chore: add script to generate rbac summary

[ldming]

Add script to generat all needed rbac permissions, the result as follows:

KubeBlocks Operator RBAC Permissions

KubeBlocks operator requires different permissions based on configuration parameters.

Generated: Mon Jul 28 18:16:04 CST 2025

Base Configuration

Configuration: webhooks.conversionEnabled=false and rbac.enabled=false

Kubernetes Resource Permissions

Core API Group

• configmaps: create, delete, deletecollection, get, list, patch, update, watch
• configmaps/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• events: create, delete, deletecollection, get, list, patch, update, watch
• nodes: create, delete, deletecollection, get, list, patch, update, watch
• persistentvolumeclaims: create, delete, deletecollection, get, list, patch, update, watch
• persistentvolumeclaims/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• persistentvolumeclaims/status: create, delete, deletecollection, get, list, patch, update, watch
• persistentvolumes: create, delete, deletecollection, get, list, patch, update, watch
• pods: create, delete, deletecollection, get, list, patch, update, watch
• pods/exec: create, delete, deletecollection, get, list, patch, update, watch
• pods/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• pods/log: create, delete, deletecollection, get, list, patch, update, watch
• pods/resize: create, delete, deletecollection, get, list, patch, update, watch
• pods/status: create, delete, deletecollection, get, list, patch, update, watch
• secrets: create, delete, deletecollection, get, list, patch, update, watch
• secrets/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• serviceaccounts: create, delete, deletecollection, get, list, patch, update, watch
• serviceaccounts/status: create, delete, deletecollection, get, list, patch, update, watch
• services: create, delete, deletecollection, get, list, patch, update, watch
• services/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• services/status: create, delete, deletecollection, get, list, patch, update, watch

apps

• deployments: create, delete, deletecollection, get, list, patch, update, watch
• statefulsets: create, delete, deletecollection, get, list, patch, update, watch
• statefulsets/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• statefulsets/status: create, delete, deletecollection, get, list, patch, update, watch

authentication.k8s.io

• tokenreviews: create

authorization.k8s.io

• subjectaccessreviews: create

batch

• cronjobs: create, delete, deletecollection, get, list, patch, update, watch
• cronjobs/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• cronjobs/status: create, delete, deletecollection, get, list, patch, update, watch
• jobs: create, delete, deletecollection, get, list, patch, update, watch
• jobs/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• jobs/status: create, delete, deletecollection, get, list, patch, update, watch

coordination.k8s.io

• leases: create, delete, get, list, patch, update, watch

rbac.authorization.k8s.io

• rolebindings: create, delete, get, list, patch, update, watch
• rolebindings/status: create, delete, get, list, patch, update, watch
• roles: create, delete, get, list, patch, update, watch
• roles/status: create, delete, get, list, patch, update, watch

snapshot.storage.k8s.io

• volumesnapshotclasses: create, delete, get, list, patch, update, watch
• volumesnapshots: create, delete, get, list, patch, update, watch
• volumesnapshots/finalizers: create, delete, get, list, patch, update, watch

storage.k8s.io

• csidrivers: create, delete, get, list, watch
• storageclasses: create, delete, get, list, watch

Non-Resource URLs

• /metrics: get

KubeBlocks Custom Resources

apps.kubeblocks.io

• clusterdefinitions: create, delete, deletecollection, get, list, patch, update, watch
• clusterdefinitions/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• clusterdefinitions/status: create, delete, deletecollection, get, list, patch, update, watch
• clusters: create, delete, deletecollection, get, list, patch, update, watch
• clusters/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• clusters/status: create, delete, deletecollection, get, list, patch, update, watch
• componentdefinitions: create, delete, deletecollection, get, list, patch, update, watch
• componentdefinitions/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• componentdefinitions/status: create, delete, deletecollection, get, list, patch, update, watch
• components: create, delete, deletecollection, get, list, patch, update, watch
• components/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• components/status: create, delete, deletecollection, get, list, patch, update, watch
• componentversions: create, delete, deletecollection, get, list, patch, update, watch
• componentversions/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• componentversions/status: create, delete, deletecollection, get, list, patch, update, watch
• configconstraints: create, delete, get, list, patch, update, watch
• configconstraints/status: create, delete, get, list, patch, update, watch
• rollouts: create, delete, deletecollection, get, list, patch, update, watch
• rollouts/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• rollouts/status: create, delete, deletecollection, get, list, patch, update, watch
• servicedescriptors: create, delete, deletecollection, get, list, patch, update, watch
• servicedescriptors/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• servicedescriptors/status: create, delete, deletecollection, get, list, patch, update, watch
• shardingdefinitions: create, delete, deletecollection, get, list, patch, update, watch
• shardingdefinitions/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• shardingdefinitions/status: create, delete, deletecollection, get, list, patch, update, watch
• sidecardefinitions: create, delete, deletecollection, get, list, patch, update, watch
• sidecardefinitions/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• sidecardefinitions/status: create, delete, deletecollection, get, list, patch, update, watch

