mirror of
https://github.com/kubeshark/kubeshark.git
synced 2026-07-13 02:20:15 +00:00
Companion to kubeshark/hub#permissions-refactoring. Aligns the CLI
config struct, chart values, and rendered ConfigMap with the
post-refactor hub.
config/configStructs/tapConfig.go:
- Drop AuthConfig.Roles (admin-authored map[string]Role) and the
Role + ScriptingPermissions structs they referenced.
- Drop AuthConfig.DefaultFilter (no namespace scoping in v1).
- Add AuthConfig.GroupMapping (map[string]string) — SSO group name
→ built-in role translation.
- Tighten DefaultRole godoc to reference the four built-in role
constants (kubeshark-admin / kubeshark-realtime /
kubeshark-snapshot / kubeshark-viewer) and the strict-deny
semantics on empty.
config/configStruct.go:
- Drop the legacy "admin" entry from the AuthConfig default —
operators now configure DefaultRole + GroupMapping instead.
- Default RolesClaim is now "groups" (Okta/OIDC convention; was
"role"), matching the hub's runtime default.
helm-chart/templates/12-config-map.yaml:
- Drop AUTH_ROLES emission (key no longer read by hub).
- Add AUTH_GROUP_MAPPING emission from tap.auth.groupMapping (JSON
map; hub validates each value against the built-in role names at
sync time).
helm-chart/values.yaml: regenerated from the Go config — drops the
tap.auth.roles block, adds tap.auth.groupMapping with the new
documentation header for DefaultRole.
Breaking change: deployments carrying tap.auth.roles in their values
will silently lose those role definitions. Migration is to remove the
roles: block and either (a) name their SSO groups to match the four
built-in role constants, or (b) populate tap.auth.groupMapping with
explicit translations.