From 41dfee2c8a6106d893116271f13da8276f3b9ab5 Mon Sep 17 00:00:00 2001
From: lisguo
Date: Tue, 13 Aug 2024 10:32:44 -0400
Subject: [PATCH 1/5] Set hostNetwork: true for agent

---
 .../templates/linux/cloudwatch-agent-daemonset.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-daemonset.yaml b/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-daemonset.yaml
index 5b330a6c..693cecb1 100644
--- a/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-daemonset.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/linux/cloudwatch-agent-daemonset.yaml
@@ -39,6 +39,7 @@ spec:
 operator: NotIn
 values:
 - fargate
+ hostNetwork: true
 {{- if .Values.agent.config }}
 config: {{ include "cloudwatch-agent.modify-config" (merge (dict "Config" .Values.agent.config) . ) }}
 {{- else }}
From ebbee7d5ac869b24f34de53ffc622b7847689934 Mon Sep 17 00:00:00 2001
From: lisguo
Date: Tue, 13 Aug 2024 13:52:28 -0400
Subject: [PATCH 2/5] Add restrictive rbac

---
 .../templates/operator-clusterrole.yaml | 25 ++++++++++---------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml b/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
index 6aeec293..4cef52d4 100644
--- a/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
@@ -5,6 +5,7 @@ metadata:
 rules:
 - apiGroups: [ "" ]
 resources: [ "configmaps" ]
+ resourceNames: ["cloudwatch-agent", "cloudwatch-agent-windows", "cwagent-clusterleader", "dcgm-exporter-config-map", "fluent-bit-config", "fluent-bit-windows-config", "neuron-monitor-config-map", "kube-root-ca.crt"]
 verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
 - apiGroups: [ "" ]
 resources: [ "events" ]
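Review bot: `hostNetwork: true` is added to the agent spec unconditionally, with no chart value to turn it off, so every agent pod shares its node's network namespace: whatever the agent config listens on binds on the node's interfaces instead of the pod IP, and a namespace enforcing the Pod Security `baseline` profile will refuse the pod. Gate it on a value, e.g. `hostNetwork: {{ .Values.agent.hostNetwork }}` with a new `agent.hostNetwork` key in values.yaml, and say in the commit message which receiver needs host networking. The spec block this key belongs to starts and ends outside the hunk.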
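Review bot: The `resourceNames` list on the configmaps rule includes `kube-root-ca.crt`, the CA-bundle ConfigMap the control plane publishes into every namespace, and this rule grants `patch`/`update` on it here and `delete` as well by PATCH 5/5; if the operator only reads that ConfigMap, drop it from the list so it stays covered by read verbs only. Also, `create`, `list` and `watch` in a rule carrying `resourceNames` only match requests that name an object (a create has no name yet, list/watch only when a `metadata.name` field selector is sent), so as I read RBAC matching this rule cannot grant the create/list/watch it lists. The split daemonsets/deployments rules in the next hunk (`@@ -14,16 +15,25 @@`) have the same problem for `create`; PATCH 3/5 reworks both, so this is recorded here only to explain why that rework is needed.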
@@ -14,16 +15,25 @@ rules:
 verbs: [ "get","list","patch","update","watch" ]
 - apiGroups: [ "" ]
 resources: [ "serviceaccounts" ]
+ resourceNames: [ "amazon-cloudwatch-observability-controller-manager", "cloudwatch-agent", "dcgm-exporter-service-acct", "neuron-monitor-service-acct"]
 verbs: [ "create","delete","get","list","patch","update","watch" ]
 - apiGroups: [ "" ]
 resources: [ "services" ]
 verbs: [ "create","delete","get","list","patch","update","watch" ]
 - apiGroups: [ "apps" ]
 resources: [ "daemonsets" ]
- verbs: [ "create","delete","get","list","patch","update","watch" ]
+ resourceNames: ["cloudwatch-agent", "cloudwatch-agent-windows", "dcgm-exporter", "fluent-bit", "fluent-bit-windows", "neuron-monitor"]
+ verbs: [ "create","delete" ]
+- apiGroups: [ "apps" ]
+ resources: [ "daemonsets" ]
+ verbs: [ "get","list","patch","update","watch" ]
 - apiGroups: [ "apps" ]
 resources: [ "deployments" ]
- verbs: [ "create","delete","get","list","patch","update","watch" ]
+ resourceNames: [ "amazon-cloudwatch-observability-controller-manager" ]
+ verbs: [ "create","delete" ]
+- apiGroups: [ "apps" ]
+ resources: [ "deployments" ]
+ verbs: [ "get","list","patch","update","watch" ]
 - apiGroups: [ "apps" ]
 resources: [ "statefulsets" ]
 verbs: [ "create","delete","get","list","patch","update","watch" ]
@@ -41,13 +51,4 @@ rules:
 verbs: [ "get","patch","update" ]
 - apiGroups: [ "cloudwatch.aws.amazon.com" ]
 resources: [ "instrumentations" ]
- verbs: [ "get","list","patch","update","watch" ]
-- apiGroups: [ "coordination.k8s.io" ]
- resources: [ "leases" ]
- verbs: [ "create","get","list","update" ]
-- apiGroups: [ "networking.k8s.io" ]
- resources: [ "ingresses" ]
- verbs: [ "create","delete","get","list","patch","update","watch" ]
-- apiGroups: [ "route.openshift.io" ]
- resources: [ "routes", "routes/custom-host" ]
- verbs: [ "create","delete","get","list","patch","update","watch" ]
+ verbs: [ "get","list","patch","update","watch" ]
\ No newline at end of file
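Review bot: The `coordination.k8s.io` `leases` rule is removed together with ingresses and routes; if the manager still uses Lease-based leader election (the usual default for controller-runtime operators), it will fail to acquire its lease at startup and never reconcile, so confirm the leader-election settings and, if they use leases, keep `- apiGroups: [ "coordination.k8s.io" ]` / `resources: [ "leases" ]` / `verbs: [ "create","get","list","update" ]`. The ingresses and routes removals are safe only if no reconciler creates those objects, which the commit message does not state. The replacement last line also drops the file's trailing newline (`\ No newline at end of file`); restore it.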
From 22f94d73ec57d2c19bd245825257140404c159ce Mon Sep 17 00:00:00 2001
From: lisguo
Date: Wed, 14 Aug 2024 11:15:02 -0400
Subject: [PATCH 3/5] Fix some permissions that are needed by operator

---
 .../templates/operator-clusterrole.yaml | 22 +++++++++----------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml b/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
index 4cef52d4..aa968025 100644
--- a/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
@@ -3,37 +3,35 @@ kind: ClusterRole
 metadata:
 name: {{ template "amazon-cloudwatch-observability.name" . }}-manager-role
 rules:
+- apiGroups: [ "" ]
+ resources: [ "configmaps" ]
+ verbs: [ "create", "delete", "get", "list", "watch" ]
 - apiGroups: [ "" ]
 resources: [ "configmaps" ]
 resourceNames: ["cloudwatch-agent", "cloudwatch-agent-windows", "cwagent-clusterleader", "dcgm-exporter-config-map", "fluent-bit-config", "fluent-bit-windows-config", "neuron-monitor-config-map", "kube-root-ca.crt"]
- verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
+ verbs: [ "patch", "update" ]
 - apiGroups: [ "" ]
 resources: [ "events" ]
 verbs: [ "create", "patch" ]
 - apiGroups: [ "" ]
 resources: [ "namespaces" ]
 verbs: [ "get","list","patch","update","watch" ]
+- apiGroups: [ "" ]
+ resources: [ "serviceaccounts" ]
+ verbs: [ "create","delete", "get", "list", "watch" ]
 - apiGroups: [ "" ]
 resources: [ "serviceaccounts" ]
 resourceNames: [ "amazon-cloudwatch-observability-controller-manager", "cloudwatch-agent", "dcgm-exporter-service-acct", "neuron-monitor-service-acct"]
- verbs: [ "create","delete","get","list","patch","update","watch" ]
+ verbs: ["patch","update" ]
 - apiGroups: [ "" ]
 resources: [ "services" ]
 verbs: [ "create","delete","get","list","patch","update","watch" ]
 - apiGroups: [ "apps" ]
 resources: [ "daemonsets" ]
- resourceNames: ["cloudwatch-agent", "cloudwatch-agent-windows", "dcgm-exporter", "fluent-bit", "fluent-bit-windows", "neuron-monitor"]
- verbs: [ "create","delete" ]
-- apiGroups: [ "apps" ]
- resources: [ "daemonsets" ]
- verbs: [ "get","list","patch","update","watch" ]
+ verbs: [ "create","delete", "get","list","patch","update","watch" ]
 - apiGroups: [ "apps" ]
 resources: [ "deployments" ]
- resourceNames: [ "amazon-cloudwatch-observability-controller-manager" ]
- verbs: [ "create","delete" ]
-- apiGroups: [ "apps" ]
- resources: [ "deployments" ]
- verbs: [ "get","list","patch","update","watch" ]
+ verbs: [ "create","delete", "get","list","patch","update","watch" ]
 - apiGroups: [ "apps" ]
 resources: [ "statefulsets" ]
 verbs: [ "create","delete","get","list","patch","update","watch" ]
From 26ae844b816fc5e628102625ad23485c693d889b Mon Sep 17 00:00:00 2001
From: lisguo
Date: Wed, 14 Aug 2024 14:23:18 -0400
Subject: [PATCH 4/5] Restrict service permissions

---
 .../templates/operator-clusterrole.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml b/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
index aa968025..fc13a072 100644
--- a/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
@@ -25,13 +25,17 @@ rules:
 verbs: ["patch","update" ]
 - apiGroups: [ "" ]
 resources: [ "services" ]
- verbs: [ "create","delete","get","list","patch","update","watch" ]
+ verbs: [ "create","delete","get","list","watch" ]
+- apiGroups: [ "" ]
+ resources: [ "services" ]
+ resourceNames: [ "amazon-cloudwatch-observability-webhook-service", "cloudwatch-agent", "cloudwatch-agent-headless", "cloudwatch-agent-monitoring", "cloudwatch-agent-windows", "cloudwatch-agent-windows-headless", "cloudwatch-agent-windows-monitoring", "dcgm-exporter-service", "neuron-monitor-service" ]
+ verbs: [ "patch","update" ]
 - apiGroups: [ "apps" ]
 resources: [ "daemonsets" ]
- verbs: [ "create","delete", "get","list","patch","update","watch" ]
+ verbs: [ "create","delete","get","list","patch","update","watch" ]
 - apiGroups: [ "apps" ]
 resources: [ "deployments" ]
- verbs: [ "create","delete", "get","list","patch","update","watch" ]
+ verbs: [ "create","delete","get","list","patch","update","watch" ]
 - apiGroups: [ "apps" ]
 resources: [ "statefulsets" ]
 verbs: [ "create","delete","get","list","patch","update","watch" ]
From b1d5f3097db3cef10d3d745d769036ad29603911 Mon Sep 17 00:00:00 2001
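Review bot: The daemonsets and deployments rules go back to unrestricted `create`,`delete`,`patch`,`update` over every DaemonSet and Deployment in the cluster, while the same hunk keeps the name-scoped pattern for configmaps and serviceaccounts; the commit message says some permissions were needed but not which. If the operator only manages the DaemonSets and the Deployment it creates (the names PATCH 2/5 listed), the pattern PATCH 5/5 ends up with for configmaps applies here too: an unnamed rule for `create`,`get`,`list`,`watch` and a named rule for `delete`,`patch`,`update`. If a reconciler really needs to modify arbitrary workloads, a comment above the rule naming it would stop the next reviewer from re-tightening this.
```yaml
- apiGroups: [ "apps" ]
  resources: [ "daemonsets" ]
  verbs: [ "create","get","list","watch" ]
- apiGroups: [ "apps" ]
  resources: [ "daemonsets" ]
  resourceNames: ["cloudwatch-agent", "cloudwatch-agent-windows", "dcgm-exporter", "fluent-bit", "fluent-bit-windows", "neuron-monitor"]
  verbs: [ "delete","patch","update" ]
- apiGroups: [ "apps" ]
  resources: [ "deployments" ]
  verbs: [ "create","get","list","watch" ]
- apiGroups: [ "apps" ]
  resources: [ "deployments" ]
  resourceNames: [ "amazon-cloudwatch-observability-controller-manager" ]
  verbs: [ "delete","patch","update" ]
# … unchanged: statefulsets rule and the rest of the rules list …
```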
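Review bot: The services `resourceNames` entry `amazon-cloudwatch-observability-webhook-service` is a literal, while this file names the ClusterRole through `{{ template "amazon-cloudwatch-observability.name" . }}`; if the webhook Service is templated the same way, a release with a different name produces a Service this rule does not cover and the operator loses `patch`/`update` on it. Build that entry with the same helper, e.g. `"{{ template "amazon-cloudwatch-observability.name" . }}-webhook-service"`, or add a comment above the rule explaining why the literal is always correct.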
From: lisguo
Date: Thu, 15 Aug 2024 12:49:13 -0400
Subject: [PATCH 5/5] Modify rbac to only delete cloudwatch resources

---
 .../templates/operator-clusterrole.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml b/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
index fc13a072..27d48ab0 100644
--- a/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
+++ b/charts/amazon-cloudwatch-observability/templates/operator-clusterrole.yaml
@@ -5,31 +5,31 @@ metadata:
 rules:
 - apiGroups: [ "" ]
 resources: [ "configmaps" ]
- verbs: [ "create", "delete", "get", "list", "watch" ]
+ verbs: [ "create","get","list", "watch" ]
 - apiGroups: [ "" ]
 resources: [ "configmaps" ]
 resourceNames: ["cloudwatch-agent", "cloudwatch-agent-windows", "cwagent-clusterleader", "dcgm-exporter-config-map", "fluent-bit-config", "fluent-bit-windows-config", "neuron-monitor-config-map", "kube-root-ca.crt"]
- verbs: [ "patch", "update" ]
+ verbs: [ "delete","patch","update" ]
 - apiGroups: [ "" ]
 resources: [ "events" ]
- verbs: [ "create", "patch" ]
+ verbs: [ "create","patch" ]
 - apiGroups: [ "" ]
 resources: [ "namespaces" ]
 verbs: [ "get","list","patch","update","watch" ]
 - apiGroups: [ "" ]
 resources: [ "serviceaccounts" ]
- verbs: [ "create","delete", "get", "list", "watch" ]
+ verbs: [ "create","get", "list", "watch" ]
 - apiGroups: [ "" ]
 resources: [ "serviceaccounts" ]
 resourceNames: [ "amazon-cloudwatch-observability-controller-manager", "cloudwatch-agent", "dcgm-exporter-service-acct", "neuron-monitor-service-acct"]
- verbs: ["patch","update" ]
+ verbs: ["delete","patch","update" ]
 - apiGroups: [ "" ]
 resources: [ "services" ]
- verbs: [ "create","delete","get","list","watch" ]
+ verbs: [ "create","get","list","watch" ]
 - apiGroups: [ "" ]
 resources: [ "services" ]
 resourceNames: [ "amazon-cloudwatch-observability-webhook-service", "cloudwatch-agent", "cloudwatch-agent-headless", "cloudwatch-agent-monitoring", "cloudwatch-agent-windows", "cloudwatch-agent-windows-headless", "cloudwatch-agent-windows-monitoring", "dcgm-exporter-service", "neuron-monitor-service" ]
- verbs: [ "patch","update" ]
+ verbs: [ "delete","patch","update" ]
 - apiGroups: [ "apps" ]
 resources: [ "daemonsets" ]
 verbs: [ "create","delete","get","list","patch","update","watch" ]
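Review bot: With this last step the named rules grant `delete`,`patch`,`update` on ConfigMaps, ServiceAccounts and Services by name only, but a ClusterRole's `resourceNames` are not namespace-scoped: any object with one of these names in any namespace (a ConfigMap called `cloudwatch-agent` in a tenant namespace, say) is reachable with these verbs, and `kube-root-ca.crt` becomes deletable in every namespace. If the operator only manages these objects in its own namespace, move the namespaced-resource rules into a Role plus RoleBinding there and keep the ClusterRole for cluster-scoped resources; if it must follow CRs into arbitrary namespaces, a comment above `rules:` saying so would record the decision. Minor: the new verb lists mix spacing (`[ "create","get","list", "watch" ]`, `["delete","patch","update" ]`); one form per file is easier to diff.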