
chore: Describe RBAC rules, remove unnecessary rules#693

Merged
NickLarsenNZ merged 13 commits into main from chore/rbac-review
Apr 8, 2026

Conversation

@NickLarsenNZ
Member

@NickLarsenNZ NickLarsenNZ commented Mar 26, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Permissions removed from operator ClusterRole

| Resource | Verbs removed | Reason |
| --- | --- | --- |
| pods (core) | all | Operator never manages pods directly; StatefulSets create pods |
| secrets (core) | all | Operator never creates/manages secrets; DB/TLS/S3 secrets are user-managed and referenced by pods |
| endpoints (core) | all | Auto-created by Kubernetes from Services; never managed directly |
| all resources | update | SSA uses PATCH (`client.apply_patch()`); `client.update()` / `api.replace()` is never called |
| serviceaccounts | watch | Not watched via `.owns()` or `.watches()` in `main.rs` |
| rolebindings | watch | Not watched via `.owns()` or `.watches()` |
| poddisruptionbudgets | watch | Not watched via `.owns()` or `.watches()` |
| listeners | watch | Not watched via `.owns()` or `.watches()` |
| batch/jobs | all | Operator never creates Jobs; `delete_orphaned_resources` silently skips on 403 |
| hiveclusters | patch | Operator only patches the `/status` subresource (separate rule); never SSA-applies the main HiveCluster resource |
| customresourcedefinitions | get | Not needed for CRD maintenance, nor startup condition |
| nodes | list, watch | Not used for cluster domain detection |
Permissions removed from operator ClusterRole

| Resource | Verbs removed | Reason |
| --- | --- | --- |
| events | all | The operator manages the events |
| configmaps, secrets, serviceaccounts | all | Product pods don't need to request these (they're mounted). |
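The two tables above boil down to one check: every verb a ClusterRole grants should be traceable to an API call the controller (or the product pod) actually makes, and nothing the controller needs should be missing. Below is an added example of that audit as a small script; it is illustration written for this page, not code from the PR or from the operator repository. The `SAMPLE_ROLE`, the `REQUIRED` map and the `SSA_OWNED` verb set are constructed assumptions that mirror the categories in the tables (pods, secrets, endpoints, `update`, `batch/jobs`, the `/status` subresource), not the operator's real manifest, and the `hive.stackable.tech` group name is likewise assumed for the example. The `events` entry is deliberately left out of the sample role to show the "missing permission" side of the report.

```python
"""Least-privilege audit of a Kubernetes ClusterRole against the API calls a
controller actually makes. Example code added for illustration; the role and
the required-permission map below are constructed, not the operator's manifest."""
from typing import Dict, Set, Tuple

Perm = Tuple[str, str]  # (apiGroup, resource); "" is the core group

ALL_VERBS = {"get", "list", "watch", "create", "update", "patch",
             "delete", "deletecollection"}

# Verbs an SSA-based reconciler needs on a resource it owns: get/list/watch for
# the reflector, create+patch for server-side apply (an apply PATCH on an object
# that does not exist yet is authorised as 'create'), delete for orphan cleanup.
# No 'update': apply never sends PUT. (Assumption for the example, mirroring the
# PR's reasoning.)
SSA_OWNED = {"get", "list", "watch", "create", "patch", "delete"}

# Constructed over-privileged role: the "before" state an audit should flag.
SAMPLE_ROLE = {
    "rules": [
        {"apiGroups": [""],
         "resources": ["pods", "secrets", "endpoints", "configmaps", "services"],
         "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
        {"apiGroups": ["apps"], "resources": ["statefulsets"],
         "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
        {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["*"]},
        {"apiGroups": ["hive.stackable.tech"], "resources": ["hiveclusters"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["hive.stackable.tech"], "resources": ["hiveclusters/status"],
         "verbs": ["patch"]},
    ]
}

# What the (hypothetical) controller is known to call, e.g. from reading the
# .owns()/.watches() registrations and the apply_patch() call sites.
REQUIRED: Dict[Perm, Set[str]] = {
    ("", "configmaps"): set(SSA_OWNED),
    ("", "services"): set(SSA_OWNED),
    ("apps", "statefulsets"): set(SSA_OWNED),
    ("hive.stackable.tech", "hiveclusters"): {"get", "list", "watch"},
    ("hive.stackable.tech", "hiveclusters/status"): {"patch"},  # subresource is its own RBAC resource
    ("", "events"): {"create", "patch"},  # event recorder; deliberately absent from SAMPLE_ROLE
}


def expand_rules(rules) -> Dict[Perm, Set[str]]:
    """Flatten PolicyRules into (group, resource) -> verbs, expanding verb wildcards."""
    granted: Dict[Perm, Set[str]] = {}
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            verbs = set(ALL_VERBS)
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                granted.setdefault((group, resource), set()).update(verbs)
    return granted


def granted_verbs(granted: Dict[Perm, Set[str]], perm: Perm) -> Set[str]:
    """Verbs effectively granted on perm, including via resource/group wildcards."""
    group, resource = perm
    verbs: Set[str] = set()
    for key in (perm, (group, "*"), ("*", resource), ("*", "*")):
        verbs |= granted.get(key, set())
    return verbs


def audit(role: dict, required: Dict[Perm, Set[str]]):
    """Return (excess, missing): verbs granted but unused, and verbs used but not granted."""
    granted = expand_rules(role.get("rules", []))
    missing = {perm: verbs - granted_verbs(granted, perm) for perm, verbs in required.items()}
    missing = {p: v for p, v in missing.items() if v}
    excess: Dict[Perm, Set[str]] = {}
    for perm, verbs in granted.items():
        if "*" in perm:                      # wildcard grants are never least-privilege
            excess[perm] = set(verbs)
            continue
        unused = verbs - required.get(perm, set())
        if unused:
            excess[perm] = unused
    return excess, missing


def minimal_rules(required: Dict[Perm, Set[str]]):
    """Emit the tightest PolicyRule list that satisfies `required` (one rule per resource)."""
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(required.items())]


if __name__ == "__main__":
    excess, missing = audit(SAMPLE_ROLE, REQUIRED)
    for (g, r), v in sorted(excess.items()):
        print(f"REMOVE  {g or 'core'}/{r}: {', '.join(sorted(v))}")
    for (g, r), v in sorted(missing.items()):
        print(f"MISSING {g or 'core'}/{r}: {', '.join(sorted(v))}")
```

Run against the sample role, the report lists `pods`, `secrets`, `endpoints` and `batch/jobs` for removal in full, `update` for removal on the SSA-managed resources, leaves the `hiveclusters/status` `patch` rule alone, and flags `events` as missing. `minimal_rules(REQUIRED)` is the trimmed role the audit would accept with neither excess nor gaps. Two caveats a practitioner should keep in mind: the `REQUIRED` map is only as good as the code reading that produced it (the PR's checklist item "Run all tests" is the real confirmation, since a missing verb surfaces as a 403 at reconcile time), and a static audit cannot see aggregated ClusterRoles or extra RoleBindings, so pair it with `kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa>` against the live cluster.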

@NickLarsenNZ
Member Author

--- PASS: kuttl/harness/external-access_hive-3.1.3_openshift-false (114.54s)
--- PASS: kuttl/harness/logging_postgres-12.5.6_hive-4.1.0_openshift-false (207.63s)
--- PASS: kuttl/harness/kerberos-hdfs_postgres-12.5.6_hive-4.0.1_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_openshift-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (426.72s)
--- PASS: kuttl/harness/cluster-operation_hive-latest-4.2.0_openshift-false (129.44s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-4.2.0_krb5-1.21.1_openshift-false_s3-use-tls-true_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (131.43s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-4.1.0_krb5-1.21.1_openshift-false_s3-use-tls-true_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (142.14s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-4.2.0_krb5-1.21.1_openshift-false_s3-use-tls-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (253.45s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-4.1.0_krb5-1.21.1_openshift-false_s3-use-tls-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (146.43s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-4.0.1_krb5-1.21.1_openshift-false_s3-use-tls-true_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (143.40s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-4.0.1_krb5-1.21.1_openshift-false_s3-use-tls-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (153.46s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-4.0.0_krb5-1.21.1_openshift-false_s3-use-tls-true_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (201.65s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-4.0.0_krb5-1.21.1_openshift-false_s3-use-tls-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (136.81s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-3.1.3_krb5-1.21.1_openshift-false_s3-use-tls-true_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (144.27s)
--- PASS: kuttl/harness/kerberos-s3_postgres-12.5.6_hive-3.1.3_krb5-1.21.1_openshift-false_s3-use-tls-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (142.78s)
--- PASS: kuttl/harness/logging_postgres-12.5.6_hive-4.2.0_openshift-false (94.07s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.0.1_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-true (161.43s)
--- PASS: kuttl/harness/kerberos-hdfs_postgres-12.5.6_hive-4.0.0_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_openshift-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (263.12s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.2.0_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-true (129.89s)
--- PASS: kuttl/harness/kerberos-hdfs_postgres-12.5.6_hive-3.1.3_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_openshift-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (258.96s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.2.0_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-false (124.05s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.2.0_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-false (132.77s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.2.0_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-true (387.63s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.1.0_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-true (155.00s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.1.0_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-false (146.25s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.1.0_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-true (151.02s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.1.0_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-false (155.46s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.0.1_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-true (146.68s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-3.1.3_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-false (146.94s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.0.1_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-false (152.74s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.0.1_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-false (150.10s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.0.0_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-true (148.74s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.0.0_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-false (151.36s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.0.0_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-true (149.25s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-4.0.0_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-false (144.43s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-3.1.3_opa-latest-1.12.3_openshift-false_s3-use-tls-true_opa-use-tls-true (146.92s)
--- PASS: kuttl/harness/resources_hive-4.1.0_openshift-false (36.97s)
--- PASS: kuttl/harness/logging_postgres-12.5.6_hive-4.0.1_openshift-false (110.47s)
--- PASS: kuttl/harness/logging_postgres-12.5.6_hive-4.0.0_openshift-false (111.80s)
--- PASS: kuttl/harness/logging_postgres-12.5.6_hive-3.1.3_openshift-false (116.24s)
--- PASS: kuttl/harness/upgrade_postgres-12.5.6_hive-old-3.1.3_hive-new-4.2.0_openshift-false (95.02s)
--- PASS: kuttl/harness/resources_hive-4.2.0_openshift-false (36.13s)
--- PASS: kuttl/harness/external-access_hive-4.2.0_openshift-false (40.97s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-3.1.3_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-true (153.59s)
--- PASS: kuttl/harness/smoke_postgres-12.5.6_hive-3.1.3_opa-latest-1.12.3_openshift-false_s3-use-tls-false_opa-use-tls-false (164.74s)
--- PASS: kuttl/harness/external-access_hive-4.0.1_openshift-false (72.37s)
--- PASS: kuttl/harness/external-access_hive-4.1.0_openshift-false (61.82s)
--- PASS: kuttl/harness/resources_hive-3.1.3_openshift-false (36.53s)
--- PASS: kuttl/harness/external-access_hive-4.0.0_openshift-false (62.72s)
--- PASS: kuttl/harness/resources_hive-4.0.1_openshift-false (48.36s)
--- PASS: kuttl/harness/resources_hive-4.0.0_openshift-false (46.08s)
--- PASS: kuttl/harness/orphaned-resources_hive-latest-4.2.0_openshift-false (196.28s)
--- PASS: kuttl/harness/kerberos-hdfs_postgres-12.5.6_hive-4.2.0_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_openshift-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (265.60s)
--- PASS: kuttl/harness/kerberos-hdfs_postgres-12.5.6_hive-4.1.0_hdfs-latest-3.4.2_zookeeper-latest-3.9.4_krb5-1.21.1_openshift-false_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (287.32s)

@NickLarsenNZ NickLarsenNZ self-assigned this Apr 1, 2026
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 1, 2026
@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 1, 2026 13:07
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
Member

@xeniape xeniape left a comment


Just a question, otherwise LGTM

@xeniape xeniape moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Apr 7, 2026
@NickLarsenNZ NickLarsenNZ enabled auto-merge April 8, 2026 12:20
@NickLarsenNZ NickLarsenNZ requested a review from xeniape April 8, 2026 12:20
Member

@xeniape xeniape left a comment


LGTM

@NickLarsenNZ NickLarsenNZ moved this from Development: In Review to Development: Done in Stackable Engineering Apr 8, 2026
@NickLarsenNZ NickLarsenNZ added this pull request to the merge queue Apr 8, 2026
Merged via the queue into main with commit c224460 Apr 8, 2026
12 checks passed
@NickLarsenNZ NickLarsenNZ deleted the chore/rbac-review branch April 8, 2026 12:34
@lfrancke lfrancke moved this from Development: Done to Acceptance: In Progress in Stackable Engineering Apr 9, 2026
@lfrancke lfrancke moved this from Acceptance: In Progress to Done in Stackable Engineering Apr 9, 2026

3 participants