Add PriorityClass permissions

oded7hoffman · oded7hoffman · commit 27ec99941e32 · 2025-12-22T09:23:10.000+02:00
diff --git a/charts/konnector/Chart.yaml b/charts/konnector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.24-rc.2
+version: 1.0.24-rc.3
 appVersion: "1.0.0"
 maintainers:
   - name: Palo Alto Networks - Cortex KSPM team
diff --git a/charts/konnector/templates/_helpers.tpl b/charts/konnector/templates/_helpers.tpl
@@ -61,7 +61,9 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      priorityClassName: {{ .Values.priorityClass.high.name }}
+      {{- if .Values.priorityClassValues.enabled }}
+      priorityClassName: {{ .Values.priorityClassValues.classes.high.name }}
+      {{- end }}
       volumes:
         - name: {{ .Values.system.secrets.backendAuth.name }}
           secret:
diff --git a/charts/konnector/templates/batch.yaml b/charts/konnector/templates/batch.yaml
@@ -37,7 +37,9 @@ spec:
     spec:
       serviceAccountName: {{ .Values.system.serviceAccount.name }}
       restartPolicy: "Never"
-      priorityClassName: {{ .Values.priorityClass.high.name }}
+      {{- if .Values.priorityClassValues.enabled }}
+      priorityClassName: {{ .Values.priorityClassValues.classes.high.name }}
+      {{- end }}
       containers:
         - name: helm-uninstall
           image: alpine/helm:3.17.2
diff --git a/charts/konnector/templates/priorityclass.yaml b/charts/konnector/templates/priorityclass.yaml
@@ -1,4 +1,5 @@
-{{- range $priority, $class := .Values.priorityClass }}
+{{- if .Values.priorityClassValues.enabled }}
+{{- range $priority, $class := .Values.priorityClassValues.classes }}
 apiVersion: scheduling.k8s.io/v1
 kind: PriorityClass
 metadata:
diff --git a/charts/konnector/values.yaml b/charts/konnector/values.yaml
@@ -34,13 +34,16 @@ proxyValues:
   httpProxy: ""  # Optional proxy URL for external network access
   noProxy: "kubernetes,kubernetes.default.svc,.svc,.cluster.local"  # List of addresses/domains that should bypass the proxy
 
-priorityClass:
-  critical:
-    name: "cortex-critical"
-    value: 1000000
-  high:
-    name: "cortex-high" # The default value for workloads without priority class defined
-    value: 900000
+priorityClassValues:
+  enabled: false
+  classes:
+    critical:
+      name: "cortex-critical"
+      value: 1000000
+    high:
+      name: "cortex-high" # The default value for workloads without priority class defined
+      value: 900000
+
 # ==========================
 # ### System Section ###
 # ==========================
@@ -112,6 +115,9 @@ system:
         - apiGroups: ["rbac.authorization.k8s.io"]
           resources: ["clusterroles", "roles", "rolebindings", "clusterrolebindings"]
           verbs: ["create", "patch", "delete"]
+        - apiGroups: ["scheduling.k8s.io"]
+          resources: ["priorityclasses"]
+          verbs: ["create", "patch", "delete"]
     konnector-cluster-manager:
       rules:
         - apiGroups: [""]
