chore: Describe RBAC rules, remove unnecessary rules #129

Merged
NickLarsenNZ merged 13 commits into main from chore/rbac-review
Apr 7, 2026
Conversation

NickLarsenNZ (Member) commented Mar 25, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Removed permissions (operator role)

| Resource | Verb(s) removed | Reason |
| --- | --- | --- |
| endpoints | create, delete, get, list, patch, update, watch | Never managed by the operator. Kubernetes auto-creates Endpoints for Services; the operator never creates Endpoints objects directly. |
| pods | create, delete, get, list, patch, update, watch | Never managed directly. StatefulSets implicitly create pods — the operator only creates the StatefulSet. |
| configmaps | update | client.update() (HTTP PUT) is never called. All writes use client.apply_patch() (SSA = HTTP PATCH). |
| serviceaccounts | update | Same reason as above. |
| services | update | Same reason as above. |
| rolebindings | update | Same reason as above. |
| statefulsets | update | Same reason as above. |
| poddisruptionbudgets | update | Same reason as above. |
| opensearchclusters | patch | The operator never SSA-patches the primary CRD object. The spec is user-owned; only the status subresource is written (covered by the separate opensearchclusters/status rule). |
| nodes | list, watch | Not used for cluster domain lookup |
| customresourcedefinitions | get | Not needed for CRD maintenance |

Removed permissions (product role)

| Resource | Verb(s) removed | Reason |
| --- | --- | --- |
| events | create, patch | The operator manages events, not the product |
| configmaps, secrets, serviceaccounts | get | Not used, appears to be from copy/paste |
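
The review in the tables above (granted verbs minus verbs the operator actually issues) can be done mechanically. The following is an added example, not code from this PR or from the opensearch-operator: it flattens a Role's `rules` into (apiGroup, resource, verb) triples and diffs them against the verbs observed for the operator's ServiceAccount, then emits the minimized rule set. `GRANTED_RULES` is constructed to mirror the resources named in the PR description, `OBSERVED` is a constructed stand-in for triples extracted from API-server audit events, and the CRD API group `opensearch.stackable.tech` is an assumption not stated in the PR text.

```python
"""Diff the verbs a Kubernetes Role grants against the verbs a workload was seen using.

Added example, not code from this PR or the opensearch-operator. GRANTED_RULES is
constructed to mirror the resources in the PR description; OBSERVED is a constructed
stand-in for the (apiGroup, resource, verb) triples one would extract from API-server
audit events for the operator's ServiceAccount.
"""
from collections import defaultdict

# Assumed API group of the OpenSearchCluster CRD; not stated in the PR text.
CRD_GROUP = "opensearch.stackable.tech"

# What a "*" verb wildcard is expanded to for the purpose of this audit.
STANDARD_VERBS = ("create", "delete", "deletecollection", "get",
                  "list", "patch", "update", "watch")

ALL_RW = ["create", "delete", "get", "list", "patch", "update", "watch"]

# Constructed: the `rules` list of the operator's ClusterRole before the cleanup.
GRANTED_RULES = [
    {"apiGroups": [""], "resources": ["endpoints", "pods"], "verbs": ALL_RW},
    {"apiGroups": [""], "resources": ["configmaps", "serviceaccounts", "services"],
     "verbs": ALL_RW},
    {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ALL_RW},
    {"apiGroups": [CRD_GROUP], "resources": ["opensearchclusters"],
     "verbs": ["get", "list", "patch", "watch"]},
    {"apiGroups": [CRD_GROUP], "resources": ["opensearchclusters/status"],
     "verbs": ["patch"]},
]

# Constructed: verbs actually observed. Writes go through server-side apply
# (HTTP PATCH), so "update" (HTTP PUT) never appears; endpoints and pods are
# never touched because the Service and StatefulSet controllers own them.
_SEEN = ["create", "delete", "get", "list", "patch", "watch"]
OBSERVED = {
    *(("", res, v) for res in ("configmaps", "serviceaccounts", "services") for v in _SEEN),
    *(("apps", "statefulsets", v) for v in _SEEN),
    *((CRD_GROUP, "opensearchclusters", v) for v in ("get", "list", "watch")),
    (CRD_GROUP, "opensearchclusters/status", "patch"),
}


def expand_rules(rules):
    """Flatten RBAC rules into a set of (apiGroup, resource, verb) triples."""
    granted = set()
    for rule in rules:
        verbs = STANDARD_VERBS if "*" in rule["verbs"] else rule["verbs"]
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in verbs:
                    granted.add((group, resource, verb))
    return granted


def unused_grants(rules, observed):
    """Return {(apiGroup, resource): [verbs]} that are granted but were never observed."""
    excess = defaultdict(list)
    for group, resource, verb in sorted(expand_rules(rules)):
        if (group, resource, verb) not in observed:
            excess[(group, resource)].append(verb)
    return dict(excess)


def minimized_rules(rules, observed):
    """Rebuild the rules list with only the observed verbs; drop unused resources."""
    kept = defaultdict(set)
    for group, resource, verb in expand_rules(rules):
        if (group, resource, verb) in observed:
            kept[(group, resource)].add(verb)
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in sorted(kept.items())
    ]


if __name__ == "__main__":
    for (group, resource), verbs in unused_grants(GRANTED_RULES, OBSERVED).items():
        print(f"{group or 'core'}/{resource}: remove {', '.join(verbs)}")
    print("minimal rules:", minimized_rules(GRANTED_RULES, OBSERVED))
```

In practice the observed set comes from audit events filtered on the ServiceAccount's user name, taking `verb`, `objectRef.apiGroup` and `objectRef.resource` (with the subresource appended). A single test run can miss rarely exercised paths such as deletes on scale-down, so treat the diff as input to a code review of the call sites, which is what this PR does, rather than as an automatic cut.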

NickLarsenNZ: This comment was marked as resolved.

@NickLarsenNZ NickLarsenNZ self-assigned this Apr 2, 2026
NickLarsenNZ (Member, Author) commented:

--- PASS: kuttl/harness/ldap_opensearch-3.4.0_opensearch_home-_stackable_opensearch (126.08s)
--- PASS: kuttl/harness/security-config_opensearch-3.1.0 (166.31s)
--- PASS: kuttl/harness/ldap_opensearch-3.1.0_opensearch_home-_stackable_opensearch (68.61s)
--- PASS: kuttl/harness/security-disabled_opensearch-3.4.0_opensearch_home-_stackable_opensearch (55.26s)
--- PASS: kuttl/harness/security-disabled_opensearch-3.1.0_opensearch_home-_stackable_opensearch (45.18s)
--- PASS: kuttl/harness/backup-restore_opensearch-3.4.0_s3-use-tls-true_release-0.0.0-dev (188.46s)
--- PASS: kuttl/harness/backup-restore_opensearch-3.1.0_s3-use-tls-true_release-0.0.0-dev (168.73s)
--- PASS: kuttl/harness/logging_opensearch-3.4.0 (77.54s)
--- PASS: kuttl/harness/logging_opensearch-3.1.0 (66.85s)
--- PASS: kuttl/harness/smoke_opensearch-3.4.0_opensearch_home-_stackable_opensearch_server-use-tls-true (70.28s)
--- PASS: kuttl/harness/smoke_opensearch-3.4.0_opensearch_home-_stackable_opensearch_server-use-tls-false (69.23s)
--- PASS: kuttl/harness/smoke_opensearch-3.1.0_opensearch_home-_stackable_opensearch_server-use-tls-true (69.66s)
--- PASS: kuttl/harness/smoke_opensearch-3.1.0_opensearch_home-_stackable_opensearch_server-use-tls-false (132.85s)
--- PASS: kuttl/harness/opensearch-dashboards_opensearch-3.4.0_opensearch_home-_stackable_opensearch_server-use-tls-true_release-0.0.0-dev (172.94s)
--- PASS: kuttl/harness/opensearch-dashboards_opensearch-3.4.0_opensearch_home-_stackable_opensearch_server-use-tls-false_release-0.0.0-dev (132.96s)
--- PASS: kuttl/harness/opensearch-dashboards_opensearch-3.1.0_opensearch_home-_stackable_opensearch_server-use-tls-true_release-0.0.0-dev (163.13s)
--- PASS: kuttl/harness/opensearch-dashboards_opensearch-3.1.0_opensearch_home-_stackable_opensearch_server-use-tls-false_release-0.0.0-dev (129.97s)
--- PASS: kuttl/harness/external-access_opensearch-3.4.0_opensearch_home-_stackable_opensearch (56.63s)
--- PASS: kuttl/harness/external-access_opensearch-3.1.0_opensearch_home-_stackable_opensearch (47.54s)
--- PASS: kuttl/harness/metrics_opensearch-3.4.0 (91.75s)
--- PASS: kuttl/harness/metrics_opensearch-3.1.0 (105.56s)
--- PASS: kuttl/harness/security-config_opensearch-3.4.0 (166.22s)

@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 2, 2026
@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 2, 2026 16:49
xeniape (Member) left a comment:

Just a question, otherwise LGTM

@xeniape xeniape moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Apr 7, 2026
@NickLarsenNZ NickLarsenNZ added this pull request to the merge queue Apr 7, 2026
@NickLarsenNZ NickLarsenNZ moved this from Development: In Review to Development: Done in Stackable Engineering Apr 7, 2026
Merged via the queue into main with commit afebb2b Apr 7, 2026
12 checks passed
@NickLarsenNZ NickLarsenNZ deleted the chore/rbac-review branch April 7, 2026 19:42