chore: Describe RBAC rules, remove unnecessary rules #693

Merged
NickLarsenNZ merged 11 commits into main from chore/rbac-review
Apr 10, 2026


@NickLarsenNZ NickLarsenNZ commented Mar 25, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files. Core operators don't have product roles

Operator ClusterRole permission removals

  • truststores: removed create and patch
    • They were conditionally granted via the
      {{- if .Values.maintenance.customResourceDefinitions.maintain }} gate (when truststores shared a rule block with secretclasses). The operator only reconciles existing TrustStores and never creates or patches them.

@NickLarsenNZ NickLarsenNZ self-assigned this Apr 9, 2026
@NickLarsenNZ

--- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-2048_custom-secret-names-False (16.22s)
--- PASS: kuttl/harness/cert-manager-tls_openshift-false (55.21s)
--- PASS: kuttl/harness/kerberos_krb5-1.21.1_openshift-false (71.63s)
--- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-3072_custom-secret-names-True (17.24s)
--- PASS: kuttl/harness/listener_openshift-false (26.98s)
--- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-3072_custom-secret-names-False (30.41s)
--- PASS: kuttl/harness/non-sensitive-data (45.84s)
--- PASS: kuttl/harness/tls-truststore_openshift-false_truststore-target-kind-Secret (9.00s)
--- PASS: kuttl/harness/tls-truststore_openshift-false_truststore-target-kind-ConfigMap (7.79s)
--- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-2048_custom-secret-names-True (14.05s)

@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 9, 2026
@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 9, 2026 12:03
@razvan razvan self-requested a review April 10, 2026 07:09
@razvan razvan moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Apr 10, 2026
@NickLarsenNZ NickLarsenNZ added this pull request to the merge queue Apr 10, 2026
@NickLarsenNZ NickLarsenNZ moved this from Development: In Review to Development: Done in Stackable Engineering Apr 10, 2026
Merged via the queue into main with commit 10b681d Apr 10, 2026
12 checks passed
@NickLarsenNZ NickLarsenNZ deleted the chore/rbac-review branch April 10, 2026 07:44