dataprotection.kubeblocks.io

• actionsets: create, delete, deletecollection, get, list, patch, update, watch
• actionsets/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• actionsets/status: create, delete, deletecollection, get, list, patch, update, watch
• backuppolicies: create, delete, deletecollection, get, list, patch, update, watch
• backuppolicies/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• backuppolicies/status: create, delete, deletecollection, get, list, patch, update, watch
• backuppolicytemplates: create, delete, deletecollection, get, list, patch, update, watch
• backuppolicytemplates/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• backuppolicytemplates/status: create, delete, deletecollection, get, list, patch, update, watch
• backuprepos: create, delete, deletecollection, get, list, patch, update, watch
• backuprepos/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• backuprepos/status: create, delete, deletecollection, get, list, patch, update, watch
• backups: create, delete, deletecollection, get, list, patch, update, watch
• backups/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• backups/status: create, delete, deletecollection, get, list, patch, update, watch
• backupschedules: create, delete, deletecollection, get, list, patch, update, watch
• backupschedules/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• backupschedules/status: create, delete, deletecollection, get, list, patch, update, watch
• restores: create, delete, deletecollection, get, list, patch, update, watch
• restores/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• restores/status: create, delete, deletecollection, get, list, patch, update, watch
• storageproviders: create, delete, deletecollection, get, list, patch, update, watch
• storageproviders/finalizers: create, delete, deletecollection, get, list, patch, update, watch
• storageproviders/status: create, delete, deletecollection, get, list, patch, update, watch

experimental.kubeblocks.io

• nodecountscalers: create, delete, get, list, patch, update, watch
• nodecountscalers/finalizers: create, delete, get, list, patch, update, watch
• nodecountscalers/status: create, delete, get, list, patch, update, watch

extensions.kubeblocks.io

• addons: create, delete, get, list, patch, update, watch
• addons/finalizers: create, delete, get, list, patch, update, watch
• addons/status: create, delete, get, list, patch, update, watch

operations.kubeblocks.io

• opsdefinitions: create, delete, get, list, patch, update, watch
• opsdefinitions/finalizers: create, delete, get, list, patch, update, watch
• opsdefinitions/status: create, delete, get, list, patch, update, watch
• opsrequests: create, delete, get, list, patch, update, watch
• opsrequests/finalizers: create, delete, get, list, patch, update, watch
• opsrequests/status: create, delete, get, list, patch, update, watch

parameters.kubeblocks.io

• componentparameters: create, delete, get, list, patch, update, watch
• componentparameters/finalizers: create, delete, get, list, patch, update, watch
• componentparameters/status: create, delete, get, list, patch, update, watch
• paramconfigrenderers: create, delete, get, list, patch, update, watch
• paramconfigrenderers/finalizers: create, delete, get, list, patch, update, watch
• paramconfigrenderers/status: create, delete, get, list, patch, update, watch
• parameters: create, delete, get, list, patch, update, watch
• parameters/finalizers: create, delete, get, list, patch, update, watch
• parameters/status: create, delete, get, list, patch, update, watch
• parametersdefinitions: create, delete, get, list, patch, update, watch
• parametersdefinitions/finalizers: create, delete, get, list, patch, update, watch
• parametersdefinitions/status: create, delete, get, list, patch, update, watch

trace.kubeblocks.io

• reconciliationtraces: create, delete, get, list, patch, update, watch
• reconciliationtraces/finalizers: create, delete, get, list, patch, update, watch
• reconciliationtraces/status: create, delete, get, list, patch, update, watch

workloads.kubeblocks.io

• instancesets: create, delete, get, list, patch, update, watch
• instancesets/finalizers: create, delete, get, list, patch, update, watch
• instancesets/status: create, delete, get, list, patch, update, watch

Additional Permissions for Different Configurations

webhooks.conversionEnabled=true

Additional permissions required:

apiextensions.k8s.io

• customresourcedefinitions: create, get, list, patch, update, watch

apps

• deployments: create, delete, patch, update
• deployments/status: get

rbac.enabled=true

Additional permissions required:

Core API Group

• endpoints: create, delete, get, list, patch, update, watch
• serviceaccounts/finalizers: update
• serviceaccounts/status: patch, update

rbac.authorization.k8s.io

• clusterrolebindings: create, delete, get, list, patch, update
• clusterrolebindings/finalizers: update
• clusterrolebindings/status: get, patch, update
• rolebindings/finalizers: update
• rolebindings/status: patch, update

[apecloud-bot]

Auto Cherry-pick Instructions

Usage:
  - /nopick: Not auto cherry-pick when PR merged.
  - /pick: release-x.x [release-x.x]: Auto cherry-pick to the specified branch when PR merged.

Example:
  - /nopick
  - /pick release-1.0

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.99%. Comparing base (65b4a2d) to head (c00e83c).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #9570      +/-   ##
==========================================
+ Coverage   59.90%   59.99%   +0.09%     
==========================================
  Files         518      518              
  Lines       56606    56607       +1     
==========================================
+ Hits        33908    33962      +54     
+ Misses      19649    19605      -44     
+ Partials     3049     3040       -9     

Flag	Coverage Δ
unittests	59.99% <ø> (+0.09%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldming]

/approve

[apecloud-bot]

/cherry-pick release-0.9

[apecloud-bot]

/cherry-pick release-1.0

[apecloud-bot]

🤖 says: cherry pick action finished successfully 🎉!
See: https://github.com/apecloud/kubeblocks/actions/runs/17144336961

[apecloud-bot]

🤖 says: cherry pick action finished successfully 🎉!
See: https://github.com/apecloud/kubeblocks/actions/runs/17144336629