Skip to content

chore: Describe RBAC rules, remove unnecessary rules#412

Merged
NickLarsenNZ merged 9 commits intomainfrom
chore/rbac-review
Apr 9, 2026
Merged

chore: Describe RBAC rules, remove unnecessary rules#412
NickLarsenNZ merged 9 commits intomainfrom
chore/rbac-review

Conversation

@NickLarsenNZ
Copy link
Copy Markdown
Member

@NickLarsenNZ NickLarsenNZ commented Mar 25, 2026
edited
Loading

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. the changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files No product for core operator

Operator ClusterRole - removed rules/verbs

  • nodes resource removed from the core API group rule - the operator only needs nodes/proxy (for cluster domain detection), not direct access to node objects.
  • get verb removed from pods, configmaps, secrets - the restart controllers use list + watch only; no individual get calls are made.
  • get verb removed from statefulsets - Server-Side Apply (patch) does not require a preceding get, and the controller uses list + watch.
  • get verb removed from customresourcedefinitions - the operator only needs create + patch to maintain the CRD.

@NickLarsenNZ NickLarsenNZ mentioned this pull request Mar 25, 2026
Open
18 tasks
NickLarsenNZ
NickLarsenNZ commented Apr 2, 2026
View reviewed changes
NickLarsenNZ and others added 4 commits April 2, 2026 10:05
@NickLarsenNZ
Copy link
Copy Markdown
Member Author

NickLarsenNZ commented Apr 9, 2026 

--- PASS: kuttl/harness/restarter_openshift-false (20.55s)
--- PASS: kuttl/harness/restarter-no-unneeded-restart_openshift-false (21.85s)

@NickLarsenNZ NickLarsenNZ self-assigned this Apr 9, 2026
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 9, 2026
@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 9, 2026 07:07
@razvan razvan self-requested a review April 9, 2026 09:39
@razvan razvan moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Apr 9, 2026
razvan
razvan approved these changes Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@razvan razvan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@NickLarsenNZ NickLarsenNZ added this pull request to the merge queue Apr 9, 2026
@NickLarsenNZ NickLarsenNZ moved this from Development: In Review to Development: Done in Stackable Engineering Apr 9, 2026
Merged via the queue into main with commit dc4d0c8 Apr 9, 2026
12 checks passed
@NickLarsenNZ NickLarsenNZ deleted the chore/rbac-review branch April 9, 2026 11:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@razvan razvan razvan approved these changes

Assignees

@NickLarsenNZ NickLarsenNZ

Labels

None yet

Projects

Stackable Engineering
Status: Development: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NickLarsenNZ @razvan