Also allow for the RBAC rules to be modified

Signed-off-by: Pete Wall <[email protected]>

Author: petewall

operations/helm/charts/alloy/CHANGELOG.md

@@ -8,9 +8,12 @@ changes that impact end-user behavior are listed; changes to documentation or
 internal API changes are not present.
 
 Unreleased
-----------
-- Add NetworkPolicy support. (@TheRealNoob)
 
+### Enhancements
+
+- Add NetworkPolicy support. (@TheRealNoob)
+- Allow for creating Roles and RoleBindings instead of ClusterRoles and ClusterRoleBindings. (@petewall)
+- Allow for customizing the specific RBAC rules being created. (@petewall)
 
 1.1.1 (2025-06-05)
 ----------

operations/helm/charts/alloy/README.md

@@ -157,6 +157,12 @@ useful if just using the default DaemonSet isn't sufficient.
 | networkPolicy.policyTypes[1] | string | `"Egress"` |  |
 | rbac.create | bool | `true` | Whether to create RBAC resources for Alloy. |
 | rbac.namespaces | list | `[]` | If set, only create Roles and RoleBindings in the given list of namespaces, rather than ClusterRoles and ClusterRoleBindings. |
+| rbac.rules | list | `[{"apiGroups":["","discovery.k8s.io","networking.k8s.io"],"resources":["endpoints","endpointslices","ingresses","nodes","nodes/proxy","nodes/metrics","pods","services"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["pods","pods/log","namespaces"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.grafana.com"],"resources":["podlogs"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.coreos.com"],"resources":["prometheusrules"],"verbs":["get","list","watch"]},{"apiGroups":["monitoring.coreos.com"],"resources":["podmonitors","servicemonitors","probes","scrapeconfigs"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["events"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["configmaps","secrets"],"verbs":["get","list","watch"]},{"apiGroups":["apps","extensions"],"resources":["replicasets"],"verbs":["get","list","watch"]}]` | The rules to create for the ClusterRole or Role objects. |
+| rbac.rules[0] | object | `{"apiGroups":["","discovery.k8s.io","networking.k8s.io"],"resources":["endpoints","endpointslices","ingresses","nodes","nodes/proxy","nodes/metrics","pods","services"],"verbs":["get","list","watch"]}` | Rules required for the `discovery.kubernetes` component. |
+| rbac.rules[1] | object | `{"apiGroups":[""],"resources":["pods","pods/log","namespaces"],"verbs":["get","list","watch"]}` | Rules required for the `loki.source.kubernetes` component. |
+| rbac.rules[2] | object | `{"apiGroups":["monitoring.grafana.com"],"resources":["podlogs"],"verbs":["get","list","watch"]}` | Rules required for the `loki.source.podlogs` component. |
+| rbac.rules[3] | object | `{"apiGroups":["monitoring.coreos.com"],"resources":["prometheusrules"],"verbs":["get","list","watch"]}` | Rules required for the `mimir.rules.kubernetes` component. |
+| rbac.rules[5] | object | `{"apiGroups":[""],"resources":["events"],"verbs":["get","list","watch"]}` | Rules required for the `loki.source.kubernetes_events` component. |
 | service.annotations | object | `{}` |  |
 | service.clusterIP | string | `""` | Cluster IP, can be set to None, empty "" or an IP address |
 | service.enabled | bool | `true` | Creates a Service for the controller's pods. |

operations/helm/charts/alloy/ci/rbac-rules-values.yaml

@@ -0,0 +1,12 @@
+# Specify the namespaces for Roles and RoleBindings
+rbac:
+  create: true
+  rules:
+    # -- Rules required for the `discovery.kubernetes` component.
+    - apiGroups: ["", "discovery.k8s.io", "networking.k8s.io"]
+      resources: ["endpoints", "endpointslices", "ingresses", "nodes", "nodes/proxy", "nodes/metrics", "pods", "services"]
+      verbs: ["get", "list", "watch"]
+    # Rules for the `prometheus.operator.*` components.
+    - apiGroups: ["monitoring.coreos.com"]
+      resources: ["podmonitors", "servicemonitors", "probes", "scrapeconfigs"]
+      verbs: ["get", "list", "watch"]

