add notes.txt

Signed-off-by: Aryan-sharma11 <[email protected]>

deployments/get/objects.go

@@ -611,12 +611,6 @@ func GetKubeArmorControllerClusterRole() *rbacv1.ClusterRole {
 				Resources: []string{"pods"},
 				Verbs:     []string{"create", "delete", "get", "patch", "list", "watch", "update"},
 			},
-			{
-				APIGroups: []string{"apps"},
-				Resources: []string{"deployments", "statefulsets", "daemonsets", "replicasets"},
-				Verbs:     []string{"get", "update"},
-			},
-
 			{
 				APIGroups: []string{""},
 				Resources: []string{"nodes"},

deployments/helm/KubeArmorOperator/templates/NOTES.txt

@@ -0,0 +1,12 @@
+{{- if not .Values.kubearmorOperator.annotateExisting }}
+⚠️  WARNING: Existing pods will not be annotated. Policy enforcement for already existing pods on Apparmor nodes might not work.
+   To annotate existing pods use --set annotateExisting=true in helm command.
+   To check enforcer present on nodes use:-
+   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.metadata.labels.kubearmor\.io/enforcer}{"\n"}{end}'  
+{{- end }}
+
+ℹ️  Your release is named {{ .Release.Name }}.
+💙 Thank you for installing KubeArmor.
+
+
+

deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml

@@ -155,6 +155,8 @@ rules:
   - list
   - watch
   - update
+
+{{- if .Values.kubearmorOperator.annotateExisting }}
 - apiGroups:
   - "apps"
   resources:
@@ -165,6 +167,7 @@ rules:
   verbs:
   - get
   - update
+{{- end }}
 - apiGroups:
   - ""
   resources:

pkg/KubeArmorController/internal/controller/podrefresh_controller.go

@@ -38,7 +38,7 @@ func (r *PodRefresherReconciler) Reconcile(ctx context.Context, req ctrl.Request
 
 	log := log.FromContext(ctx)
 	if !r.AnnotateExisting {
-		log.Info(fmt.Sprintf("Not annotating existing resources as annotate existing is set to false"))
+		log.Info(fmt.Sprintf("Not annotating existing resources as annotate existing is set to false \n"))
 		return ctrl.Result{}, nil
 	}
 	var podList corev1.PodList

pkg/KubeArmorOperator/internal/controller/resources.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"reflect"
 	"regexp"
 	"strconv"
 	"strings"
@@ -519,7 +520,7 @@ func (clusterWatcher *ClusterWatcher) deployControllerDeployment(deployment *app
 		}
 	} else {
 		if (common.IfNodeWithSecurtiyFs && controller.Spec.Template.Spec.NodeSelector == nil) ||
-			(!common.IfNodeWithSecurtiyFs && controller.Spec.Template.Spec.NodeSelector != nil) {
+			(!common.IfNodeWithSecurtiyFs && controller.Spec.Template.Spec.NodeSelector != nil) || !reflect.DeepEqual(controller.Spec.Template.Spec.Containers[0].Args, deployment.Spec.Template.Spec.Containers[0].Args) {
 			clusterWatcher.Log.Infof("Updating deployment %s", controller.Name)
 			controller.Spec.Template.Spec.NodeSelector = deployment.Spec.Template.Spec.NodeSelector
 			controller.Spec.Template.Spec.Containers = deployment.Spec.Template.Spec.Containers
@@ -700,8 +701,18 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() {
 	clusterRoles := []*rbacv1.ClusterRole{
 		addOwnership(genSnitchRole()).(*rbacv1.ClusterRole),
 		addOwnership(deployments.GetRelayClusterRole()).(*rbacv1.ClusterRole),
-		addOwnership(deployments.GetKubeArmorControllerClusterRole()).(*rbacv1.ClusterRole),
 	}
+	controllerClusterRole := addOwnership(deployments.GetKubeArmorControllerClusterRole()).(*rbacv1.ClusterRole)
+	if annotateExisting {
+		controllerClusterRole.Rules = append(controllerClusterRole.Rules, []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"apps"},
+				Resources: []string{"deployments", "statefulsets", "daemonsets", "replicasets"},
+				Verbs:     []string{"get", "update"},
+			},
+		}...)
+	}
+	clusterRoles = append(clusterRoles, controllerClusterRole)
 
 	kaClusterRole := addOwnership(deployments.GetClusterRole()).(*rbacv1.ClusterRole)
 	if annotateResource {