fix(shield): wrap response_actions rules in cluster.rbac.create guard #2604
Closed
EdwardArchive wants to merge 1 commit into sysdiglabs:main
The outer `{{- if .Values.cluster.rbac.create }}` in
templates/cluster/clusterrole.yaml closed before the seven
response_actions.* rule blocks, so disabling RBAC creation while any
response action was enabled left orphaned `- apiGroups:` sequences.
Helm then aborted with `cannot unmarshal !!seq into
releaseutil.SimpleHead`.
Move the closing `{{- end }}` to the end of the file (matching the
pattern in templates/host/clusterrole.yaml) so the entire ClusterRole,
including response_actions rules, is suppressed when
cluster.rbac.create is false.
Adds a regression unittest and bumps the chart to 1.36.1.
Refs sysdiglabs#2603
Contributor
Hi @EdwardArchive. Thanks for your PR. After inspecting your changes someone with write access to this repo needs
francesco-furlan added a commit that referenced this pull request Apr 29, 2026
The seven `response_actions.*` rule blocks in
`templates/cluster/clusterrole.yaml` lived outside the outer
`{{ if .Values.cluster.rbac.create }} ... {{ end }}` wrapper. With
`cluster.rbac.create: false`, the document head (apiVersion / kind /
metadata / rules:) was correctly suppressed but the per-action rule
snippets still rendered, producing a top-level YAML array that Helm
could not parse:
Error: YAML parse error on shield/templates/cluster/clusterrole.yaml:
error unmarshaling JSON: while decoding JSON:
json: cannot unmarshal array into Go value of type util.SimpleHead
Move the closing `{{ end }}` past the response_actions blocks so the
entire ClusterRole template (including those rules) is suppressed when
`cluster.rbac.create` is false, matching the pattern already used in
`templates/host/clusterrole.yaml`. Bumps the chart to 1.36.1 and adds
regression unittests covering the failure mode.
Reported and originally fixed by @EdwardArchive in #2604; this commit
folds the same change into the broader response_actions RBAC fix on
this branch.
Closes #2603
Co-Authored-By: Edward Kim <[email protected]>
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
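A minimal reproduction of the guard-scope bug described in the commit message above, as an added example (not the chart's template or the PR's unittest). It uses Go's text/template, the engine Helm templates build on, with a constructed ClusterRole and a hypothetical `response_actions.example.enabled` key.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-in for templates/cluster/clusterrole.yaml. The key
// response_actions.example.enabled and the rule body are hypothetical.
const head = `{{- if .Values.cluster.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: example}
rules:
`
const action = `{{- if .Values.response_actions.example.enabled }}
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["delete"]
{{- end }}
`
const buggy = head + "{{- end }}\n" + action // guard closes before the action rules
const fixed = head + action + "{{- end }}\n" // guard closes at the end of the file
type m = map[string]interface{}

// render executes src and classifies the top level of the output:
// "empty", "mapping" (a ClusterRole) or "orphaned-sequence".
func render(src string, rbacCreate, actionOn bool) string {
	vals := m{"Values": m{"cluster": m{"rbac": m{"create": rbacCreate}},
		"response_actions": m{"example": m{"enabled": actionOn}}}}
	var buf bytes.Buffer
	t := template.Must(template.New("clusterrole.yaml").Parse(src))
	if err := t.Execute(&buf, vals); err != nil {
		return "error: " + err.Error()
	}
	out := strings.TrimSpace(buf.String())
	if out == "" {
		return "empty"
	} else if strings.HasPrefix(out, "- ") {
		return "orphaned-sequence"
	}
	return "mapping"
}

func main() {
	fmt.Println("buggy, rbac.create=false:", render(buggy, false, true))
	fmt.Println("fixed, rbac.create=false:", render(fixed, false, true))
}
```

With `cluster.rbac.create` false and the action enabled, the buggy layout renders a bare `- apiGroups:` list with no document head, while the fixed layout renders nothing, so no ClusterRole is created behind an operator who manages RBAC out of band.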