Skip to content

chore: Describe RBAC rules, remove unnecessary rules #412

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
NickLarsenNZ wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

chore: Describe RBAC rules, remove unnecessary rules #412

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d7ca2ab
chore: Describe RBAC rules, remove unnecessary rules
NickLarsenNZ Mar 25, 2026
bd73246
chore: Update changelog
NickLarsenNZ Mar 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.

## [Unreleased]

### Changed

- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#412]).

[#412]: https://github.com/stackabletech/commons-operator/pull/412

## [26.3.0] - 2026-03-16

## [26.3.0-rc1] - 2026-03-16
Expand Down
22 changes: 17 additions & 5 deletions deploy/helm/commons-operator/templates/roles.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,40 +6,52 @@ metadata:
labels:
{{- include "operator.labels" . | nindent 4 }}
rules:
# Watch pods to detect expiry annotations and evict them (pod restart controller).
# Watch configmaps and secrets (metadata only) to detect changes that should trigger a
# rolling restart of referencing StatefulSets (StatefulSet restart controller).
# list + watch are sufficient; no individual get calls are made (Controller and
# metadata_watcher use list + watch internally).
- apiGroups:
- ""
resources:
- pods
- configmaps
- secrets
- nodes
verbs:
- get
- list
- watch
# For automatic cluster domain detection
# For automatic cluster domain detection: proxy to the kubelet configz endpoint on the
# operator's own node (name supplied via the downward API) to read the clusterDomain
# setting. Only a direct GET on the named node's proxy subresource is needed - no
# list or watch of nodes is required.
- apiGroups:
- ""
resources:
- nodes/proxy
verbs:
- get
# Watch StatefulSets labelled restarter.stackable.tech/enabled=true (list + watch) and
# patch their pod template annotations via Server-Side Apply to trigger rolling restarts
# when referenced ConfigMaps or Secrets change (patch). No get needed: SSA does not
# require a preceding get, and the reflector/watcher covers list + watch.
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- list
- watch
- patch # We need to add a label to the StatefulSet
- patch
# Emit Kubernetes events from both the StatefulSet and Pod restart controllers.
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- create
- patch
# Evict pods whose restarter.stackable.tech/expires-at.* annotation timestamp has been
# reached (pod restart controller). Eviction is a create on the pods/eviction subresource.
- apiGroups:
- ""
resources:
Expand Down
Loading