Fix permissions for listing and updating cronjobs

hardbyte · Apr 10, 2024 · d288d8b · d288d8b
1 parent 34419e3
commit d288d8b
Show file tree

Hide file tree

Showing 5 changed files with 135 additions and 81 deletions.
diff --git a/docs/src/pages/docs/external-data.md b/docs/src/pages/docs/external-data.md
@@ -256,3 +256,30 @@ spec:
         message: Http request with header to pie.dev service should reply with header value
         pattern: "parse_json(data.body).headers['X-Netcheck-Header'] == somecontext.API_TOKEN"
 ```
+
+## Override Service Account for a 
+
+Netchecks probes run using the ``default`` service account in the target namespace. In 
+some environments you will need to create ServiceAccounts for your probes and grant permissions to the service account using RBAC. Many custom overrides for the generated
+Job/CronJob can be achieved using the Network Assertion ``template``:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: netcheck-test-probe-account
+  labels:
+    app.kubernetes.io/instance: netchecks
+---
+apiVersion: netchecks.io/v1
+kind: NetworkAssertion
+metadata:
+  name: custom-service-account
+  annotations:
+    description: Probe with custom service account
+spec:
+  template:
+    spec:
+      serviceAccountName: netcheck-test-probe-account
+  rules: []
+```
diff --git a/operator/charts/netchecks/templates/clusterrole.yaml b/operator/charts/netchecks/templates/clusterrole.yaml
@@ -41,12 +41,12 @@ rules:
   # The operator can create and delete CronJobs & Jobs
   - apiGroups: [batch, extensions]
     resources: [jobs, cronjobs]
-    verbs: [create, delete]
+    verbs: [create, list, get, update, delete]
 
-  # We directly create and update config maps for probes.
+  # We directly create, update and delete config maps for probes.
   - apiGroups: [""]
     resources: [configmaps]
-    verbs: [list, get, patch, create, update, watch]
+    verbs: [list, get, patch, create, update, delete]
 
   # TODO: see if we can restrict this to our operator namespace
   - apiGroups: [""]

diff --git a/operator/netchecks_operator/main.py b/operator/netchecks_operator/main.py
@@ -638,7 +638,7 @@ def create_job_spec(
         context_name = context_definition["name"]
 
         # Would be great to use Kubernetes client to generate/validate this
-        # For now we assume ConfigMap, later support Secret here too
+        # For now we assume ConfigMap or Secret
         if "configMap" in context_definition:
             volumes.append(
                 V1Volume(