Skip to content

chore: Describe RBAC rules, remove unnecessary rules #717

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
NickLarsenNZ merged 13 commits into from
Apr 9, 2026
Merged

chore: Describe RBAC rules, remove unnecessary rules #717

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
423b87c
chore: Describe RBAC rules, remove unnecessary rules
NickLarsenNZ Mar 25, 2026
01c8cc9
chore: Update changelog
NickLarsenNZ Mar 25, 2026
e624eb4
Apply suggestions from code review
NickLarsenNZ Apr 2, 2026
9420a0a
chore: Add missing comment on rule
NickLarsenNZ Apr 8, 2026
7119bbc
chore: Remove the get for customresourcedefinitions for the operator …
NickLarsenNZ Apr 8, 2026
a92afa1
chore: Remove the nodes list/watch rule for the operator clusterrole
NickLarsenNZ Apr 8, 2026
744a017
chore: Remove the configmaps/secrets/serviceaccounts get rule for the…
NickLarsenNZ Apr 8, 2026
c934e58
fix: customresourcedefinitions is always required for the startup con…
NickLarsenNZ Apr 8, 2026
19b74ab
chore: Simplify rule comments
NickLarsenNZ Apr 8, 2026
78a7e01
chore: Remove the events.k8s.io rule from the product ClusterRole
NickLarsenNZ Apr 8, 2026
d34841c
chore: Keep the rbac.authorization.k8s.io rules within a ClusterRole …
NickLarsenNZ Apr 8, 2026
4085104
chore: Split the roles.yaml into separate files for clusterrole-opera…
NickLarsenNZ Apr 8, 2026
9e4ad7e
Merge branch 'main' into chore/rbac-review
NickLarsenNZ Apr 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@

## [Unreleased]

- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#717]).

[#717]: https://github.com/stackabletech/superset-operator/pull/717

## [26.3.0] - 2026-03-16

## [26.3.0-rc1] - 2026-03-16
Expand Down
115 changes: 47 additions & 68 deletions ...lm/superset-operator/templates/roles.yaml → ...rator/templates/clusterrole-operator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,38 +6,42 @@ metadata:
labels:
{{- include "operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
# For automatic cluster domain detection
- apiGroups:
- ""
resources:
- nodes/proxy
verbs:
- get
# Manage core namespaced resources created per SupersetCluster.
# All resources are applied via Server-Side Apply (create + patch) and tracked for
# orphan cleanup (list + delete). ReconciliationPaused uses get.
- apiGroups:
- ""
resources:
- pods
- configmaps
- secrets
- services
- endpoints
- serviceaccounts
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# ServiceAccount created per SupersetCluster and per DruidConnection.
# Applied via SSA and tracked for orphan cleanup.
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
# RoleBinding created per SupersetCluster to bind the product ClusterRole to the workload
# ServiceAccount. Applied via SSA and tracked for orphan cleanup.
- apiGroups:
- rbac.authorization.k8s.io
resources:
Expand All @@ -48,32 +52,39 @@ rules:
- get
- list
- patch
- update
- watch
# Required to bind the product ClusterRole to the per-cluster ServiceAccount.
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
verbs:
- bind
resourceNames:
- {{ include "operator.name" . }}-clusterrole
# StatefulSet created per role group. Applied via SSA and tracked for orphan cleanup.
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- create
- delete
- get
- list
- patch
- update
- watch
# Job created per DruidConnection to run the datasource import task.
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# PodDisruptionBudget created per role. Applied via SSA and tracked for orphan cleanup.
- apiGroups:
- policy
resources:
Expand All @@ -84,47 +95,55 @@ rules:
- get
- list
- patch
- update
- watch
# Required for maintaining the CRDs within the operator (including the conversion webhook info).
# Also for the startup condition check before the controller can run.
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
# Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
# generated certificate in the conversion webhook.
{{- if .Values.maintenance.customResourceDefinitions.maintain }}
- create
- patch
{{- end }}
# Required for startup condition
- list
- watch
{{- end }}
# Required to report reconciliation results and errors back to the SupersetCluster object.
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- create
- patch
Comment thread
razvan marked this conversation as resolved.
# Primary CRDs: SupersetCluster and DruidConnection.
- apiGroups:
- {{ include "operator.name" . }}.stackable.tech
resources:
- {{ include "operator.name" . }}clusters
- druidconnections
- druidconnections/status
verbs:
- get
- list
- patch
- watch
# Patch status for SupersetCluster (reports conditions such as Available/Degraded).
- apiGroups:
- {{ include "operator.name" . }}.stackable.tech
resources:
- {{ include "operator.name" . }}clusters/status
verbs:
- patch
# Patch status for DruidConnection (tracks import job progress: Pending/Importing/Ready/Failed).
- apiGroups:
- {{ include "operator.name" . }}.stackable.tech
resources:
- druidconnections/status
verbs:
- patch
# Watch AuthenticationClass resources to react when authentication configuration changes.
- apiGroups:
- authentication.stackable.tech
resources:
Expand All @@ -133,55 +152,15 @@ rules:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
verbs:
- bind
resourceNames:
- {{ include "operator.name" . }}-clusterrole
# Listener created per role group for external access. Applied via SSA and tracked for orphan
# cleanup.
- apiGroups:
- listeners.stackable.tech
resources:
- listeners
verbs:
- get
- list
- watch
- patch
- create
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "operator.name" . }}-clusterrole
labels:
{{- include "operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- secrets
- serviceaccounts
verbs:
- get
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- create
- list
- patch
{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- nonroot-v2
verbs:
- use
{{ end }}
21 changes: 21 additions & 0 deletions deploy/helm/superset-operator/templates/clusterrole-product.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
---
# Product ClusterRole: bound (via per SupersetCluster RoleBinding) to the ServiceAccount that
# Superset workload pods run as.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "operator.name" . }}-clusterrole
labels:
{{- include "operator.labels" . | nindent 4 }}
rules:
{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
# Required on OpenShift to allow Superset pods to run as a non-root user.
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- nonroot-v2
verbs:
- use
{{ end }}
Loading