operations/helm/charts/alloy/templates/rbac.yaml

@@ -1,45 +1,3 @@
-{{- define "alloy.rbac.rules.resourced" -}}
-# Rules which allow discovery.kubernetes to function.
-- apiGroups: ["", "discovery.k8s.io", "networking.k8s.io"]
-  resources: ["endpoints", "endpointslices", "ingresses", "nodes", "nodes/proxy", "nodes/metrics", "pods", "services"]
-  verbs: ["get", "list", "watch"]
-# Rules which allow loki.source.kubernetes and loki.source.podlogs to work.
-- apiGroups: [""]
-  resources: ["pods", "pods/log", "namespaces"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["monitoring.grafana.com"]
-  resources: ["podlogs"]
-  verbs: ["get", "list", "watch"]
-# Rules which allow mimir.rules.kubernetes to work.
-- apiGroups: ["monitoring.coreos.com"]
-  resources: ["prometheusrules"]
-  verbs: ["get", "list", "watch"]
-# Rules for prometheus.kubernetes.*
-- apiGroups: ["monitoring.coreos.com"]
-  resources: ["podmonitors", "servicemonitors", "probes", "scrapeconfigs"]
-  verbs: ["get", "list", "watch"]
-# Rules which allow eventhandler to work.
-- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["get", "list", "watch"]
-# needed for remote.kubernetes.*
-- apiGroups: [""]
-  resources: ["configmaps", "secrets"]
-  verbs: ["get", "list", "watch"]
-# needed for otelcol.processor.k8sattributes
-- apiGroups: ["apps"]
-  resources: ["replicasets"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["extensions"]
-  resources: ["replicasets"]
-  verbs: ["get", "list", "watch"]
-{{- end }}
-
-{{- define "alloy.rbac.rules.nonResourced" -}}
-- nonResourceURLs: ["/metrics"]
-  verbs: ["get"]
-{{- end }}
-
 {{- if .Values.rbac.create }}
   {{- if .Values.rbac.namespaces }}
     {{- range $namespace := .Values.rbac.namespaces }}
@@ -53,7 +11,7 @@ metadata:
     {{- include "alloy.labels" $ | nindent 4 }}
     app.kubernetes.io/component: rbac
 rules:
-{{ include "alloy.rbac.rules.resourced" $ | indent 2 }}
+  {{- $.Values.rbac.rules | toYaml | nindent 2 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -82,8 +40,9 @@ metadata:
     {{- include "alloy.labels" . | nindent 4 }}
     app.kubernetes.io/component: rbac
 rules:
-{{ include "alloy.rbac.rules.resourced" . | indent 2 }}
-{{ include "alloy.rbac.rules.nonResourced" . | indent 2 }}
+  {{- .Values.rbac.rules | toYaml | nindent 2 }}
+  - nonResourceURLs: ["/metrics"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

operations/helm/charts/alloy/values.yaml

@@ -149,6 +149,41 @@ rbac:
   # ClusterRoleBindings.
   namespaces: []
 
+  # -- The rules to create for the ClusterRole or Role objects.
+  rules:
+    # -- Rules required for the `discovery.kubernetes` component.
+    - apiGroups: ["", "discovery.k8s.io", "networking.k8s.io"]
+      resources: ["endpoints", "endpointslices", "ingresses", "nodes", "nodes/proxy", "nodes/metrics", "pods", "services"]
+      verbs: ["get", "list", "watch"]
+    # -- Rules required for the `loki.source.kubernetes` component.
+    - apiGroups: [""]
+      resources: ["pods", "pods/log", "namespaces"]
+      verbs: ["get", "list", "watch"]
+    # -- Rules required for the `loki.source.podlogs` component.
+    - apiGroups: ["monitoring.grafana.com"]
+      resources: ["podlogs"]
+      verbs: ["get", "list", "watch"]
+    # -- Rules required for the `mimir.rules.kubernetes` component.
+    - apiGroups: ["monitoring.coreos.com"]
+      resources: ["prometheusrules"]
+      verbs: ["get", "list", "watch"]
+    # Rules for the `prometheus.operator.*` components.
+    - apiGroups: ["monitoring.coreos.com"]
+      resources: ["podmonitors", "servicemonitors", "probes", "scrapeconfigs"]
+      verbs: ["get", "list", "watch"]
+    # -- Rules required for the `loki.source.kubernetes_events` component.
+    - apiGroups: [""]
+      resources: ["events"]
+      verbs: ["get", "list", "watch"]
+    # needed for the `remote.kubernetes.*` components.
+    - apiGroups: [""]
+      resources: ["configmaps", "secrets"]
+      verbs: ["get", "list", "watch"]
+    # needed for the `otelcol.processor.k8sattributes` component.
+    - apiGroups: ["apps", "extensions"]
+      resources: ["replicasets"]
+      verbs: ["get", "list", "watch"]
+
 serviceAccount:
   # -- Whether to create a service account for the Grafana Alloy deployment.
   create: true

