52 changes: 32 additions & 20 deletions deploy/helm/opa-operator/templates/roles.yaml
Expand Up @@ -6,6 +6,7 @@ metadata:
labels:
{{- include "operator.labels" . | nindent 4 }}
rules:
# For automatic cluster domain detection (list+watch required by the kube controller runtime)
- apiGroups:
- ""
resources:
Expand All @@ -20,95 +21,102 @@ rules:
- nodes/proxy
verbs:
- get
# Manage core workload resources created per OpaCluster.
# All resources are applied via Server-Side Apply (create + patch) and tracked for
# orphan cleanup (list + delete). The get verb is required by the ReconciliationPaused
# strategy (which calls client.get() instead of apply_patch() when paused).
# Resources watched by the controller also need watch.
# - configmaps: role-group configs and discovery ConfigMaps; watched via .owns()
# - services: role service, per-rolegroup headless and metrics services; watched via .owns()
# - serviceaccounts: per-cluster ServiceAccount for the product workload pods
- apiGroups:
- ""
resources:
- pods
- configmaps
- secrets
- services
- endpoints
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
- ""
resources:
- rolebindings
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# Per-cluster RoleBinding binding the product ClusterRole to the workload ServiceAccount;
# applied via SSA and tracked for orphan cleanup; not watched by the controller.
- apiGroups:
- apps
- rbac.authorization.k8s.io
resources:
- daemonsets
- rolebindings
verbs:
- get
- create
- delete
- get
- list
- patch
- update
- watch
# Per-rolegroup DaemonSet for OPA server pods; applied via SSA, tracked for orphan
# cleanup, and watched via .owns().
- apiGroups:
- batch
- apps
resources:
- jobs
- daemonsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# Read the CRD at startup to confirm it is established before starting the controller.
# With maintenance enabled the operator also creates, patches, lists and watches CRDs
# to maintain the CRD (e.g. entering generated certificates into the conversion webhook).
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
# Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
# generated certificate in the conversion webhook.
{{- if .Values.maintenance.customResourceDefinitions.maintain }}
- create
- patch
# Required for startup condition
- list
- watch
{{- end }}
# For publishing Kubernetes events from the controller reconciliation loop
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- create
- patch
# Watch and read OpaCluster resources to drive reconciliation
- apiGroups:
- {{ include "operator.name" . }}.stackable.tech
resources:
- {{ include "operator.name" . }}clusters
verbs:
- get
- list
- patch
- watch
# Patch OpaCluster status to report conditions back to the user
- apiGroups:
- {{ include "operator.name" . }}.stackable.tech
resources:
- {{ include "operator.name" . }}clusters/status
verbs:
- patch
# Allow binding the product ClusterRole to per-cluster ServiceAccounts
- apiGroups:
- rbac.authorization.k8s.io
resources:
Expand All @@ -126,6 +134,8 @@ metadata:
labels:
{{- include "operator.labels" . | nindent 4 }}
rules:
# OPA workload pods read ConfigMaps (bundle ConfigMaps, product config) and Secrets
# (TLS credentials) and ServiceAccounts (for token projection) at runtime.
- apiGroups:
- ""
resources:
Expand All @@ -136,6 +146,7 @@ rules:
- get
- list
- watch
# OPA workload pods publish Kubernetes events (e.g. from the user-info-fetcher sidecar)
- apiGroups:
- events.k8s.io
resources:
Expand All @@ -144,6 +155,7 @@ rules:
- create
- patch
{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
# Allow the workload pods to use the nonroot-v2 SCC on OpenShift
- apiGroups:
- security.openshift.io
resources:
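Review bot: The new comment above the core-resources rule (`pods`, `configmaps`, `secrets`, `services`, `endpoints`, `serviceaccounts`) explains configmaps, services and serviceaccounts but says nothing about `pods`, `secrets` or `endpoints`, which stay in the same rule with create/delete/patch/update/list/watch cluster-wide; list/watch on `secrets` is the most sensitive grant in this ClusterRole and should either be justified in the comment (e.g. `# - secrets: <which Secrets the operator creates or reads, and why list/watch is needed>`) or have its verbs narrowed if the operator only reads specific Secrets. The same comment states everything is applied via Server-Side Apply (`create + patch`), yet `- update` is still granted in the core, rolebindings and daemonsets rules; if nothing calls an update path, removing `- update` from those verb lists would make the granted verbs match the documented contract. The product ClusterRole comment mentions Secrets (TLS credentials) for workload pods, but that rule's resource list is collapsed in this view, so I can't confirm whether it is restricted by `resourceNames` or grants list/watch on all Secrets. Both the operator and product ClusterRole definitions start and end outside the visible hunks.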