elastic · jmlrt · Dec 18, 2020 · Dec 1, 2020 · Dec 1, 2020 · Dec 1, 2020
diff --git a/filebeat/README.md b/filebeat/README.md
@@ -89,6 +89,7 @@ as a reference. They are also used in the automated testing of this chart.
 
 | Parameter                      | Description                                                                                                                                                                  | Default                            |
 |--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
+| `clusterRoleRules`             | Configurable [cluster role rules][] that Filebeat uses to access Kubernetes resources                                                                                        | see [values.yaml][]                |
 | `daemonset.annotations`        | Configurable [annotations][] for filebeat daemonset                                                                                                                          | `{}`                               |
 | `daemonset.labels`             | Configurable [labels][] applied to all filebeat DaemonSet pods                                                                                                               | `{}`                               |
 | `daemonset.affinity`           | Configurable [affinity][] for filebeat daemonset                                                                                                                             | `{}`                               |
@@ -224,6 +225,7 @@ about our development and testing process.
 [CONTRIBUTING.md]: https://github.com/elastic/helm-charts/blob/master/CONTRIBUTING.md
 [affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 [annotations]: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+[cluster role rules]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
 [default Elasticsearch Helm chart]: https://github.com/elastic/helm-charts/tree/master/elasticsearch/README.md#default
 [dnsConfig]: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
 [environment variables]: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config

diff --git a/filebeat/templates/clusterrole.yaml b/filebeat/templates/clusterrole.yaml
@@ -8,15 +8,5 @@ metadata:
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     heritage: {{ .Release.Service | quote }}
     release: {{ .Release.Name | quote }}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  - nodes
-  - pods
-  verbs:
-  - get
-  - list
-  - watch
+rules: {{ toYaml .Values.clusterRoleRules | nindent 2 -}}
 {{- end -}}
diff --git a/filebeat/values.yaml b/filebeat/values.yaml
@@ -20,7 +20,7 @@ daemonset:
   extraVolumeMounts: []
     # - name: extras
     #   mountPath: /usr/share/extras
-    #   readOnly: true 
+    #   readOnly: true
   hostNetworking: false
   # Allows you to add any config files in /usr/share/filebeat
   # such as filebeat.yml for daemonset
@@ -177,6 +177,18 @@ readinessProbe:
 # Whether this chart should self-manage its service account, role, and associated role binding.
 managedServiceAccount: true
 
+clusterRoleRules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - nodes
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+
 podAnnotations: {}
   # iam.amazonaws.com/role: es-cluster