
Commit bf667f1

chore: Describe RBAC rules, remove unnecessary rules (#953)
* chore: Describe RBAC rules, remove unnecessary rules
* chore: Update changelog
* chore: Remove the get for customresourcedefinitions for the operator clusterrole.
* chore: Remove the nodes list/watch rule for the operator clusterrole.
* chore: Add comment to the rule that was missing one
* chore: Remove the configmaps/secrets/serviceaccounts/services get rule for the product clusterrole
* fix: Always allow list/watch on customresourcedefinitions for the operator
  Note: required by the startup condition regardless of crd maintenance
* chore: Simplify RBAC rule descriptions
* chore: Remove the events.k8s.io rule from the product ClusterRole. The operator manages the Kubernetes events.
* chore: Keep the rbac.authorization.k8s.io rules within a ClusterRole close to each other
* chore: Split the roles.yaml into separate files for clusterrole-operator.yaml and clusterrole-product.yaml
* chore(nix): Update crate hashes
* Update CHANGELOG.md
1 parent 682750c commit bf667f1

5 files changed

Lines changed: 70 additions & 93 deletions


CHANGELOG.md

Lines changed: 6 additions & 0 deletions
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
44

55
## [Unreleased]
66

7+
### Changed
8+
9+
- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#953]).
10+
11+
[#953]: https://github.com/stackabletech/kafka-operator/pull/953
12+
713
## [26.3.0] - 2026-03-16
814

915
## [26.3.0-rc1] - 2026-03-16
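Review bot: the new Changed entry says permissions were removed but not which ones, so a cluster admin who has audited or mirrored these ClusterRoles has to diff the templates to find out. Suggest listing the removals visible in this commit: the operator role loses `nodes` list/watch, `pods`, `secrets` and `endpoints`, the `batch/jobs` rule, `get` on `customresourcedefinitions`, `patch` on the `kafkaclusters` main resource, list/watch on `authenticationclasses` and the `update` verb across its rules; the product role loses its `get` on configmaps/secrets/serviceaccounts/services and its `events.k8s.io` rule. Also hyphenate `Helm-deployed`.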

Cargo.nix

Lines changed: 9 additions & 9 deletions
Some generated files are not rendered by default.

crate-hashes.json

Lines changed: 9 additions & 9 deletions
Some generated files are not rendered by default.

deploy/helm/kafka-operator/templates/roles.yaml renamed to deploy/helm/kafka-operator/templates/clusterrole-operator.yaml

Lines changed: 25 additions & 75 deletions
@@ -6,37 +6,30 @@ metadata:
66
labels:
77
{{- include "operator.labels" . | nindent 4 }}
88
rules:
9-
- apiGroups:
10-
- ""
11-
resources:
12-
- nodes
13-
verbs:
14-
- list
15-
- watch
169
# For automatic cluster domain detection
1710
- apiGroups:
1811
- ""
1912
resources:
2013
- nodes/proxy
2114
verbs:
2215
- get
16+
# Manage core namespaced resources created per KafkaCluster.
17+
# Applied via SSA and tracked for orphan cleanup.
2318
- apiGroups:
2419
- ""
2520
resources:
26-
- pods
2721
- configmaps
28-
- secrets
2922
- services
30-
- endpoints
3123
- serviceaccounts
3224
verbs:
3325
- create
3426
- delete
3527
- get
3628
- list
3729
- patch
38-
- update
3930
- watch
31+
# RoleBinding created per KafkaCluster to bind the product ClusterRole to the workload
32+
# ServiceAccount. Applied via SSA and tracked for orphan cleanup.
4033
- apiGroups:
4134
- rbac.authorization.k8s.io
4235
resources:
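Review bot: the comment on the retained `nodes/proxy` `get` rule at the top of this hunk should say what the verb actually grants. `get` on `nodes/proxy` lets the operator ServiceAccount issue read requests to every kubelet through the API server proxy, which exposes far more than the cluster domain (for example the kubelet's `/configz` and `/pods` endpoints), so it is now the broadest read permission left in this ClusterRole and the first thing a reviewer of the chart will ask about. Suggest expanding `# For automatic cluster domain detection` to name the kubelet endpoint that is read and, if the chart has a way to set the cluster domain explicitly, wrapping the rule in a conditional so it is only rendered when detection is needed. The rest of the hunk is consistent: dropping `pods`, `secrets`, `endpoints` and the `update` verb while keeping `patch` matches the `Applied via SSA` comment, since server-side apply only needs PATCH.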
@@ -47,32 +40,30 @@ rules:
4740
- get
4841
- list
4942
- patch
50-
- update
5143
- watch
44+
# Required to bind the product ClusterRole to the per-cluster ServiceAccount.
5245
- apiGroups:
53-
- apps
46+
- rbac.authorization.k8s.io
5447
resources:
55-
- statefulsets
48+
- clusterroles
5649
verbs:
57-
- get
58-
- create
59-
- delete
60-
- list
61-
- patch
62-
- update
63-
- watch
50+
- bind
51+
resourceNames:
52+
- {{ include "operator.name" . }}-clusterrole
53+
# StatefulSet created per role group (broker, KRaft controller). Applied via
54+
# SSA, tracked for orphan cleanup, and owned by the controller.
6455
- apiGroups:
65-
- batch
56+
- apps
6657
resources:
67-
- jobs
58+
- statefulsets
6859
verbs:
6960
- create
7061
- delete
7162
- get
7263
- list
7364
- patch
74-
- update
7565
- watch
66+
# PodDisruptionBudget created per role group. Applied via SSA and tracked for orphan cleanup.
7667
- apiGroups:
7768
- policy
7869
resources:
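Review bot: the `clusterroles` `bind` rule now lives in this file while the ClusterRole it names in `resourceNames` moved to a separate template, so the two `{{ include "operator.name" . }}-clusterrole` expressions have to be kept in sync by hand; a shared named template, or at least a comment in each file pointing at the other, would prevent a silent mismatch. The comment `Required to bind the product ClusterRole to the per-cluster ServiceAccount` should also say why `bind` is needed: RBAC rejects a RoleBinding that grants permissions its creator does not itself hold, and after this change the operator role has no `use` on SecurityContextConstraints, so `bind` scoped to that one ClusterRole is what lets the per-cluster RoleBinding be created at all. On the `rolebindings` rule, dropping `update` while keeping `patch` matches SSA; the rule has no `resourceNames`, which is acceptable because the escalation check still limits what the operator can bind to its own permissions plus the named `bind` target.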
@@ -83,103 +74,62 @@ rules:
8374
- get
8475
- list
8576
- patch
86-
- update
87-
- watch
77+
# Required for maintaining the CRDs within the operator (including the conversion webhook info).
78+
# Also for the startup condition check before the controller can run.
8879
- apiGroups:
8980
- apiextensions.k8s.io
9081
resources:
9182
- customresourcedefinitions
9283
verbs:
93-
- get
9484
# Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
9585
# generated certificate in the conversion webhook.
9686
{{- if .Values.maintenance.customResourceDefinitions.maintain }}
9787
- create
9888
- patch
89+
{{- end }}
9990
# Required for startup condition
10091
- list
10192
- watch
102-
{{- end }}
93+
# Required to report reconciliation results and warnings back to the KafkaCluster object.
10394
- apiGroups:
10495
- events.k8s.io
10596
resources:
10697
- events
10798
verbs:
10899
- create
109100
- patch
101+
# Primary CRD: watched by the controller and read during reconciliation.
110102
- apiGroups:
111103
- {{ include "operator.name" . }}.stackable.tech
112104
resources:
113105
- {{ include "operator.name" . }}clusters
114106
verbs:
115107
- get
116108
- list
117-
- patch
118109
- watch
110+
# Status subresource: updated at the end of every reconciliation.
119111
- apiGroups:
120112
- {{ include "operator.name" . }}.stackable.tech
121113
resources:
122114
- {{ include "operator.name" . }}clusters/status
123115
verbs:
124116
- patch
117+
# Read authentication class configuration referenced in the KafkaCluster spec.
125118
- apiGroups:
126119
- authentication.stackable.tech
127120
resources:
128121
- authenticationclasses
129122
verbs:
130123
- get
131-
- list
132-
- watch
124+
# Listener created per role group. Applied via SSA and tracked for orphan cleanup.
133125
- apiGroups:
134126
- listeners.stackable.tech
135127
resources:
136128
- listeners
137129
verbs:
138-
- get
139-
- list
140-
- watch
141-
- patch
142130
- create
143131
- delete
144-
- apiGroups:
145-
- rbac.authorization.k8s.io
146-
resources:
147-
- clusterroles
148-
verbs:
149-
- bind
150-
resourceNames:
151-
- {{ include "operator.name" . }}-clusterrole
152-
---
153-
apiVersion: rbac.authorization.k8s.io/v1
154-
kind: ClusterRole
155-
metadata:
156-
name: {{ include "operator.name" . }}-clusterrole
157-
labels:
158-
{{- include "operator.labels" . | nindent 4 }}
159-
rules:
160-
- apiGroups:
161-
- ""
162-
resources:
163-
- configmaps
164-
- secrets
165-
- serviceaccounts
166-
- services
167-
verbs:
168132
- get
169-
- apiGroups:
170-
- events.k8s.io
171-
resources:
172-
- events
173-
verbs:
174-
- create
133+
- list
175134
- patch
176-
{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
177-
- apiGroups:
178-
- security.openshift.io
179-
resources:
180-
- securitycontextconstraints
181-
resourceNames:
182-
- nonroot-v2
183-
verbs:
184-
- use
185-
{{ end }}
135+
- watch
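Review bot: the `customresourcedefinitions` rule now carries two overlapping explanations, the new header comment (`Required for maintaining the CRDs ... Also for the startup condition check`) and the older inline comments `Required to maintain the CRD ...` and `Required for startup condition`; keep one set, and fix `it's generated certificate` to `its` while doing so. The `create`/`patch` inside the `maintain` block also apply to every CRD in the cluster; `create` cannot be narrowed by name, but `patch` can, so consider a separate rule with `resourceNames` listing the operator's own CRD names (built from the plural and group visible below, `{{ include "operator.name" . }}clusters.{{ include "operator.name" . }}.stackable.tech`) so the operator cannot modify other operators' CRDs. Two removals further down change behaviour and deserve a changelog line: `list`/`watch` are gone from `authenticationclasses`, so an edit to an AuthenticationClass referenced by a KafkaCluster can no longer trigger a reconcile and is only picked up on the next one, and `patch` is gone from the `kafkaclusters` main resource, which is fine only as long as the controller writes nothing but the status subresource.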
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
---
2+
# Product ClusterRole: bound (via per KafkaCluster RoleBinding) to the ServiceAccount that Kafka
3+
# workload pods (brokers, KRaft controllers) run as.
4+
apiVersion: rbac.authorization.k8s.io/v1
5+
kind: ClusterRole
6+
metadata:
7+
name: {{ include "operator.name" . }}-clusterrole
8+
labels:
9+
{{- include "operator.labels" . | nindent 4 }}
10+
rules:
11+
{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
12+
# On OpenShift, the workload pods must be allowed to use the nonroot-v2 SCC
13+
- apiGroups:
14+
- security.openshift.io
15+
resources:
16+
- securitycontextconstraints
17+
resourceNames:
18+
- nonroot-v2
19+
verbs:
20+
- use
21+
{{ end }}
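Review bot: on a cluster without `security.openshift.io/v1` this template renders a ClusterRole whose `rules:` key has no entries, while the operator still creates a RoleBinding to it per KafkaCluster and holds `bind` on it. That is valid and a reasonable design, but the header comment should say so explicitly so nobody reads the empty role as a rendering bug or, worse, fills it in. Two smaller points: `.Capabilities.APIVersions.Has` is only populated when Helm can query a cluster, so `helm template` run offline for an OpenShift target drops the SCC rule unless `--api-versions security.openshift.io/v1` is passed, which belongs in the comment or the docs; and the block uses `{{ if` / `{{ end }}` without the `-` whitespace trim used in the operator template (`{{- if`, `{{- end }}`), which leaves stray blank lines in the rendered output and should be made consistent.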
