Merge pull request #8 from PaloAltoNetworks/add_privileged_bind

Agent on OpenShift clusters needs privileged bind for the compliance …

Author: rlevartovsky

charts/konnector/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.11
+version: 1.0.12
 appVersion: "1.0.0"
 maintainers:
   - name: Palo Alto Networks - Cortex KSPM team

charts/konnector/templates/rbac.yaml

@@ -82,7 +82,7 @@ roleRef:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ $bindingName }}
+  name: {{ $bindingName }}-binding
   labels:
     {{- include "common.labels" $ | nindent 4 }}
 subjects:

charts/konnector/values.yaml

@@ -86,7 +86,7 @@ system:
   # Cluster Role Resources
   # ==========================
   clusterRoles:
-    connector-manager-creator:
+    konnector-manager-creator:
       rules:
         - apiGroups: [""]
           resources: ["configmaps", "services", "serviceaccounts"]
@@ -100,7 +100,7 @@ system:
         - apiGroups: ["rbac.authorization.k8s.io"]
           resources: ["clusterroles", "roles", "rolebindings", "clusterrolebindings"]
           verbs: ["create", "patch", "delete"]
-    cluster-manager:
+    konnector-cluster-manager:
       rules:
         - apiGroups: [""]
           resources: ["namespaces", "secrets", "configmaps"]
@@ -111,7 +111,7 @@ system:
         - apiGroups: ["admissionregistration.k8s.io"]
           resources: ["validatingwebhookconfigurations"]
           verbs: ["update", "list", "watch", "get", "create", "patch", "delete"]
-    read-inventory:
+    konnector-read-inventory:
       rules:
         - apiGroups: [""]
           resources: ["namespaces", "pods", "serviceaccounts", "endpoints", "services", "configmaps", "secrets", "nodes", "nodes/proxy"]
@@ -128,22 +128,22 @@ system:
         - apiGroups: ["networking.k8s.io"]
           resources: ["networkpolicies", "ingresses"]
           verbs: ["get", "list", "watch"]
-    crd-manager:
+    konnector-crd-manager:
       rules:
         - apiGroups: ["apiextensions.k8s.io"]
           resources: ["customresourcedefinitions"]
           verbs: ["create", "get", "patch", "delete"]
-    node-vm-discovery:
+    konnector-node-vm-discovery:
       rules:
         - apiGroups: [""]
           resources: ["nodes"]
           verbs: ["get", "list", "patch"]
-    aro-openshift-permissions:
+    konnector-aro-openshift-permissions:
       rules:
         - apiGroups: ["aro.openshift.io"]
           resources: ["clusters"]
           verbs: ["get", "list", "watch"]
-    general-openshift-permissions:
+    konnector-general-openshift-permissions:
       rules:
         - apiGroups: ["config.openshift.io"]
           resources: ["clusterversions", "apiservers", "authentications", "clusteroperators", "oauths", "infrastructures"]
@@ -160,7 +160,7 @@ system:
         - apiGroups: ["security.openshift.io"]
           resources: ["securitycontextconstraints"]
           verbs: ["get", "list", "watch"]
-    otel:
+    konnector-otel:
       rules:
         - apiGroups: [""]
           resources: ["nodes/stats"]
@@ -179,10 +179,14 @@ system:
           verbs: ["get", "list", "watch"]
 
   extraClusterRoleBindings:
-    openshift-anyuid-crole-binding:
+    konnector-openshift-anyuid:
       roleRef:
         apiGroup: security.openshift.io/v1
         name: system:openshift:scc:anyuid
+    konnector-openshift-privileged:
+      roleRef:
+        apiGroup: security.openshift.io/v1
+        name: system:openshift:scc:privileged
 
   # ==========================
   # Secrets Resources