Fix telemetry RBAC template #252

Merged (1 commit), Jul 14, 2025

Conversation

m1kola
Contributor

@m1kola m1kola commented Jul 11, 2025

Summary

Currently ClusterRoleBinding is still being rendered when telemetry.enabled is true, but telemetry.installClusterRole is false.

Proof of Work

Comparing results of the following template renderings.

  1. Telemetry enabled, telemetry RBAC enabled.

    helm template --show-only \
      templates/operator-roles.yaml \
      ./helm_chart \
      --namespace mongodb \
      --set operator.telemetry.enabled=true \
      --set operator.telemetry.installClusterRole=true \
      | yq 'select((.kind == "ClusterRoleBinding" or .kind == "ClusterRole") and (.metadata.name | contains("telemetry")))'
  2. Telemetry enabled, telemetry RBAC disabled

    helm template --show-only \
      templates/operator-roles.yaml \
      ./helm_chart \
      --namespace mongodb \
      --set operator.telemetry.enabled=true \
      --set operator.telemetry.installClusterRole=false \
      | yq 'select((.kind == "ClusterRoleBinding" or .kind == "ClusterRole") and (.metadata.name | contains("telemetry")))'

Before

  1. Telemetry enabled, telemetry RBAC enabled.

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # Additional ClusterRole for clusterVersionDetection
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-cluster-telemetry
    rules:
      # Non-resource URL permissions
      - nonResourceURLs:
          - "/version"
        verbs:
          - get
      # Cluster-scoped resource permissions
      - apiGroups:
          - ''
        resources:
          - namespaces
        resourceNames:
          - kube-system
        verbs:
          - get
      - apiGroups:
          - ''
        resources:
          - nodes
        verbs:
          - list
    ---
    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # ClusterRoleBinding for clusterVersionDetection
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-cluster-telemetry
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb
  2. Telemetry enabled, telemetry RBAC disabled

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # ClusterRoleBinding for clusterVersionDetection
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-cluster-telemetry
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb

After

  1. Telemetry enabled, telemetry RBAC enabled.

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # Additional ClusterRole for clusterVersionDetection
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-cluster-telemetry
    rules:
      # Non-resource URL permissions
      - nonResourceURLs:
          - "/version"
        verbs:
          - get
      # Cluster-scoped resource permissions
      - apiGroups:
          - ''
        resources:
          - namespaces
        resourceNames:
          - kube-system
        verbs:
          - get
      - apiGroups:
          - ''
        resources:
          - nodes
        verbs:
          - list
    ---
    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # ClusterRoleBinding for clusterVersionDetection
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-cluster-telemetry
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb
  2. Telemetry enabled, telemetry RBAC disabled

    # (Nothing)

Checklist

  • Have you linked a jira ticket and/or is the ticket in the title?
  • Have you checked whether your jira ticket required DOCSP changes?
  • Have you checked for release_note changes?

Reminder (Please remove this when merging)

  • Please try to Approve or Reject Changes the PR, keep PRs in review as short as possible
  • Our Short Guide for PRs: Link
  • Remember the following Communication Standards - use comment prefixes for clarity:
    • blocking: Must be addressed before approval.
    • follow-up: Can be addressed in a later PR or ticket.
    • q: Clarifying question.
    • nit: Non-blocking suggestions.
    • note: Side-note, non-actionable. Example: Praise
    • --> no prefix is considered a question
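A check that would have flagged the bug this PR fixes (a ClusterRoleBinding rendered without the ClusterRole it references), written here as an added example rather than the chart's own tooling. It assumes the rendered manifest stream is available as text (for instance the output of the helm template commands above) and deliberately uses a narrow field extractor instead of a full YAML parser; the sample manifests are constructed from the "Before" renderings in the description.

```python
import re

# Constructed samples modelled on the PR's "Before" renderings: case 2 is the
# bug, a telemetry ClusterRoleBinding emitted without its ClusterRole.
ROLE = """\
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-kubernetes-operator-cluster-telemetry
rules:
  - nonResourceURLs: ["/version"]
    verbs: ["get"]
"""
BINDING = """\
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mongodb-kubernetes-operator-cluster-telemetry
subjects:
  - kind: ServiceAccount
    name: mongodb-kubernetes-operator
    namespace: mongodb
"""
RBAC_ENABLED = ROLE + "---\n" + BINDING   # case 1: role and binding both rendered
RBAC_DISABLED_BUGGY = BINDING             # case 2 before the fix: binding only


def _field(text, key, indented):
    """First 'key: value' at column 0 (indented=False) or inside an indented block."""
    prefix = r"[ \t]+" if indented else ""
    m = re.search(rf"(?m)^{prefix}{key}:\s*(\S+)", text)
    return m.group(1) if m else None


def _block(doc, section):
    """Indented body of a top-level 'section:' mapping, or '' if absent."""
    m = re.search(rf"(?m)^{section}:\n((?:[ \t]+.*\n?)+)", doc)
    return m.group(1) if m else ""


def dangling_cluster_role_bindings(manifest):
    """(binding, role) pairs whose roleRef names a ClusterRole missing from the stream."""
    docs = [d for d in re.split(r"(?m)^---[ \t]*$", manifest) if d.strip()]
    roles = {_field(_block(d, "metadata"), "name", True)
             for d in docs if _field(d, "kind", False) == "ClusterRole"}
    dangling = []
    for d in docs:
        if _field(d, "kind", False) != "ClusterRoleBinding":
            continue
        ref = _block(d, "roleRef")
        if _field(ref, "kind", True) == "ClusterRole" and _field(ref, "name", True) not in roles:
            dangling.append((_field(_block(d, "metadata"), "name", True), _field(ref, "name", True)))
    return dangling
```

Run it over both renderings: the enabled case returns an empty list, the buggy disabled case returns the orphaned binding and the role it points at, which is exactly what the "After" rendering with "(Nothing)" eliminates.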

@m1kola m1kola marked this pull request as ready for review July 11, 2025 14:38
@m1kola m1kola requested a review from a team as a code owner July 11, 2025 14:38
Member

@mircea-cosbuc mircea-cosbuc left a comment

Nice catch! LGTM

@m1kola
Contributor Author

m1kola commented Jul 11, 2025

I think I might've misdiagnosed it. Telemetry rendering for some reason (in master) depends on operator.webhook.registerConfiguration...

Putting this back to draft for further investigation.

@m1kola m1kola marked this pull request as draft July 11, 2025 15:16
@m1kola
Contributor Author

m1kola commented Jul 11, 2025

There is an issue with rendering when operator.webhook.registerConfiguration is set to false, but it is not relevant. I'll submit a separate PR for that.

Added proof of work to the PR description.

@m1kola m1kola marked this pull request as ready for review July 11, 2025 16:08
@m1kola m1kola force-pushed the fix_telemetry_rbac_template branch from 3ab47c4 to ae2ace7 Compare July 14, 2025 08:15
@m1kola
Contributor Author

m1kola commented Jul 14, 2025

Rebased on top of master to include changes from #254.

@m1kola m1kola force-pushed the fix_telemetry_rbac_template branch from ae2ace7 to 6bd2f84 Compare July 14, 2025 10:21
@m1kola
Contributor Author

m1kola commented Jul 14, 2025

Another rebase on top of master to include #255.

This keeps perma failing e2e_sharded_cluster_x509_to_scram_transition and I'm not sure how this is relevant to telemetry RBAC at the moment. Might require further investigation.

@m1kola
Contributor Author

m1kola commented Jul 14, 2025

I looked into e2e_sharded_cluster_x509_to_scram_transition and it looks like failure is not related: STS does not report ready on time in test_can_enable_scram_sha_256. I see the same failures in other PRs. It seems like e2e_static_mdb_kind_ubi_cloudqa is more flaky than non-static variant.

@m1kola m1kola merged commit e370e1f into mongodb:master Jul 14, 2025
35 checks passed
@m1kola m1kola deleted the fix_telemetry_rbac_template branch July 14, 2025 12:37