4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.

## [Unreleased]

- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#916]).

[#916]: https://github.com/stackabletech/nifi-operator/pull/916

## [26.3.0] - 2026-03-16

## [26.3.0-rc1] - 2026-03-16
70 changes: 46 additions & 24 deletions deploy/helm/nifi-operator/templates/roles.yaml
Expand Up @@ -5,37 +5,55 @@ metadata:
labels:
{{- include "operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
# For automatic cluster domain detection
- apiGroups:
- ""
resources:
- nodes/proxy
verbs:
- get
# Manage core workload resources created per NifiCluster.
# All resources are applied via Server-Side Apply (create + patch), fetched when
# reconciliation is paused (get), and tracked for orphan cleanup (list + delete).
# configmaps: rolegroup configuration; watched by the controller via .owns()/.watches()
# services: rolegroup headless/metrics services and optional reporting-task service;
# watched by the controller via .owns()
- apiGroups:
- ""
resources:
- pods
- configmaps
- services
- endpoints
- secrets
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# serviceaccounts: one ServiceAccount per NifiCluster (built by build_rbac_resources);
# applied via SSA + orphan cleanup; not watched by the controller
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
# secrets: sensitive-properties key and (when OIDC) admin-password secret;
# looked up with get_opt and created with client.create() — not tracked by
# cluster_resources, so no list/delete needed
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
# rolebindings: one RoleBinding per NifiCluster (built by build_rbac_resources);
# applied via SSA + orphan cleanup; not watched by the controller
- apiGroups:
- rbac.authorization.k8s.io
resources:
Expand All @@ -46,20 +64,21 @@ rules:
- get
- list
- patch
- update
- watch
# statefulsets: one StatefulSet per role group; applied via SSA + orphan cleanup;
# watched by the controller via .owns()
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- create
- delete
- get
- list
- patch
- update
- watch
# jobs: optional reporting-task Job created when spec.clusterConfig.createReportingTaskJob
# is enabled (NiFi 1.x only); applied via SSA + orphan cleanup; not watched by the controller
- apiGroups:
- batch
resources:
Expand All @@ -70,8 +89,8 @@ rules:
- get
- list
- patch
- update
- watch
# poddisruptionbudgets: one PDB per NifiCluster role (when pdb.enabled);
# applied via SSA + orphan cleanup; not watched by the controller
- apiGroups:
- policy
resources:
Expand All @@ -82,8 +101,6 @@ rules:
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
Expand All @@ -99,39 +116,43 @@ rules:
- list
- watch
{{- end }}
# For reporting controller reconciliation results as Kubernetes Events
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- create
- patch
# listeners: one Listener per NifiCluster role (via build_group_listener);
# applied via SSA + orphan cleanup; not watched by the controller
- apiGroups:
- listeners.stackable.tech
resources:
- listeners
verbs:
- create
- delete
- get
- list
- watch
- patch
- create
- delete
# Primary CRD: list + watch for the controller, get for direct lookups
- apiGroups:
- {{ include "operator.name" . }}.stackable.tech
resources:
- {{ include "operator.name" . }}clusters
verbs:
- get
- list
- patch
- watch
# Status subresource: patched via client.apply_patch_status() after each reconciliation
- apiGroups:
- {{ include "operator.name" . }}.stackable.tech
resources:
- {{ include "operator.name" . }}clusters/status
verbs:
- patch
# AuthenticationClass: read for resolving authentication configuration
- apiGroups:
- authentication.stackable.tech
resources:
Expand All @@ -140,6 +161,7 @@ rules:
- get
- list
- watch
# Required to bind the product ClusterRole to per-cluster ServiceAccounts
- apiGroups:
- rbac.authorization.k8s.io
resources:
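Review bot: The new secrets rule in the first hunk (`get` + `create`, with the comment stating that list/delete are omitted because the secrets are not tracked by cluster_resources) leaves the lifetime of the sensitive-properties and admin-password secrets undocumented: with no `delete` verb the operator cannot remove them, so the comment should say whether they carry an ownerReference to the NifiCluster (Kubernetes garbage-collects them) or are intentionally retained after cluster deletion, otherwise the next reader will re-add `delete`/`list` to "fix" an apparent leak. A suggested addition to that comment block is `# lifetime: [owner-referenced to the NifiCluster / retained on purpose — confirm]`. As a point of style, this is also the only rule whose verbs are not alphabetized (`- get` before `- create`); reordering to `- create` / `- get` matches the other rules. The rbac.authorization.k8s.io rule annotated by the last hunk ("Required to bind the product ClusterRole…") continues outside the hunk, so its resources and verbs could not be checked here; if it grants `bind`, scoping it with `resourceNames` to the product ClusterRole is the usual least-privilege control and is worth stating in that comment.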