[metricbeat] Make cluster role rules configurable

metricbeat/README.md

@@ -50,6 +50,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.3.2
 | `imagePullPolicy`        | The Kubernetes [imagePullPolicy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) value                                                                                                                                                              | `IfNotPresent`                                                                                                            |
 | `imagePullSecrets`       | Configuration for [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) so that you can use a private registry for your image                                                        | `[]`                                                                                                                      |
 | `managedServiceAccount`  | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles.                                                                                                                       | `true`                                                                                                                    |
+| `clusterRoleRules`       | Configurable [cluster role rules](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) that Metricbeat uses to access Kubernetes resources.                                                                                                  | see [values.yaml](./values.yaml)                                                                                          |
 | `podAnnotations`         | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Metricbeat pods                                                                                                                                   | `{}`                                                                                                                      |
 | `podSecurityContext`     | Configurable [podSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Metricbeat pod execution environment                                                                                                                      | `runAsUser: 0`<br>`privileged: false`                                                                                     |
 | `livenessProbe`          | Parameters to pass to [liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds.                                                                                    | `failureThreshold: 3`<br>`initialDelaySeconds: 10`<br>`periodSeconds: 10`<br>`successThreshold: 3`<br>`timeoutSeconds: 5` |

metricbeat/templates/clusterrole.yaml

@@ -8,15 +8,5 @@ metadata:
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     heritage: {{ .Release.Service | quote }}
     release: {{ .Release.Name | quote }}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  - pods
-  - events
-  verbs:
-  - get
-  - list
-  - watch
+rules: {{ toYaml .Values.clusterRoleRules | nindent 2 -}}
 {{- end -}}

metricbeat/tests/metricbeat_test.py

@@ -207,3 +207,26 @@ def test_adding_an_affinity_rule():
     r = helm_template(config)
     assert r['daemonset'][name]['spec']['template']['spec']['affinity']['podAntiAffinity'][
         'requiredDuringSchedulingIgnoredDuringExecution'][0]['topologyKey'] == 'kubernetes.io/hostname'
+
+def test_cluster_role_rules():
+    config = ''
+    r = helm_template(config)
+    rules = r['clusterrole']['release-name-metricbeat-cluster-role']['rules'][0]
+    assert rules['apiGroups'][0] == 'extensions'
+    assert rules['verbs'][0]     == 'get'
+    assert rules['resources'][0] == 'namespaces'
+
+    config = '''
+clusterRoleRules:
+  - apiGroups:
+    - "someone"
+    verbs:
+    - "or"
+    resources:
+    - "something"
+'''
+    r = helm_template(config)
+    rules = r['clusterrole']['release-name-metricbeat-cluster-role']['rules'][0]
+    assert rules['apiGroups'][0] == 'someone'
+    assert rules['verbs'][0]     == 'or'
+    assert rules['resources'][0] == 'something'

metricbeat/values.yaml

@@ -105,6 +105,23 @@ readinessProbe:
 # Whether this chart should self-manage its service account, role, and associated role binding.
 managedServiceAccount: true
 
+clusterRoleRules:
+  - apiGroups:
+    - "extensions"
+    - "apps"
+    - ""
+    resources:
+    - namespaces
+    - pods
+    - events
+    - deployments
+    - nodes
+    - replicasets
+    verbs:
+    - get
+    - list
+    - watch
+
 podAnnotations: {}
   # iam.amazonaws.com/role: es-cluster