operations/helm/tests/additional-serviceaccount-label/alloy/templates/rbac.yaml

@@ -12,40 +12,86 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: rbac
 rules:
-  # Rules which allow discovery.kubernetes to function.
-  - apiGroups: ["", "discovery.k8s.io", "networking.k8s.io"]
-    resources: ["endpoints", "endpointslices", "ingresses", "nodes", "nodes/proxy", "nodes/metrics", "pods", "services"]
-    verbs: ["get", "list", "watch"]
-  # Rules which allow loki.source.kubernetes and loki.source.podlogs to work.
-  - apiGroups: [""]
-    resources: ["pods", "pods/log", "namespaces"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["monitoring.grafana.com"]
-    resources: ["podlogs"]
-    verbs: ["get", "list", "watch"]
-  # Rules which allow mimir.rules.kubernetes to work.
-  - apiGroups: ["monitoring.coreos.com"]
-    resources: ["prometheusrules"]
-    verbs: ["get", "list", "watch"]
-  # Rules for prometheus.kubernetes.*
-  - apiGroups: ["monitoring.coreos.com"]
-    resources: ["podmonitors", "servicemonitors", "probes", "scrapeconfigs"]
-    verbs: ["get", "list", "watch"]
-  # Rules which allow eventhandler to work.
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get", "list", "watch"]
-  # needed for remote.kubernetes.*
-  - apiGroups: [""]
-    resources: ["configmaps", "secrets"]
-    verbs: ["get", "list", "watch"]
-  # needed for otelcol.processor.k8sattributes
-  - apiGroups: ["apps"]
-    resources: ["replicasets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["extensions"]
-    resources: ["replicasets"]
-    verbs: ["get", "list", "watch"]
+  - apiGroups:
+    - ""
+    - discovery.k8s.io
+    - networking.k8s.io
+    resources:
+    - endpoints
+    - endpointslices
+    - ingresses
+    - nodes
+    - nodes/proxy
+    - nodes/metrics
+    - pods
+    - services
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    - pods/log
+    - namespaces
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - monitoring.grafana.com
+    resources:
+    - podlogs
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - prometheusrules
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - podmonitors
+    - servicemonitors
+    - probes
+    - scrapeconfigs
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - events
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    - secrets
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - apps
+    - extensions
+    resources:
+    - replicasets
+    verbs:
+    - get
+    - list
+    - watch
   - nonResourceURLs: ["/metrics"]
     verbs: ["get"]
 ---

operations/helm/tests/clustering/alloy/templates/rbac.yaml

@@ -12,40 +12,86 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: rbac
 rules:
-  # Rules which allow discovery.kubernetes to function.
-  - apiGroups: ["", "discovery.k8s.io", "networking.k8s.io"]
-    resources: ["endpoints", "endpointslices", "ingresses", "nodes", "nodes/proxy", "nodes/metrics", "pods", "services"]
-    verbs: ["get", "list", "watch"]
-  # Rules which allow loki.source.kubernetes and loki.source.podlogs to work.
-  - apiGroups: [""]
-    resources: ["pods", "pods/log", "namespaces"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["monitoring.grafana.com"]
-    resources: ["podlogs"]
-    verbs: ["get", "list", "watch"]
-  # Rules which allow mimir.rules.kubernetes to work.
-  - apiGroups: ["monitoring.coreos.com"]
-    resources: ["prometheusrules"]
-    verbs: ["get", "list", "watch"]
-  # Rules for prometheus.kubernetes.*
-  - apiGroups: ["monitoring.coreos.com"]
-    resources: ["podmonitors", "servicemonitors", "probes", "scrapeconfigs"]
-    verbs: ["get", "list", "watch"]
-  # Rules which allow eventhandler to work.
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get", "list", "watch"]
-  # needed for remote.kubernetes.*
-  - apiGroups: [""]
-    resources: ["configmaps", "secrets"]
-    verbs: ["get", "list", "watch"]
-  # needed for otelcol.processor.k8sattributes
-  - apiGroups: ["apps"]
-    resources: ["replicasets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["extensions"]
-    resources: ["replicasets"]
-    verbs: ["get", "list", "watch"]
+  - apiGroups:
+    - ""
+    - discovery.k8s.io
+    - networking.k8s.io
+    resources:
+    - endpoints
+    - endpointslices
+    - ingresses
+    - nodes
+    - nodes/proxy
+    - nodes/metrics
+    - pods
+    - services
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    - pods/log
+    - namespaces
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - monitoring.grafana.com
+    resources:
+    - podlogs
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - prometheusrules
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - monitoring.coreos.com
+    resources:
+    - podmonitors
+    - servicemonitors
+    - probes
+    - scrapeconfigs
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - events
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    - secrets
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - apps
+    - extensions
+    resources:
+    - replicasets
+    verbs:
+    - get
+    - list
+    - watch
   - nonResourceURLs: ["/metrics"]
     verbs: ["get"]
 ---