bug: ClusterRole custom rules are lost when changes made to configuration #1614

Open
@ZephireNZ

Describe the issue

We are seeing an issue where, after making changes to the configuration (e.g. altering a ClusterFilter), the additional rules in the FluentBit object we set with rbacRules are being removed from the generated ClusterRole.

To Reproduce

  1. Set up a logging pipeline with rbacRules (e.g. events permissions used by kubernetesEvents) including a ClusterFilter
  2. Check the generated role; it should include those custom rules
  3. Change the ClusterFilter, e.g. adding/removing a rule
  4. Check the generated role; it should be missing those custom rules
  5. Change the FluentBit object in some way (e.g. edit an annotation)
  6. Check the generated role; it should again include those custom rules

Expected behavior

ClusterRole should not change when altering filters

Your Environment

- Fluent Operator version: 3.2.0
- Container Runtime: Docker 24.0.9
- Operating system: Ubuntu 22.04.5 LTS
- Kernel version: 5.15.0-131-generic

How did you install fluent operator?

Helm chart

Additional context

Example config (cut down for brevity):

apiVersion: fluentbit.fluent.io/v1alpha2
kind: FluentBit
spec:
  rbacRules:
    - apiGroups:
        - ''
      resources:
        - events
      verbs:
        - watch
        - list
---
apiVersion: fluentbit.fluent.io/v1alpha2
kind: ClusterInput
spec:
  alias: system-events
  kubernetesEvents:
    db: /fluent-bit/tail/system-events-pos.db
    kubeCAFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    kubeTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    kubeURL: https://kubernetes.default.svc:443
    tag: kube-events
---
apiVersion: fluentbit.fluent.io/v1alpha2
kind: ClusterFilter
spec:
  filters:
    - nest:
        addPrefix: involvedObject_
        nestedUnder: involvedObject
        operation: lift
  match: kube-events
---
apiVersion: fluentbit.fluent.io/v1alpha2
kind: ClusterOutput
spec:
  alias: tahi-logs-k8s
  es:
    bufferSize: 10M
    generateID: true
    host: ${elastic-log-endpoint}
    httpPassword:
      valueFrom:
        secretKeyRef:
          key: elastic-password
          name: fluent-elastic-credentials
    httpUser:
      valueFrom:
        secretKeyRef:
          key: elastic-username
          name: fluent-elastic-credentials
    index: tahi-logs-k8s
    port: 9200
  matchRegex: (?:kube)\.(.*)|kube-events
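
One way to check for the drift described in this report, as an added example that is not part of the original issue or the Fluent Operator code base: it compares the `rbacRules` of a FluentBit object against the `rules` of a ClusterRole and lists the permissions that are no longer granted. The sample objects are constructed, the `pods` base rule is hypothetical, and in practice both objects would be loaded from `kubectl get ... -o json` output.

```python
from itertools import product

# Constructed sample objects, shaped like `kubectl get <kind> <name> -o json`.
FLUENTBIT = {"spec": {"rbacRules": [
    {"apiGroups": [""], "resources": ["events"], "verbs": ["watch", "list"]}]}}
# Hypothetical base rule; the operator's real default rules are not on the page.
BASE_RULE = {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}
ROLE_STEP_2 = {"rules": [BASE_RULE, *FLUENTBIT["spec"]["rbacRules"]]}
ROLE_STEP_4 = {"rules": [BASE_RULE]}  # custom rules dropped after a filter change


def expand(rules, unrestricted_only=False):
    """Flatten RBAC PolicyRules into (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in rules or []:
        # A rule limited by resourceNames grants only named objects, so it
        # cannot be counted as covering a whole resource type.
        if unrestricted_only and rule.get("resourceNames"):
            continue
        triples.update(product(rule.get("apiGroups", []),
                               rule.get("resources", []),
                               rule.get("verbs", [])))
    return triples


def covered(triple, granted):
    """True if any granted triple matches, with '*' as a wildcard per field."""
    return any(all(g in ("*", t) for g, t in zip(grant, triple))
               for grant in granted)


def missing_rules(fluentbit, clusterrole):
    """Return the triples requested in spec.rbacRules that the role lacks."""
    wanted = expand(fluentbit.get("spec", {}).get("rbacRules"))
    granted = expand(clusterrole.get("rules"), unrestricted_only=True)
    return sorted(t for t in wanted if not covered(t, granted))


if __name__ == "__main__":
    for label, role in (("step 2", ROLE_STEP_2), ("step 4", ROLE_STEP_4)):
        gaps = missing_rules(FLUENTBIT, role)
        print(label, "OK" if not gaps else f"missing: {gaps}")
```

Running the check after each configuration change (steps 2, 4 and 6 above) shows whether the custom permissions survived the reconcile.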
