
chore: Describe RBAC rules, remove unnecessary rules #1020

Merged
NickLarsenNZ merged 12 commits into main from chore/rbac-review
Apr 9, 2026

Conversation

@NickLarsenNZ
Member

@NickLarsenNZ NickLarsenNZ commented Mar 25, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Operator ClusterRole

  • nodes list/watch - not needed; only nodes/proxy get is required (for cluster domain detection)
  • pods get/list/create/delete/patch/update/watch - operator does not manage Pod objects directly (StatefulSets handle that)
  • secrets get/list/create/delete/patch/update/watch - operator does not create or manage Secrets
  • endpoints get/list/create/delete/patch/update/watch - operator does not manage Endpoints
  • batch/jobs get/list/create/delete/patch/update/watch - operator does not create Jobs
  • update verb on configmaps, services, serviceaccounts, rolebindings, statefulsets, poddisruptionbudgets - not needed; the operator uses Server-Side Apply (patch), not update
  • watch verb on rolebindings, poddisruptionbudgets - operator does not watch these resources
  • get verb on customresourcedefinitions - not needed; operator only needs list/watch (startup condition) and create/patch (CRD maintenance)
  • watch verb on listeners - operator does not watch Listener objects

Product ClusterRole

  • configmaps/secrets/serviceaccounts get - ZooKeeper pods do not read these via the Kubernetes API; configuration is mounted into the container by the kubelet
  • events.k8s.io/events create/patch - ZooKeeper pods do not emit Kubernetes events
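
The review above was done by reading the operator's code. As an added check that is not part of this PR or of the Stackable operators, the following Python script compares the (apiGroup, resource, verb) triples a ClusterRole grants with the triples a service account actually exercised in Kubernetes audit events, and reports grants that were never used as well as usage the role does not cover (what would break after tightening). The ClusterRole, the service-account name and the audit lines are constructed for the example and only mirror the kind of grants the PR removes (nodes list/watch, pods and secrets CRUD, update verbs, CRD get); they are not the real manifests.

```python
"""Find ClusterRole grants a principal never exercised, from audit events.

Added example, not code from the stackabletech PR.  The role and the audit
lines below are constructed; real input is `kubectl get clusterrole X -o json`
and the JSON-lines audit log of the apiserver (Metadata level is enough,
since only verb, user and objectRef are read).
"""
import json

# Constructed ClusterRole in `kubectl get clusterrole -o json` shape.
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-clusterrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list", "watch"]},
        {"apiGroups": [""], "resources": ["pods", "secrets", "configmaps", "services"],
         "verbs": ["get", "list", "create", "delete", "patch", "update", "watch"]},
        {"apiGroups": ["apps"], "resources": ["statefulsets"],
         "verbs": ["get", "list", "create", "delete", "patch", "update", "watch"]},
        {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
         "verbs": ["get", "list", "watch", "create", "patch"]},
    ],
}

# Constructed service-account name (hypothetical namespace and name).
OPERATOR = "system:serviceaccount:stackable:example-operator"


def event(verb, resource, group="", sub=None, user=OPERATOR):
    """Build one constructed audit event line in the apiserver's JSON shape."""
    ref = {"apiGroup": group, "resource": resource}
    if sub:
        ref["subresource"] = sub
    return json.dumps({"kind": "Event", "verb": verb,
                       "user": {"username": user}, "objectRef": ref})


# Constructed audit log: what a reconciling operator would typically do.
AUDIT_LINES = [event("get", "nodes", sub="proxy")]          # cluster-domain detection
for res, group in (("configmaps", ""), ("services", ""), ("statefulsets", "apps")):
    AUDIT_LINES += [event(v, res, group)
                    for v in ("get", "list", "watch", "create", "delete", "patch")]
AUDIT_LINES += [event(v, "customresourcedefinitions", "apiextensions.k8s.io")
                for v in ("list", "watch", "create", "patch")]
# Another principal's activity must not be credited to the operator.
AUDIT_LINES.append(event("get", "secrets", user="system:serviceaccount:kube-system:other"))


def granted(role):
    """Expand rules into literal (apiGroup, resource, verb) triples.

    Rules containing '*' cannot be compared triple-by-triple; they are
    returned separately so the reviewer sees them instead of silently
    treating the wildcard as 'unused'.
    """
    triples, wildcards = set(), []
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups or "*" in resources or "*" in verbs:
            wildcards.append(rule)
            continue
        triples.update((g, r, v) for g in groups for r in resources for v in verbs)
    return triples, wildcards


def used(audit_lines, username):
    """Collect the (apiGroup, resource, verb) triples one principal exercised."""
    seen = set()
    for line in audit_lines:
        ev = json.loads(line)
        if ev.get("user", {}).get("username") != username:
            continue
        ref = ev.get("objectRef")
        if not ref:  # non-resource URLs such as /healthz carry no objectRef
            continue
        resource = ref["resource"]
        if ref.get("subresource"):  # nodes + proxy -> the RBAC form "nodes/proxy"
            resource = f"{resource}/{ref['subresource']}"
        seen.add((ref.get("apiGroup", ""), resource, ev["verb"]))
    return seen


def unused_grants(role, audit_lines, username):
    """Grants present in the role that the principal never exercised."""
    triples, _ = granted(role)
    return sorted(triples - used(audit_lines, username))


def ungranted_usage(role, audit_lines, username):
    """Exercised triples the role does not cover: these break if applied as-is."""
    triples, _ = granted(role)
    return sorted(used(audit_lines, username) - triples)


if __name__ == "__main__":
    for g, r, v in unused_grants(CLUSTER_ROLE, AUDIT_LINES, OPERATOR):
        print(f"unused grant: {g or 'core'} {r} {v}")
    for g, r, v in ungranted_usage(CLUSTER_ROLE, AUDIT_LINES, OPERATOR):
        print(f"used but not granted: {g or 'core'} {r} {v}")
```

Two caveats when using this against a real cluster: the audit log only shows what happened in the observation window, so one-off paths (CRD create at first install, a rolegroup deletion) must be exercised deliberately before trusting an "unused" verdict, and Server-Side Apply shows up as patch, which is exactly why the PR can drop update. Run the second function with the tightened role before applying it; an empty result is the evidence that nothing the operator did in the window depended on a removed rule.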

NickLarsenNZ and others added 8 commits April 2, 2026 10:06
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
…clusterrole

It is not needed for CRD maintenance nor startup condition
… product clusterrole

Any necessary configmaps/secrets would be mounted. The product pod doesn't communicate with the Kubernetes API
@NickLarsenNZ
Member Author

--- PASS: kuttl/harness/delete-rolegroup_zookeeper-3.9.4_openshift-false (60.92s)
--- PASS: kuttl/harness/smoke_zookeeper-3.9.4_use-server-tls-false_use-client-auth-tls-false_openshift-false (84.75s)
--- PASS: kuttl/harness/logging_zookeeper-3.9.4_openshift-false (71.06s)
--- PASS: kuttl/harness/smoke_zookeeper-3.9.4_use-server-tls-true_use-client-auth-tls-true_openshift-false (104.61s)
--- PASS: kuttl/harness/smoke_zookeeper-3.9.4_use-server-tls-true_use-client-auth-tls-false_openshift-false (96.59s)
--- PASS: kuttl/harness/smoke_zookeeper-3.9.4_use-server-tls-false_use-client-auth-tls-true_openshift-false (103.01s)
--- PASS: kuttl/harness/znode_zookeeper-latest-3.9.4_openshift-false (33.59s)
--- PASS: kuttl/harness/cluster-operation_zookeeper-latest-3.9.4_openshift-false (42.85s)

@NickLarsenNZ NickLarsenNZ self-assigned this Apr 9, 2026
@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 9, 2026 06:39
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 9, 2026
@Techassi Techassi self-requested a review April 9, 2026 06:59
@Techassi Techassi moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Apr 9, 2026
Techassi previously approved these changes Apr 9, 2026
…yaml

Co-authored-by: Techassi <sascha.lautenschlaeger@stackable.tech>
@NickLarsenNZ NickLarsenNZ moved this from Development: In Review to Development: Done in Stackable Engineering Apr 9, 2026
@NickLarsenNZ NickLarsenNZ added this pull request to the merge queue Apr 9, 2026
Merged via the queue into main with commit d7850dd Apr 9, 2026
12 checks passed
@NickLarsenNZ NickLarsenNZ deleted the chore/rbac-review branch April 9, 2026 12:02