fix(rbac): align Helm ClusterRole with controller-gen output #249
ChristianZaccaria wants to merge 1 commit into kagenti:main from
Conversation
The Helm chart's ClusterRole had significant drift from the kubebuilder marker-generated config/rbac/role.yaml, granting permissions the operator code never uses (secrets, CRDs, webhook configs, RBAC management, ingresses, deprecated extensions API group) while missing agentruntimes resources entirely. Rules are now a 1:1 match with the controller-gen output, following least-privilege principle.

Removed (not in kubebuilder markers):
- core: endpoints, namespaces, PVCs, pods/log, secrets, serviceaccounts
- admissionregistration.k8s.io: mutating/validating webhooks
- apiextensions.k8s.io: customresourcedefinitions
- apps: daemonsets, replicasets, create/delete on deployments/statefulsets
- extensions: deprecated API group (removed since k8s 1.16)
- networking.k8s.io: ingresses
- rbac.authorization.k8s.io: roles and bindings

Added (present in markers, missing from Helm):
- agent.kagenti.dev: agentruntimes, agentruntimes/finalizers, agentruntimes/status

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: ChristianZaccaria <christian.zaccaria.cz@gmail.com>
cwiklik
left a comment
Review Summary
Clean RBAC cleanup aligning the Helm ClusterRole with the controller-gen output (config/rbac/role.yaml). Removes significant over-provisioning: secrets, CRDs, webhooks, RBAC management, ingresses, deprecated extensions API group, and unused verbs. Adds missing agentruntimes resources. Verified: resulting rules match config/rbac/role.yaml on main 1:1.
Merge coordination note: PR #247 (Keycloak client registration) adds secrets RBAC to config/rbac/role.yaml. If #247 merges first, this Helm chart will need to pick up the new secrets rule — rebase after #247 lands.
Areas reviewed: Helm/K8s RBAC
Commits: 1 commit, signed-off: yes, proper Assisted-By trailer
CI status: DCO passing
👍 Excellent RBAC hygiene — removing 79 lines of over-provisioned permissions (secrets, CRDs, webhooks, RBAC management, ingresses, deprecated extensions API group) while adding the missing agentruntimes resources. Verified against config/rbac/role.yaml on main: 1:1 match.
Thanks for the heads-up on this. I guess this could be addressed as a follow-up PR since it's still inconclusive which roles will remain in PR #247 .
Summary
- The Helm chart's `ClusterRole` had significant drift from the `controller-gen`-generated `config/rbac/role.yaml`, granting permissions the operator code never uses (among them the `extensions` API group)
- Adds `agentruntimes` resources that exist in kubebuilder markers but were absent from the Helm chart

Key changes
`charts/kagenti-operator/templates/rbac/role.yaml`:

Removed (confirmed zero runtime usage — not in any `// +kubebuilder:rbac` marker):
- core: `endpoints`, `namespaces`, `persistentvolumeclaims`, `pods/log`, `secrets`, `serviceaccounts` with full CRUD
- `admissionregistration.k8s.io`: mutating/validating webhook configs (operator is the webhook server, not the webhook config manager)
- `apiextensions.k8s.io`: CRDs
- `apps`: `daemonsets`, `replicasets`, `create`/`delete` on deployments/statefulsets, finalizers subresource
- `extensions`: deprecated API group (removed since k8s 1.16)
- `networking.k8s.io`: `ingresses`
- `rbac.authorization.k8s.io`: roles and bindings

Added (present in kubebuilder markers, missing from Helm):
- `agent.kagenti.dev`: `agentruntimes`, `agentruntimes/finalizers`, `agentruntimes/status`

Runtime impact
The Helm `ClusterRole` now matches `config/rbac/role.yaml` 1:1 on all RBAC rules — both deployment methods (`helm install` and `make deploy`) grant identical permissions. No behavioural change: all removed permissions were unused by the operator code.
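The "1:1 match" the reviewer verified is easy to check mechanically. As an added example (not code from this PR or the kagenti project), the Python below flattens two ClusterRole rule lists into (apiGroup, resource, verb) triples and reports what the Helm role grants beyond the controller-gen output and what it lacks. The two rule sets are constructed samples shaped like `yaml.safe_load(...)["rules"]`, not the chart's real contents.

```python
"""Compare Helm-rendered ClusterRole rules against controller-gen's
config/rbac/role.yaml as sets of (apiGroup, resource, verb) triples,
so drift in either direction (over-provisioned or missing) is visible."""
from itertools import product

# Constructed sample rules for this example; same shape as a ClusterRole's
# "rules" list after yaml.safe_load(). Not the real chart contents.
HELM_RULES = [
    {"apiGroups": [""], "resources": ["secrets", "services"],
     "verbs": ["create", "delete", "get", "list", "update", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "patch", "update", "watch"]},
]
GENERATED_RULES = [
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["create", "delete", "get", "list", "update", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["agent.kagenti.dev"],
     "resources": ["agentruntimes", "agentruntimes/finalizers", "agentruntimes/status"],
     "verbs": ["get", "list", "patch", "update", "watch"]},
]


def expand(rules):
    """Flatten rules into a set of (group, resource, verb) triples.
    A "*" verb or resource is kept as a literal token, so a wildcard grant
    always shows up as drift unless the generated role uses it too."""
    triples = set()
    for rule in rules:
        groups = rule.get("apiGroups", [""])
        for g, r, v in product(groups, rule.get("resources", []), rule.get("verbs", [])):
            triples.add((g, r, v))
    return triples


def diff_rules(helm, generated):
    """Return (extra, missing): triples only Helm grants, triples only controller-gen grants."""
    h, g = expand(helm), expand(generated)
    return sorted(h - g), sorted(g - h)


def report(helm, generated):
    """Human-readable drift lines; empty list means the roles match 1:1."""
    extra, missing = diff_rules(helm, generated)
    lines = [f"over-provisioned in Helm: {g or 'core'}/{r} {v}" for g, r, v in extra]
    lines += [f"missing from Helm: {g or 'core'}/{r} {v}" for g, r, v in missing]
    return lines


if __name__ == "__main__":
    for line in report(HELM_RULES, GENERATED_RULES) or ["Helm ClusterRole matches controller-gen output 1:1"]:
        print(line)
```

Point `HELM_RULES` at the output of `helm template` and `GENERATED_RULES` at `config/rbac/role.yaml` (loaded with PyYAML) to run it against the real chart, for instance as a CI gate that fails when the two drift.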