chore: Describe RBAC rules, remove unnecessary rules (#770)

* chore: Describe RBAC rules, remove unnecessary rules

* chore: Update changelog

* chore: Remove unused customresourcedefinitions get for the operator clusterrole

* fix: Always allow customresourcedefinitions list/watch, else operator startup fails

* chore: Improve comments on rules, add missing comments

* chore: Split the clusterroles between operator and product

* chore: Remove superfluous permissions from the product clusterrole

* chore: Simplify comments

* chore: Remove redundant rules (pods get/list already covered by the "nodes" clusterrole

* chore: Remove unused permissions from the product clusterrole

* chore(nix): Update crate hashes

* chore: Restore permissions that are needed by the topology provider

* fix: Allow clusterroles bind for the operator on the nodes clusterrole too

* Apply suggestions from code review

Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>

Author: NickLarsenNZ

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#770]).
+
+[#770]: https://github.com/stackabletech/hdfs-operator/pull/770
+
 ## [26.3.0] - 2026-03-16
 
 ## [26.3.0-rc1] - 2026-03-16

Cargo.nix

@@ -6,74 +6,63 @@ metadata:
   labels:
   {{- include "operator.labels" . | nindent 4 }}
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - list
-      - watch
-      - get
-  # For automatic cluster domain detection
+  # For automatic cluster domain detection (reads kubelet config via the nodes/proxy API).
   - apiGroups:
       - ""
     resources:
       - nodes/proxy
     verbs:
       - get
+  # Manage core workload resources created per HdfsCluster.
+  # All resources are applied via Server-Side Apply (create + patch) and tracked for
+  # orphan cleanup (list + delete).
   - apiGroups:
       - ""
     resources:
-      - pods
       - configmaps
-      - secrets
       - services
-      - endpoints
-      - serviceaccounts
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
       - watch
+  # serviceaccounts are applied via SSA and tracked for orphan cleanup.
   - apiGroups:
-      - rbac.authorization.k8s.io
+      - ""
     resources:
-      - rolebindings
+      - serviceaccounts
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
-      - watch
+  # rolebindings are applied via SSA and tracked for orphan cleanup.
   - apiGroups:
-      - apps
+      - rbac.authorization.k8s.io
     resources:
-      - statefulsets
+      - rolebindings
     verbs:
-      - get
       - create
       - delete
+      - get
       - list
       - patch
-      - update
-      - watch
+  # statefulsets are applied via SSA, tracked for orphan cleanup.
   - apiGroups:
-      - batch
+      - apps
     resources:
-      - jobs
+      - statefulsets
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
       - watch
+  # poddisruptionbudgets are applied via SSA and tracked for orphan cleanup.
   - apiGroups:
       - policy
     resources:
@@ -84,72 +73,73 @@ rules:
       - get
       - list
       - patch
-      - update
-      - watch
+  # Required for maintaining the CRDs within the operator (including the conversion webhook info).
+  # Also for the startup condition check before the controller can run.
   - apiGroups:
       - apiextensions.k8s.io
     resources:
       - customresourcedefinitions
     verbs:
-      - get
       # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
       # generated certificate in the conversion webhook.
       {{- if .Values.maintenance.customResourceDefinitions.maintain }}
       - create
       - patch
+      {{- end }}
       # Required for startup condition
       - list
       - watch
-      {{- end }}
+  # Required to report reconciliation results and warnings back to the HdfsCluster object.
   - apiGroups:
       - events.k8s.io
     resources:
       - events
     verbs:
       - create
       - patch
+  # Read listener addresses to build the discovery ConfigMap for downstream clients.
+  # Listeners are managed by the listener-operator; this operator only reads them.
   - apiGroups:
       - listeners.stackable.tech
     resources:
       - listeners
     verbs:
       - get
-      - list
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-    verbs:
-      - get
-      - list
+  # Watch HdfsClusters for reconciliation
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters
     verbs:
       - get
       - list
-      - patch
       - watch
+  # Status subresource: updated at the end of every reconciliation.
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters/status
     verbs:
       - patch
+  # Manage the hdfs-clusterrolebinding-nodes ClusterRoleBinding via Server-Side Apply.
+  # This binding grants the HDFS product pods (topology provider) access to node and pod
+  # information for rack awareness. Scoped to the specific ClusterRoleBinding by name.
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:
       - clusterrolebindings
     resourceNames:
       - {{ include "operator.name" . }}-clusterrolebinding-nodes
     verbs:
-      - patch
-      - get
-      - update
-      - list
-      - watch
       - create
+      - patch
+  # Allow binding the product ClusterRoles:
+  # - hdfs-clusterrole: referenced by per-cluster RoleBindings created by the operator
+  # - hdfs-clusterrole-nodes: referenced by the shared hdfs-clusterrolebinding-nodes
+  #   ClusterRoleBinding managed by the operator. The bind verb is required because the
+  #   operator itself does not hold all permissions that hdfs-clusterrole-nodes grants
+  #   (nodes, endpoints, pods, listeners), so Kubernetes would otherwise reject the
+  #   ClusterRoleBinding patch as a privilege escalation.
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:
@@ -158,76 +148,4 @@ rules:
       - bind
     resourceNames:
       - {{ include "operator.name" . }}-clusterrole
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "operator.name" . }}-clusterrole
-  labels:
-  {{- include "operator.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - secrets
-      - serviceaccounts
-      - pods
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - list
-  - apiGroups:
-      - events.k8s.io
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
-  - apiGroups:
-      - security.openshift.io
-    resources:
-      - securitycontextconstraints
-    resourceNames:
-      - nonroot-v2
-    verbs:
-      - use
-{{ end }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "operator.name" . }}-clusterrole-nodes
-  labels:
-  {{- include "operator.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-      - nodes
-      - endpoints
-    verbs:
-      - get
-      - list
-      # needed for pod informer
-      - watch
-  - apiGroups:
-      - listeners.stackable.tech
-    resources:
-      - listeners
-    verbs:
-      - get
-      - list
-  # needed to query the crd version (v1alpha1 etc.) before fetching listeners
-  - apiGroups:
-      - apiextensions.k8s.io
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - get
+      - {{ include "operator.name" . }}-clusterrole-nodes