrectly labels events as cluster-scoped; update the sentence in the affected
paragraph to distinguish the two limits clearly. Reword it so that only
cluster-scoped resources such as nodes and persistentvolumes are described as
unavailable, and state that events remain namespaced and are visible only in the
namespaces bound by the role. Keep the change localized to the namespace-scoping
section and preserve the existing message about tools that rely on cluster-wide
data.
- Line 41: Update the Holmes service account example to use the Helm release
name rather than the hardcoded robusta prefix. In the RBAC namespace scoping
docs, adjust the SA reference near the Holmes service account example so it
matches the default holmes naming pattern from the chart ({{ .Release.Name
}}-holmes-service-account), or present it as
<release-name>-holmes-service-account / a lookup command. Keep the example
consistent with the holmes service account template and avoid implying it only
works for a robusta release.
Files selected for processing (5):
- docs/setup-robusta/openshift.rst
- docs/setup-robusta/rbac-namespace-scoping.rst
- docs/setup-robusta/read-only-service-account.rst
- helm/robusta/templates/runner-service-account.yaml
- helm/robusta/values.yaml
✅ Files skipped from review due to trivial changes (2)
- docs/setup-robusta/openshift.rst
- docs/setup-robusta/read-only-service-account.rst
Make the guide self-complete: show the helm upgrade command and note it can be combined with the read-only runner. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
This PR adds comprehensive documentation for deploying Robusta with restricted RBAC configurations:
- Read-Only Service Account Guide (read-only-service-account.rst): customClusterRoleRules configuration for read-only mode
- Namespace-Scoped RBAC Guide (rbac-namespace-scoping.rst)
- OpenShift Capabilities Clarification (updated openshift.rst): SYS_PTRACE and SYS_ADMIN capabilities are OPTIONAL
- Navigation Updates (updated index.rst)
Test Plan
Notes
- runner.customClusterRoleRules Helm parameter
Generated by Claude Code