fix(response actions): Add necessary permissions for jobs and replicasets (#2334)

therealbobo · web-flow · commit a5e8559b9c33 · 2025-07-31T23:07:44.000+02:00
Signed-off-by: Roberto Scolaro &lt;roberto.scolaro21@gmail.com&gt;
diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.15.0
+version: 1.15.1
 appVersion: "1.0.0"
diff --git a/charts/shield/templates/cluster/clusterrole.yaml b/charts/shield/templates/cluster/clusterrole.yaml
@@ -253,6 +253,13 @@ rules:
 {{- end }}
 
 {{- if eq "true" (include "cluster.response_actions.isolate_network.enabled" .) }}
+- apiGroups:
+    - batch
+  resources:
+    - jobs
+  verbs:
+    - get # needed to identify the pods to isolate
+
 - apiGroups:
   - apps
   resources:
@@ -281,12 +288,20 @@ rules:
 {{- end }}
 
 {{- if eq "true" (include "cluster.response_actions.get_logs.enabled" .) }}
+- apiGroups:
+    - batch
+  resources:
+    - jobs
+  verbs:
+    - get # needed to identify the pods to get logs from
+
 - apiGroups:
     - apps
   resources:
     - daemonsets
     - deployments
     - statefulsets
+    - replicasets
   verbs:
     - get # needed to identify the pods to get logs from
 
@@ -306,12 +321,20 @@ rules:
 {{- end }}
 
 {{- if eq "true" (include "cluster.response_actions.volume_snapshot.enabled" .) }}
+- apiGroups:
+    - batch
+  resources:
+    - jobs
+  verbs:
+    - get # needed to identify the pods with PVCs
+
 - apiGroups:
     - apps
   resources:
     - daemonsets
     - deployments
     - statefulsets
+    - replicasets
   verbs:
     - get # needed to identify the pods with PVCs
 
diff --git a/charts/shield/tests/cluster/clusterrole_test.yaml b/charts/shield/tests/cluster/clusterrole_test.yaml
@@ -504,6 +504,15 @@ tests:
           of: ClusterRole
       - isAPIVersion:
           of: rbac.authorization.k8s.io/v1
+      - contains:
+          path: rules
+          content:
+            apiGroups:
+              - batch
+            resources:
+              - jobs
+            verbs:
+              - get
       - contains:
           path: rules
           content:
@@ -536,6 +545,7 @@ tests:
               - daemonsets
               - deployments
               - statefulsets
+              - replicasets
             verbs:
               - get
       - contains:
@@ -566,6 +576,7 @@ tests:
               - daemonsets
               - deployments
               - statefulsets
+              - replicasets
             verbs:
               - get
       - contains:
@@ -595,6 +606,7 @@ tests:
               - daemonsets
               - deployments
               - statefulsets
+              - replicasets
             verbs:
               - get
       - contains:
