
Commit 6a1b062

chore: Describe RBAC rules, remove unnecessary rules (#770)
* chore: Describe RBAC rules, remove unnecessary rules
* chore: Update changelog
* chore: Remove unused customresourcedefinitions get for the operator clusterrole
* fix: Always allow customresourcedefinitions list/watch, else operator startup fails
* chore: Improve comments on rules, add missing comments
* chore: Split the clusterroles between operator and product
* chore: Remove superfluous permissions from the product clusterrole
* chore: Simplify comments
* chore: Remove redundant rules (pods get/list already covered by the "nodes" clusterrole)
* chore: Remove unused permissions from the product clusterrole
* chore(nix): Update crate hashes
* chore: Restore permissions that are needed by the topology provider
* fix: Allow clusterroles bind for the operator on the nodes clusterrole too
* Apply suggestions from code review

Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
1 parent a634d52 commit 6a1b062

5 files changed

+134
-135
lines changed


CHANGELOG.md

Lines changed: 6 additions & 0 deletions
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
44

55
## [Unreleased]
66

7+
### Changed
8+
9+
- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#770]).
10+
11+
[#770]: https://github.com/stackabletech/hdfs-operator/pull/770
12+
713
## [26.3.0] - 2026-03-16
814

915
## [26.3.0-rc1] - 2026-03-16
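Review bot: "Helm deployed" at 9+ is a compound modifier and should read "Helm-deployed". Since the commit also renames templates/roles.yaml to templates/clusterrole-operator.yaml and splits the product ClusterRoles out of it (per the commit message), the entry could mention that split as well, because it is the change users who patch the rendered templates by file name will notice first.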

Cargo.nix

Lines changed: 9 additions & 9 deletions
Some generated files are not rendered by default.

crate-hashes.json

Lines changed: 9 additions & 9 deletions
Some generated files are not rendered by default.

deploy/helm/hdfs-operator/templates/roles.yaml renamed to deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml

Lines changed: 35 additions & 117 deletions
@@ -6,74 +6,63 @@ metadata:
66
labels:
77
{{- include "operator.labels" . | nindent 4 }}
88
rules:
9-
- apiGroups:
10-
- ""
11-
resources:
12-
- nodes
13-
verbs:
14-
- list
15-
- watch
16-
- get
17-
# For automatic cluster domain detection
9+
# For automatic cluster domain detection (reads kubelet config via the nodes/proxy API).
1810
- apiGroups:
1911
- ""
2012
resources:
2113
- nodes/proxy
2214
verbs:
2315
- get
16+
# Manage core workload resources created per HdfsCluster.
17+
# All resources are applied via Server-Side Apply (create + patch) and tracked for
18+
# orphan cleanup (list + delete).
2419
- apiGroups:
2520
- ""
2621
resources:
27-
- pods
2822
- configmaps
29-
- secrets
3023
- services
31-
- endpoints
32-
- serviceaccounts
3324
verbs:
3425
- create
3526
- delete
3627
- get
3728
- list
3829
- patch
39-
- update
4030
- watch
31+
# serviceaccounts are applied via SSA and tracked for orphan cleanup.
4132
- apiGroups:
42-
- rbac.authorization.k8s.io
33+
- ""
4334
resources:
44-
- rolebindings
35+
- serviceaccounts
4536
verbs:
4637
- create
4738
- delete
4839
- get
4940
- list
5041
- patch
51-
- update
52-
- watch
42+
# rolebindings are applied via SSA and tracked for orphan cleanup.
5343
- apiGroups:
54-
- apps
44+
- rbac.authorization.k8s.io
5545
resources:
56-
- statefulsets
46+
- rolebindings
5747
verbs:
58-
- get
5948
- create
6049
- delete
50+
- get
6151
- list
6252
- patch
63-
- update
64-
- watch
53+
# statefulsets are applied via SSA, tracked for orphan cleanup.
6554
- apiGroups:
66-
- batch
55+
- apps
6756
resources:
68-
- jobs
57+
- statefulsets
6958
verbs:
7059
- create
7160
- delete
7261
- get
7362
- list
7463
- patch
75-
- update
7664
- watch
65+
# poddisruptionbudgets are applied via SSA and tracked for orphan cleanup.
7766
- apiGroups:
7867
- policy
7968
resources:
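Review bot: the comment at 16+ to 18+ documents the verb set as Server-Side Apply (create + patch) plus orphan cleanup (list + delete), but the configmaps/services rule it introduces also grants get and watch, and watch is likewise kept for statefulsets while serviceaccounts and rolebindings get only get; a verb the comment does not account for is exactly what the next permissions cleanup will question. Either extend the comment to say why the operator watches ConfigMaps, Services and StatefulSets (presumably an informer on owned objects) or drop watch where no informer exists, so the documented and granted verb sets match. A nit at 16+: "core workload resources" now covers only configmaps and services, since pods, secrets, endpoints and serviceaccounts left the rule, so "core resources" would be more accurate. Removing update throughout is consistent with SSA, which only needs patch, and the removal of secrets get and the batch/jobs rule from the operator role is a welcome least-privilege reduction; worth confirming against the reconciler that nothing still reads Secrets or creates Jobs, because a missing verb only surfaces at runtime as a Forbidden error.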
@@ -84,72 +73,73 @@ rules:
8473
- get
8574
- list
8675
- patch
87-
- update
88-
- watch
76+
# Required for maintaining the CRDs within the operator (including the conversion webhook info).
77+
# Also for the startup condition check before the controller can run.
8978
- apiGroups:
9079
- apiextensions.k8s.io
9180
resources:
9281
- customresourcedefinitions
9382
verbs:
94-
- get
9583
# Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
9684
# generated certificate in the conversion webhook.
9785
{{- if .Values.maintenance.customResourceDefinitions.maintain }}
9886
- create
9987
- patch
88+
{{- end }}
10089
# Required for startup condition
10190
- list
10291
- watch
103-
{{- end }}
92+
# Required to report reconciliation results and warnings back to the HdfsCluster object.
10493
- apiGroups:
10594
- events.k8s.io
10695
resources:
10796
- events
10897
verbs:
10998
- create
11099
- patch
100+
# Read listener addresses to build the discovery ConfigMap for downstream clients.
101+
# Listeners are managed by the listener-operator; this operator only reads them.
111102
- apiGroups:
112103
- listeners.stackable.tech
113104
resources:
114105
- listeners
115106
verbs:
116107
- get
117-
- list
118-
- apiGroups:
119-
- ""
120-
resources:
121-
- endpoints
122-
verbs:
123-
- get
124-
- list
108+
# Watch HdfsClusters for reconciliation
125109
- apiGroups:
126110
- {{ include "operator.name" . }}.stackable.tech
127111
resources:
128112
- {{ include "operator.name" . }}clusters
129113
verbs:
130114
- get
131115
- list
132-
- patch
133116
- watch
117+
# Status subresource: updated at the end of every reconciliation.
134118
- apiGroups:
135119
- {{ include "operator.name" . }}.stackable.tech
136120
resources:
137121
- {{ include "operator.name" . }}clusters/status
138122
verbs:
139123
- patch
124+
# Manage the hdfs-clusterrolebinding-nodes ClusterRoleBinding via Server-Side Apply.
125+
# This binding grants the HDFS product pods (topology provider) access to node and pod
126+
# information for rack awareness. Scoped to the specific ClusterRoleBinding by name.
140127
- apiGroups:
141128
- rbac.authorization.k8s.io
142129
resources:
143130
- clusterrolebindings
144131
resourceNames:
145132
- {{ include "operator.name" . }}-clusterrolebinding-nodes
146133
verbs:
147-
- patch
148-
- get
149-
- update
150-
- list
151-
- watch
152134
- create
135+
- patch
136+
# Allow binding the product ClusterRoles:
137+
# - hdfs-clusterrole: referenced by per-cluster RoleBindings created by the operator
138+
# - hdfs-clusterrole-nodes: referenced by the shared hdfs-clusterrolebinding-nodes
139+
# ClusterRoleBinding managed by the operator. The bind verb is required because the
140+
# operator itself does not hold all permissions that hdfs-clusterrole-nodes grants
141+
# (nodes, endpoints, pods, listeners), so Kubernetes would otherwise reject the
142+
# ClusterRoleBinding patch as a privilege escalation.
153143
- apiGroups:
154144
- rbac.authorization.k8s.io
155145
resources:
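Review bot: the claim at 126+ that the clusterrolebindings rule is "Scoped to the specific ClusterRoleBinding by name" holds only for patch; Kubernetes RBAC cannot restrict create by resourceNames (the name is not known at authorization time), so the create verb in that same rule lets the operator create ClusterRoleBindings of any name. Suggest splitting it into two rules, one with create and no resourceNames and one with patch and the resourceNames entry, and wording the comment so that only the patch half is described as name-scoped. The same observation applies to the customresourcedefinitions rule: the conditional patch at 9987 could carry a resourceNames entry for the operator's own CRD, as the clusterrolebindings rule already does, while create stays unscoped. Two smaller nits: "Also for the startup condition check" at 77+ duplicates "# Required for startup condition" at 10089, so one of them can go; and the context line at 9583 reads "it's generated certificate" where "its" is meant, which could be fixed while the surrounding comments are being rewritten.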
@@ -158,76 +148,4 @@ rules:
158148
- bind
159149
resourceNames:
160150
- {{ include "operator.name" . }}-clusterrole
161-
---
162-
apiVersion: rbac.authorization.k8s.io/v1
163-
kind: ClusterRole
164-
metadata:
165-
name: {{ include "operator.name" . }}-clusterrole
166-
labels:
167-
{{- include "operator.labels" . | nindent 4 }}
168-
rules:
169-
- apiGroups:
170-
- ""
171-
resources:
172-
- configmaps
173-
- secrets
174-
- serviceaccounts
175-
- pods
176-
verbs:
177-
- get
178-
- apiGroups:
179-
- ""
180-
resources:
181-
- pods
182-
verbs:
183-
- list
184-
- apiGroups:
185-
- events.k8s.io
186-
resources:
187-
- events
188-
verbs:
189-
- create
190-
- patch
191-
{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
192-
- apiGroups:
193-
- security.openshift.io
194-
resources:
195-
- securitycontextconstraints
196-
resourceNames:
197-
- nonroot-v2
198-
verbs:
199-
- use
200-
{{ end }}
201-
---
202-
apiVersion: rbac.authorization.k8s.io/v1
203-
kind: ClusterRole
204-
metadata:
205-
name: {{ include "operator.name" . }}-clusterrole-nodes
206-
labels:
207-
{{- include "operator.labels" . | nindent 4 }}
208-
rules:
209-
- apiGroups:
210-
- ""
211-
resources:
212-
- pods
213-
- nodes
214-
- endpoints
215-
verbs:
216-
- get
217-
- list
218-
# needed for pod informer
219-
- watch
220-
- apiGroups:
221-
- listeners.stackable.tech
222-
resources:
223-
- listeners
224-
verbs:
225-
- get
226-
- list
227-
# needed to query the crd version (v1alpha1 etc.) before fetching listeners
228-
- apiGroups:
229-
- apiextensions.k8s.io
230-
resources:
231-
- customresourcedefinitions
232-
verbs:
233-
- get
151+
- {{ include "operator.name" . }}-clusterrole-nodes
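Review bot: this hunk deletes both product ClusterRoles ({{ include "operator.name" . }}-clusterrole, including the OpenShift securitycontextconstraints use on nonroot-v2 behind the Capabilities.APIVersions.Has check, and -clusterrole-nodes with pods/nodes/endpoints get/list/watch, listeners get/list and customresourcedefinitions get), and nothing in the diff rendered on this page recreates them; the fifth changed file is not shown. The commit message says the product ClusterRoles were split into their own template and that topology-provider permissions were restored, so the review should confirm that file keeps the SCC rule under the same capability check and the customresourcedefinitions get that the removed comment at 227- marks as needed before fetching listeners. The added bind on -clusterrole-nodes at 151+ is consistent with the comment added in the previous hunk: since the operator no longer holds nodes, endpoints, pods or listeners itself, the bind verb on that role is what lets its ClusterRoleBinding patch pass the escalation check.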
