
fix(agent): scope secrets RBAC and robust helm-values check #210

Merged
mchmarny merged 4 commits into main from fix/helm-values-check-followup
Feb 25, 2026

Conversation

@mchmarny mchmarny (Member) commented Feb 25, 2026

Summary

Fixes #211. Follow-up to #209.

Scoped secrets RBAC (fixes #211)

The agent's aicr-node-reader ClusterRole previously granted secrets: get, list cluster-wide. This scopes secrets access to only the namespaces where Helm components are deployed.

Three RBAC modes:

| Mode | When | RBAC |
|---|---|---|
| No Helm (default snapshot) | No --helm-* flags | No secrets in ClusterRole, no per-NS Roles |
| Scoped (default validate) | Auto-derived from recipe | Per-NS Roles with secrets: get, list |
| All NS (--helm-all-namespaces) | Explicit opt-in | ClusterRole keeps secrets: get, list |

New CLI flags:

| Flag | Commands | Purpose |
|---|---|---|
| --helm-namespaces ns1,ns2 | snapshot, validate | Scoped secrets RBAC for listed namespaces |
| --helm-all-namespaces | snapshot, validate | Cluster-wide secrets access (old behavior) |
| --skip-helm-check | validate | Skip helm-values check entirely, no secrets RBAC |

For validate, namespaces are auto-derived from recipe ComponentRefs (Helm type with non-empty namespace) when no --helm-* flags are set.

Config flows to the in-cluster collector via AICR_HELM_NAMESPACES env var on the Job container ("" = skip, "*" = all, "ns1,ns2" = scoped).

Robust value comparison (from original PR)

  • valuesEqual handles type normalization (numeric: "1" == "1.0", boolean: "true" == "True")
  • Added missing TestCheckHelmValues integration test file

Files changed

| File | Change |
|---|---|
| pkg/k8s/agent/types.go | HelmNamespaces, HelmAllNamespaces fields on Config |
| pkg/k8s/agent/rbac.go | Conditional ClusterRole + per-NS Role/RoleBinding create/delete |
| pkg/k8s/agent/deployer.go | Wire helm RBAC into Deploy/Cleanup |
| pkg/k8s/agent/permissions.go | Per-NS permission checks |
| pkg/k8s/agent/job.go | AICR_HELM_NAMESPACES env var on Job container |
| pkg/k8s/agent/deployer_test.go | Updated + 5 new tests |
| pkg/collector/k8s/k8s.go | HelmNamespaces field on Collector |
| pkg/collector/k8s/helm.go | Namespace-scoped collection (collectHelmReleasesScoped) |
| pkg/collector/factory.go | WithHelmNamespaces option |
| pkg/collector/factory_test.go | TestWithHelmNamespaces |
| pkg/snapshotter/agent.go | Propagate helm config to agent.Config |
| pkg/snapshotter/snapshot.go | Read AICR_HELM_NAMESPACES env var in agent mode |
| pkg/cli/snapshot.go | --helm-namespaces, --helm-all-namespaces flags |
| pkg/cli/validate.go | --skip-helm-check, helm flags, auto-derive from recipe |
| pkg/cli/validate_test.go | TestHelmNamespacesFromRecipe (6 cases) |
| tests/chainsaw/cli/helm-values-discovery/ | E2E: matching + mismatched snapshots, skip flag, flag presence |

Test plan

  • go test -race ./pkg/k8s/agent/... — all tests pass (5 new, 1 updated)
  • go test -race ./pkg/collector/... — all tests pass
  • go test -race ./pkg/cli/... — all tests pass
  • make lint — 0 issues
  • make qualify — full check passes (12 e2e tests, up from 11)
  • New helm-values-discovery chainsaw test validates matching/mismatched/skip flows

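As an added illustration of the three RBAC modes and the AICR_HELM_NAMESPACES encoding described in the PR text above (example code written for this page, not the project's own pkg/k8s/agent or pkg/cli code), the following Go program models the precedence between --helm-all-namespaces, --helm-namespaces and the recipe-derived namespace list, plus the env var round-trip between the CLI and the in-cluster collector. HelmMode, ComponentRef, ResolveHelmMode, EncodeHelmNamespacesEnv and ParseHelmNamespacesEnv are hypothetical names, and the recipe contents are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// HelmMode is the secrets RBAC shape the agent is deployed with (illustrative names).
type HelmMode int

const (
	HelmModeNone   HelmMode = iota // no secrets rules in the ClusterRole, no per-namespace Roles
	HelmModeScoped                 // one Role + RoleBinding granting secrets get/list per namespace
	HelmModeAll                    // secrets get/list stays in the ClusterRole (explicit opt-in)
)

// ComponentRef is a constructed stand-in for a recipe component reference.
type ComponentRef struct {
	Type, Namespace string
}

// HelmNamespacesFromRecipe derives the namespaces validate scopes to when no
// --helm-* flag is given: Helm components with a non-empty namespace, sorted
// and de-duplicated so the env var value is stable.
func HelmNamespacesFromRecipe(refs []ComponentRef) []string {
	seen := map[string]bool{}
	for _, r := range refs {
		if strings.EqualFold(r.Type, "helm") && r.Namespace != "" {
			seen[r.Namespace] = true
		}
	}
	out := make([]string, 0, len(seen))
	for ns := range seen {
		out = append(out, ns)
	}
	sort.Strings(out)
	return out
}

// ResolveHelmMode applies the precedence the PR describes: --helm-all-namespaces
// wins, then --helm-namespaces, then the recipe-derived list; otherwise the
// agent gets no secrets access at all.
func ResolveHelmMode(allNamespaces bool, flagNamespaces, recipeNamespaces []string) (HelmMode, []string) {
	switch {
	case allNamespaces:
		return HelmModeAll, nil
	case len(flagNamespaces) > 0:
		return HelmModeScoped, flagNamespaces
	case len(recipeNamespaces) > 0:
		return HelmModeScoped, recipeNamespaces
	}
	return HelmModeNone, nil
}

// EncodeHelmNamespacesEnv builds the AICR_HELM_NAMESPACES value for the Job
// container: "" = skip, "*" = all, "ns1,ns2" = scoped.
func EncodeHelmNamespacesEnv(mode HelmMode, namespaces []string) string {
	switch mode {
	case HelmModeAll:
		return "*"
	case HelmModeScoped:
		return strings.Join(namespaces, ",")
	}
	return ""
}

// ParseHelmNamespacesEnv is the collector-side inverse. Whitespace and empty
// entries are dropped, and a value with no usable namespace means "skip";
// nothing short of an explicit "*" yields cluster-wide access.
func ParseHelmNamespacesEnv(value string) (HelmMode, []string) {
	if value = strings.TrimSpace(value); value == "*" {
		return HelmModeAll, nil
	}
	var out []string
	for _, ns := range strings.Split(value, ",") {
		if ns = strings.TrimSpace(ns); ns != "" {
			out = append(out, ns)
		}
	}
	if len(out) == 0 {
		return HelmModeNone, nil
	}
	return HelmModeScoped, out
}

func main() {
	// Constructed recipe: two namespaced Helm components, one Helm component
	// without a namespace (skipped), and one non-Helm component (ignored).
	refs := []ComponentRef{{"helm", "monitoring"}, {"helm", ""}, {"manifest", "apps"}, {"helm", "ingress"}}
	mode, ns := ResolveHelmMode(false, nil, HelmNamespacesFromRecipe(refs))
	env := EncodeHelmNamespacesEnv(mode, ns)
	fmt.Printf("mode=%d AICR_HELM_NAMESPACES=%q\n", mode, env) // mode=1 AICR_HELM_NAMESPACES="ingress,monitoring"
	back, scoped := ParseHelmNamespacesEnv(env)
	fmt.Println(back == mode, scoped) // true [ingress monitoring]
}
```

The mode is the security-relevant output here: only an explicit `*` ever maps to cluster-wide secrets access, and an empty or malformed env value falls back to no secrets rules rather than to the old behaviour, so a mis-set Job environment cannot silently widen the agent's reach.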
valuesEqual now normalizes numeric and boolean types before comparing,
preventing false drift reports from YAML int vs JSON float64 (e.g.,
1 vs 1.0) and boolean casing (True vs true).

Add helm_values_check_test.go integration test wrapper so the
registered TestName maps to an actual test function that the
validator Job runner can invoke.
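An added example (not the project's valuesEqual, whose source is not on this page) of the normalisation this commit message describes: the YAML side of a Helm values comparison typically decodes `1` as int and `true` as bool, while the JSON side yields float64 and may carry `"True"` as a string. Coercing both trees to one canonical form before comparing, and reporting the paths that still differ, is what keeps `1` vs `1.0` and `True` vs `true` from being flagged as drift. `normalize`, `ValuesDiff` and the sample values are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"reflect"
	"sort"
	"strconv"
	"strings"
)

// normalize coerces a decoded value tree into one canonical form so the YAML
// side (int, bool) and the JSON side (float64, strings) of a Helm values
// comparison line up: numbers become float64 and boolean spellings ("true",
// "True") become bool. Strings that parse as finite numbers are treated as
// numbers, so "1" == "1.0" by design; NaN and Inf stay strings.
func normalize(v interface{}) interface{} {
	switch x := v.(type) {
	case int:
		return float64(x)
	case string:
		if f, err := strconv.ParseFloat(x, 64); err == nil && !math.IsNaN(f) && !math.IsInf(f, 0) {
			return f
		}
		switch strings.ToLower(x) {
		case "true":
			return true
		case "false":
			return false
		}
		return x
	case []interface{}:
		out := make([]interface{}, len(x))
		for i, e := range x {
			out[i] = normalize(e)
		}
		return out
	case map[string]interface{}:
		out := make(map[string]interface{}, len(x))
		for k, e := range x {
			out[k] = normalize(e)
		}
		return out
	}
	return v
}

// ValuesDiff returns the paths ("$.a.b", "$.list.0") at which the normalised
// trees disagree; an empty result means no drift. A key present on only one
// side is reported as a differing path rather than silently ignored.
func ValuesDiff(want, got interface{}) []string {
	var out []string
	diff("$", normalize(want), normalize(got), &out)
	sort.Strings(out)
	return out
}

func diff(path string, a, b interface{}, out *[]string) {
	switch x := a.(type) {
	case map[string]interface{}:
		y, ok := b.(map[string]interface{})
		if !ok {
			*out = append(*out, path)
			return
		}
		for k := range y {
			if _, present := x[k]; !present {
				*out = append(*out, path+"."+k) // only on the observed side
			}
		}
		for k, e := range x {
			diff(path+"."+k, e, y[k], out) // missing in y yields nil and is reported below
		}
	case []interface{}:
		y, ok := b.([]interface{})
		if !ok || len(x) != len(y) {
			*out = append(*out, path)
			return
		}
		for i := range x {
			diff(path+"."+strconv.Itoa(i), x[i], y[i], out)
		}
	default:
		if !reflect.DeepEqual(a, b) {
			*out = append(*out, path)
		}
	}
}

// valuesEqual is the predicate a drift check ends up calling.
func valuesEqual(want, got interface{}) bool { return len(ValuesDiff(want, got)) == 0 }

func main() {
	var got interface{} // constructed JSON side, as encoding/json decodes it
	_ = json.Unmarshal([]byte(`{"replicaCount":1.0,"ingress":{"enabled":"True"}}`), &got)
	fmt.Println(ValuesDiff(map[string]interface{}{"replicaCount": 1, "ingress": map[string]interface{}{"enabled": true}}, got)) // []
}
```

One caveat worth keeping in mind with this kind of coercion: treating any numeric-looking string as a number means a chart value such as a version string "1.10" compares equal to "1.1". If that matters for a given check, restrict the string-to-number step to cases where the other side is already a number.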
@mchmarny mchmarny requested a review from a team as a code owner February 25, 2026 00:01
@mchmarny mchmarny marked this pull request as draft February 25, 2026 00:02
@mchmarny mchmarny self-assigned this Feb 25, 2026
Remove cluster-wide secrets access from the default ClusterRole.
Add --helm-namespaces and --helm-all-namespaces flags to snapshot
and validate commands. Validate auto-derives namespaces from recipe
ComponentRefs. Add --skip-helm-check to suppress the helm-values
deployment check entirely.

RBAC modes: no-helm (default snapshot), scoped per-NS Roles
(default validate), or cluster-wide (--helm-all-namespaces).
Config flows to collector via AICR_HELM_NAMESPACES env var.

Fixes #211
@mchmarny mchmarny marked this pull request as ready for review February 25, 2026 01:00
@mchmarny mchmarny changed the title from "fix(validator): robust helm-values comparison and integration test" to "fix(agent): scope secrets RBAC and robust helm-values check" Feb 25, 2026
@xdu31 xdu31 (Contributor) commented Feb 25, 2026

As part of documentation, do we want to include this validator check in the example recipes?

@mchmarny mchmarny (Member, Author) commented Feb 25, 2026

> As part of documentation, do we want to include this validator check in the example recipes?

This is more global vs recipe-based, so just in docs, which I already added. I don't think we need anything on this in the individual recipes.

@mchmarny mchmarny enabled auto-merge (squash) February 25, 2026 12:11
@mchmarny mchmarny merged commit 6a03a84 into main Feb 25, 2026
17 checks passed
@mchmarny mchmarny deleted the fix/helm-values-check-followup branch February 25, 2026 12:11
Linked issue: Scope agent secrets RBAC to specific namespaces