
chore: Describe RBAC rules, remove unnecessary rules#745

Merged
NickLarsenNZ merged 9 commits into main from chore/rbac-review on Apr 2, 2026

Conversation

@NickLarsenNZ
Member

@NickLarsenNZ NickLarsenNZ commented Mar 25, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Explanation

| Resources and Verbs | Removal info | Reason |
| --- | --- | --- |
| pods | entire rule | StatefulSets create pods; the operator never manages Pod objects directly, and pods are not in delete_orphaned_resources |
| endpoints | entire rule | Auto-created by Kubernetes for Services; never managed directly by the operator |
| listeners.stackable.tech/listeners | entire rule (get) | No client.get::<Listener>() call exists in the codebase; listener PVCs are embedded in StatefulSet volume claim templates -- the ListenerOperatorVolumeSourceBuilder is a pure struct builder making no API calls |
| update (all resources) | verb removed everywhere | SSA uses PATCH (create + patch); there are no client.update() / api.replace() calls anywhere in the operator |
| watch on serviceaccounts | verb removed | ServiceAccounts are not watched via .owns() or .watches() in main.rs |
| watch on rolebindings | verb removed | Same reason |
| watch on poddisruptionbudgets | verb removed | Same reason |
| patch on hbaseclusters | verb removed | The operator only writes hbaseclusters/status (via apply_patch_status()), covered by the separate /status subresource rule |
| create, update for events | entire rule | For the product ClusterRole (the operator handles this) |
| get for configmaps, secrets, serviceaccounts | entire rule | Not needed by the product pods |
| get for customresourcedefinitions | one verb | Get is never used |
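
An offline check for the kind of trim described in the table above, added here as an example; it is not code from this PR or from the operator. It re-implements the kube-apiserver RBAC matching rules (the `*` wildcard in apiGroups/resources/verbs, and a `*/<subresource>` resources entry), so that a manifest can be audited in CI for verbs it should no longer grant, while confirming that the ones the operator still needs survive. In particular it shows why dropping `patch` on `hbaseclusters` is safe when a separate `hbaseclusters/status` rule exists: a plain resource entry never covers its subresources. The two ClusterRoles, the `hbase.stackable.tech` group name and the `Access`, `rule_allows`, `still_granted` and `audit` helpers are constructed for this example and are not the operator's real manifests or API.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Access:
    """One permission to check: API group ("" for core), resource (with an
    optional /subresource suffix) and verb."""
    group: str
    resource: str
    verb: str


def rule_allows(rule: dict, access: Access) -> bool:
    """Mirror the kube-apiserver RBAC authorizer's per-rule matching:
    '*' matches anything in apiGroups/resources/verbs, and a resources
    entry '*/<sub>' matches that subresource of every resource.  A plain
    'hbaseclusters' entry does NOT cover 'hbaseclusters/status'."""
    groups = rule.get("apiGroups", [])
    if "*" not in groups and access.group not in groups:
        return False
    verbs = rule.get("verbs", [])
    if "*" not in verbs and access.verb not in verbs:
        return False
    _, _, subresource = access.resource.partition("/")
    for res in rule.get("resources", []):
        if res == "*" or res == access.resource:
            return True
        if subresource and res == f"*/{subresource}":
            return True
    return False


def role_allows(role: dict, access: Access) -> bool:
    return any(rule_allows(r, access) for r in role.get("rules", []))


def still_granted(role: dict, forbidden: Iterable[Access]) -> list[Access]:
    """Entries of `forbidden` that `role` still grants (empty means clean)."""
    return [a for a in forbidden if role_allows(role, a)]


# Constructed manifests (not the operator's real ClusterRole). The group
# name is assumed; only the rules relevant to the removals are modelled.
HBASE_GROUP = "hbase.stackable.tech"

BEFORE_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"],
     "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
    {"apiGroups": [HBASE_GROUP], "resources": ["hbaseclusters"],
     "verbs": ["get", "list", "watch", "patch", "update"]},
    {"apiGroups": [HBASE_GROUP], "resources": ["hbaseclusters/status"],
     "verbs": ["patch"]},
]}

AFTER_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["serviceaccounts"],
     "verbs": ["get", "list", "create", "patch", "delete"]},
    {"apiGroups": [HBASE_GROUP], "resources": ["hbaseclusters"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [HBASE_GROUP], "resources": ["hbaseclusters/status"],
     "verbs": ["patch"]},
]}

# Permissions the review concluded the operator never exercises.
REMOVED = [
    Access("", "pods", "create"),
    Access("", "pods", "delete"),
    Access("", "serviceaccounts", "watch"),
    Access("", "serviceaccounts", "update"),
    Access(HBASE_GROUP, "hbaseclusters", "patch"),
    Access(HBASE_GROUP, "hbaseclusters", "update"),
]

# Permissions that must survive the trim or the operator breaks.
REQUIRED = [
    Access("", "serviceaccounts", "patch"),
    Access(HBASE_GROUP, "hbaseclusters", "watch"),
    Access(HBASE_GROUP, "hbaseclusters/status", "patch"),
]


def audit(role: dict) -> dict[str, list[Access]]:
    """Summarise a role: what it still grants from REMOVED and what it is
    missing from REQUIRED."""
    return {
        "excess": still_granted(role, REMOVED),
        "missing": [a for a in REQUIRED if not role_allows(role, a)],
    }


if __name__ == "__main__":
    for name, role in (("before", BEFORE_ROLE), ("after", AFTER_ROLE)):
        print(name, audit(role))
```

Against a live cluster the same questions can be asked with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccount>` (adding `--subresource=status` for the status subresource), but the offline matcher runs against the manifest in CI before anything is applied, and it makes the subresource distinction explicit rather than relying on memory of how the authorizer behaves.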

@NickLarsenNZ
Member Author

Tests pass (eventually)

--- PASS: kuttl/harness/shutdown_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (514.94s)
--- PASS: kuttl/harness/omid_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false_omid-1.1.3 (321.41s)
--- PASS: kuttl/harness/omid_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false_omid-1.1.3 (323.50s)
--- PASS: kuttl/harness/shutdown_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (550.04s)
--- PASS: kuttl/harness/smoke_hbase-2.6.3_hdfs-3.4.2_zookeeper-3.9.4_listener-class-external-unstable_openshift-false (448.29s)
--- PASS: kuttl/harness/cluster-operation_hbase-latest-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (284.24s)
--- PASS: kuttl/harness/external-access_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (247.59s)
--- PASS: kuttl/harness/external-access_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (255.01s)
--- PASS: kuttl/harness/kerberos_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_listener-class-cluster-internal_kerberos-realm-CLUSTER.LOCAL_kerberos-backend-mit_openshift-false (494.81s)
--- PASS: kuttl/harness/kerberos_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_listener-class-cluster-internal_kerberos-realm-PROD.MYCORP_kerberos-backend-mit_openshift-false (486.83s)
--- PASS: kuttl/harness/kerberos_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_listener-class-external-unstable_kerberos-realm-CLUSTER.LOCAL_kerberos-backend-mit_openshift-false (497.88s)
--- PASS: kuttl/harness/kerberos_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_listener-class-external-unstable_kerberos-realm-PROD.MYCORP_kerberos-backend-mit_openshift-false (486.32s)
--- PASS: kuttl/harness/kerberos_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_listener-class-cluster-internal_kerberos-realm-CLUSTER.LOCAL_kerberos-backend-mit_openshift-false (538.62s)
--- PASS: kuttl/harness/kerberos_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_listener-class-cluster-internal_kerberos-realm-PROD.MYCORP_kerberos-backend-mit_openshift-false (498.69s)
--- PASS: kuttl/harness/kerberos_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_listener-class-external-unstable_kerberos-realm-CLUSTER.LOCAL_kerberos-backend-mit_openshift-false (528.18s)
--- PASS: kuttl/harness/kerberos_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_listener-class-external-unstable_kerberos-realm-PROD.MYCORP_kerberos-backend-mit_openshift-false (491.04s)
--- PASS: kuttl/harness/logging_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (264.06s)
--- PASS: kuttl/harness/logging_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (267.47s)
--- PASS: kuttl/harness/opa_hbase-opa-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_opa-1.12.3_openshift-false (407.49s)
--- PASS: kuttl/harness/orphaned_resources_hbase-latest-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (330.48s)
--- PASS: kuttl/harness/overrides_hbase-latest-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (222.63s)
--- PASS: kuttl/harness/profiling_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (329.12s)
--- PASS: kuttl/harness/profiling_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (249.84s)
--- PASS: kuttl/harness/resources_hbase-latest-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (230.45s)
--- PASS: kuttl/harness/smoke_hbase-2.6.3_hdfs-3.4.2_zookeeper-3.9.4_listener-class-cluster-internal_openshift-false (353.59s)
--- PASS: kuttl/harness/smoke_hbase-2.6.4_hdfs-3.4.2_zookeeper-3.9.4_listener-class-cluster-internal_openshift-false (524.57s)
--- PASS: kuttl/harness/smoke_hbase-2.6.4_hdfs-3.4.2_zookeeper-3.9.4_listener-class-external-unstable_openshift-false (512.43s)
--- PASS: kuttl/harness/snapshot-export_hbase-2.6.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (288.37s)
--- PASS: kuttl/harness/snapshot-export_hbase-2.6.4_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_openshift-false (305.86s)

Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
@NickLarsenNZ NickLarsenNZ self-assigned this Mar 31, 2026
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Mar 31, 2026
@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review March 31, 2026 09:36
@Techassi Techassi self-requested a review April 1, 2026 13:54
@Techassi Techassi moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Apr 1, 2026
Member

@Techassi Techassi left a comment


LGTM otherwise.

@NickLarsenNZ NickLarsenNZ requested a review from Techassi April 2, 2026 07:59
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
@NickLarsenNZ NickLarsenNZ enabled auto-merge April 2, 2026 08:37
@NickLarsenNZ NickLarsenNZ added this pull request to the merge queue Apr 2, 2026
@NickLarsenNZ NickLarsenNZ moved this from Development: In Review to Development: Done in Stackable Engineering Apr 2, 2026
Merged via the queue into main with commit dadbb34 Apr 2, 2026
12 checks passed
@NickLarsenNZ NickLarsenNZ deleted the chore/rbac-review branch April 2, 2026 09:37