
chore: Describe RBAC rules, remove unnecessary rules#869

Open
NickLarsenNZ wants to merge 12 commits into main from chore/rbac-review

Conversation

@NickLarsenNZ
Member

@NickLarsenNZ NickLarsenNZ commented Mar 25, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Operator ClusterRole - removed rules/verbs

  • opa.stackable.tech/regorules (entire rule) - OPA Rego rules are not used by the Trino operator
  • nodes list/watch (entire rule) - not needed; only nodes/proxy get is required for cluster domain detection
  • pods from core resources - operator does not manage Pod resources directly (StatefulSets manage pods)
  • endpoints from core resources - not used by the operator
  • batch/jobs (entire rule) - Trino operator does not create Jobs
  • update verb from configmaps, services, serviceaccounts, rolebindings, statefulsets, poddisruptionbudgets - SSA uses patch, not update
  • watch verb from serviceaccounts, rolebindings, poddisruptionbudgets - these resources are not watched by the controller
  • delete/list/watch from secrets - secrets are managed via direct get/apply_patch, not via cluster_resources; no orphan cleanup or watch needed
  • get verb from customresourcedefinitions - not needed (only list/watch for startup, create/patch for maintenance)
  • watch from listeners - listeners are not watched by the controller
  • patch from trinoclusters main resource - only read access needed (get/list/watch); status updates use the /status subresource

Product ClusterRole - removed rules/verbs

  • configmaps/secrets/serviceaccounts get (entire rule) - Trino pods do not need to read these resources directly
  • events.k8s.io/events create/patch (entire rule) - events are emitted by the operator controller, not by the Trino product pods
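The removals listed above amount to a set difference between two ClusterRoles, which is easy to get wrong when reading rule lists by eye. Added here as a reviewer aid, not code from this PR or from the Trino operator, is a Python script that expands a "before" and an "after" role into explicit (apiGroup, resource, verb) triples, lists what was dropped, flags anything that was unintentionally added, and flags wildcard grants that remain. The two JSON documents are constructed samples modelled on a few of the removals described in the PR description (the role name `trino-operator-clusterrole` and the exact verb sets are assumptions, not the operator's real ClusterRole); in practice the input would come from `kubectl get clusterrole <name> -o json` on each branch.

```python
"""Least-privilege review aid: expand Kubernetes ClusterRole rules into
(apiGroup, resource, verb) triples and report what a proposed role drops or
gains relative to the current one, plus any wildcard grants that remain."""
import json

# Constructed sample input, shaped like `kubectl get clusterrole <name> -o json`.
# It mirrors a few of the removals in the PR description (nodes list/watch,
# batch/jobs, the update verb, secrets list/watch/delete, trinoclusters patch).
# It is NOT the operator's real ClusterRole; the name is an assumption.
BEFORE_JSON = """
{
  "kind": "ClusterRole",
  "metadata": {"name": "trino-operator-clusterrole"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps", "secrets", "services"],
     "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["create", "get", "list", "watch", "patch"]},
    {"apiGroups": ["trino.stackable.tech"], "resources": ["trinoclusters"],
     "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": ["trino.stackable.tech"], "resources": ["trinoclusters/status"],
     "verbs": ["patch"]}
  ]
}
"""

# Constructed "after" role: the same grants minus the ones the review dropped.
AFTER_JSON = """
{
  "kind": "ClusterRole",
  "metadata": {"name": "trino-operator-clusterrole"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps", "services"],
     "verbs": ["get", "list", "watch", "create", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "create", "patch"]},
    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
    {"apiGroups": ["trino.stackable.tech"], "resources": ["trinoclusters"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["trino.stackable.tech"], "resources": ["trinoclusters/status"],
     "verbs": ["patch"]}
  ]
}
"""

Triple = tuple[str, str, str]


def load_role(doc: str) -> dict:
    """Parse a Role/ClusterRole JSON document and reject anything else."""
    role = json.loads(doc)
    if role.get("kind") not in ("ClusterRole", "Role"):
        raise ValueError(f"expected a Role/ClusterRole, got {role.get('kind')!r}")
    return role


def expand_rules(role: dict) -> set[Triple]:
    """Flatten every rule into explicit (apiGroup, resource, verb) triples.
    Wildcards are kept as the literal '*' so they stay visible, not expanded."""
    triples: set[Triple] = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples


def removed_permissions(before: dict, after: dict) -> list[Triple]:
    """Triples granted by `before` that `after` no longer grants."""
    return sorted(expand_rules(before) - expand_rules(after))


def added_permissions(before: dict, after: dict) -> list[Triple]:
    """Triples `after` grants that `before` did not. A pure privilege-reduction
    change should leave this empty."""
    return sorted(expand_rules(after) - expand_rules(before))


def wildcard_grants(role: dict) -> list[Triple]:
    """Triples with '*' in group, resource or verb; each needs explicit justification."""
    return sorted(t for t in expand_rules(role) if "*" in t)


def format_report(removed: list[Triple], added: list[Triple],
                  wildcards: list[Triple]) -> str:
    """Human-readable summary; the empty apiGroup is printed as 'core'."""
    lines = [f"removed ({len(removed)}):"]
    lines += [f"  - {g or 'core'} {r} {v}" for g, r, v in removed]
    lines.append(f"added ({len(added)}):")
    lines += [f"  + {g or 'core'} {r} {v}" for g, r, v in added]
    lines.append(f"wildcards remaining ({len(wildcards)}):")
    lines += [f"  ! {g or 'core'} {r} {v}" for g, r, v in wildcards]
    return "\n".join(lines)


if __name__ == "__main__":
    before, after = load_role(BEFORE_JSON), load_role(AFTER_JSON)
    print(format_report(removed_permissions(before, after),
                        added_permissions(before, after),
                        wildcard_grants(after)))
```

Because the comparison works on expanded triples rather than on rule entries, merging or splitting resources across list items (as happens when operator and product roles are moved into separate files) produces no noise: only real grants show up as removed or added. The property worth asserting in CI for a change like this one is that the `added` list is empty and that no wildcard remains in the resulting role.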

NickLarsenNZ and others added 9 commits April 2, 2026 10:06
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
… product clusterrole

Product pods will have necessary secrets/configmaps mounted and not directly talk to Kubernetes
@NickLarsenNZ
Member Author

--- PASS: kuttl/harness/fault-tolerant-execution_trino-479_openshift-false (120.15s)
--- PASS: kuttl/harness/authentication_trino-latest-479_ldap-use-tls-false_openshift-false (163.23s)
--- PASS: kuttl/harness/authentication_trino-latest-479_ldap-use-tls-true_openshift-false (196.25s)
--- PASS: kuttl/harness/client-spooling_trino-latest-479_openshift-false (103.62s)
--- PASS: kuttl/harness/cluster-operation_trino-latest-479_openshift-false (53.52s)
--- PASS: kuttl/harness/fault-tolerant-execution_trino-477_openshift-false (181.15s)
--- PASS: kuttl/harness/listener_trino-477_openshift-false (76.60s)
--- PASS: kuttl/harness/listener_trino-479_openshift-false (74.53s)
--- PASS: kuttl/harness/logging_trino-477_openshift-false (82.18s)
--- PASS: kuttl/harness/logging_trino-479_openshift-false (75.01s)
--- PASS: kuttl/harness/opa-authorization_trino-477_hive-latest-4.2.0_opa-1.12.3_keycloak-25.0.0_openshift-false (771.92s)
--- PASS: kuttl/harness/opa-authorization_trino-479_hive-latest-4.2.0_opa-1.12.3_keycloak-25.0.0_openshift-false (457.96s)
--- PASS: kuttl/harness/orphaned-resources_trino-latest-479_openshift-false (86.65s)
--- PASS: kuttl/harness/resources_trino-latest-479_openshift-false (44.47s)
--- PASS: kuttl/harness/smoke_trino-477_hive-3.1.3_opa-1.12.3_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (465.50s)
--- PASS: kuttl/harness/smoke_trino-477_hive-4.2.0_opa-1.12.3_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (425.50s)
--- PASS: kuttl/harness/smoke_trino-479_hive-3.1.3_opa-1.12.3_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (662.05s)
--- PASS: kuttl/harness/smoke_trino-479_hive-4.2.0_opa-1.12.3_hdfs-3.4.2_zookeeper-3.9.4_openshift-false (336.24s)
--- PASS: kuttl/harness/tls_trino-latest-479_use-authentication-false_use-tls-false_use-internal-tls-false_openshift-false (69.65s)
--- PASS: kuttl/harness/tls_trino-latest-479_use-authentication-false_use-tls-false_use-internal-tls-true_openshift-false (72.60s)
--- PASS: kuttl/harness/tls_trino-latest-479_use-authentication-false_use-tls-true_use-internal-tls-false_openshift-false (67.51s)
--- PASS: kuttl/harness/tls_trino-latest-479_use-authentication-false_use-tls-true_use-internal-tls-true_openshift-false (70.14s)
--- PASS: kuttl/harness/tls_trino-latest-479_use-authentication-true_use-tls-false_use-internal-tls-false_openshift-false (65.24s)
--- PASS: kuttl/harness/tls_trino-latest-479_use-authentication-true_use-tls-false_use-internal-tls-true_openshift-false (70.52s)
--- PASS: kuttl/harness/tls_trino-latest-479_use-authentication-true_use-tls-true_use-internal-tls-false_openshift-false (72.22s)
--- PASS: kuttl/harness/tls_trino-latest-479_use-authentication-true_use-tls-true_use-internal-tls-true_openshift-false (76.90s)

@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 9, 2026 05:40
@NickLarsenNZ NickLarsenNZ self-assigned this Apr 9, 2026
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 9, 2026
@razvan razvan self-requested a review April 9, 2026 07:07
@razvan razvan moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Apr 9, 2026