From 8cb709f5566e3740673d8f0a74b6c33198e182e8 Mon Sep 17 00:00:00 2001
From: ChristianZaccaria
Date: Fri, 27 Mar 2026 14:37:29 +0000
Subject: [PATCH] fix(rbac): align Helm ClusterRole with controller-gen output

The Helm chart's ClusterRole had significant drift from the kubebuilder marker-generated config/rbac/role.yaml, granting permissions the operator code never uses (secrets, CRDs, webhook configs, RBAC management, ingresses, deprecated extensions API group) while missing agentruntimes resources entirely.

Rules are now a 1:1 match with the controller-gen output, following least-privilege principle.

Removed (not in kubebuilder markers):
- core: endpoints, namespaces, PVCs, pods/log, secrets, serviceaccounts
- admissionregistration.k8s.io: mutating/validating webhooks
- apiextensions.k8s.io: customresourcedefinitions
- apps: daemonsets, replicasets, create/delete on deployments/statefulsets
- extensions: deprecated API group (removed since k8s 1.16)
- networking.k8s.io: ingresses
- rbac.authorization.k8s.io: roles and bindings

Added (present in markers, missing from Helm):
- agent.kagenti.dev: agentruntimes, agentruntimes/finalizers, agentruntimes/status

Assisted-By: Claude (Anthropic AI)
Signed-off-by: ChristianZaccaria
---
 .../kagenti-operator/templates/rbac/role.yaml | 93 +++----------------
 1 file changed, 14 insertions(+), 79 deletions(-)

diff --git a/charts/kagenti-operator/templates/rbac/role.yaml b/charts/kagenti-operator/templates/rbac/role.yaml
index d04f23d..501a605 100755
--- a/charts/kagenti-operator/templates/rbac/role.yaml
+++ b/charts/kagenti-operator/templates/rbac/role.yaml
@@ -9,21 +9,10 @@ rules:
   - ""
   resources:
   - configmaps
-  - endpoints
-  - namespaces
-  - persistentvolumeclaims
-  - pods
-  - pods/log
-  - secrets
-  - serviceaccounts
   - services
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - ""
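Review bot: The trimmed core rule leaves configmaps and services read-only (get/list/watch), so the chart now depends entirely on the kubebuilder markers being accurate; controller-gen emits what the markers declare, not what the client code actually calls, so a marker missing a verb will now surface as a Forbidden error at reconcile time rather than at generation time. To keep the two files from drifting apart again, the template should carry a header comment such as `# Keep in sync with config/rbac/role.yaml (generated by controller-gen from the kubebuilder RBAC markers)` and CI should diff the rendered rules against that file. The `rules:` list and the ClusterRole header start before this hunk, and the same verification concern applies to the apps rule in the third hunk.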
@@ -32,39 +21,21 @@ rules:
   verbs:
   - create
   - patch
-  - update
 - apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - apiextensions.k8s.io
+  - ""
   resources:
-  - customresourcedefinitions
+  - pods
   verbs:
-  - create
-  - delete
   - get
   - list
   - patch
   - update
   - watch
 - apiGroups:
-  - apps
+  - agent.kagenti.dev
   resources:
-  - daemonsets
-  - deployments
-  - replicasets
-  - statefulsets
+  - agentcards
+  - agentruntimes
   verbs:
   - create
   - delete
@@ -74,56 +45,35 @@ rules:
   - update
   - watch
 - apiGroups:
-  - apps
+  - agent.kagenti.dev
   resources:
-  - deployments/finalizers
-  - statefulsets/finalizers
+  - agentcards/finalizers
+  - agentruntimes/finalizers
   verbs:
   - update
 - apiGroups:
-  - extensions
+  - agent.kagenti.dev
   resources:
-  - daemonsets
-  - deployments
-  - replicasets
+  - agentcards/status
+  - agentruntimes/status
   verbs:
-  - create
-  - delete
   - get
-  - list
   - patch
   - update
-  - watch
 - apiGroups:
-  - agent.kagenti.dev
+  - apps
   resources:
-  - agentcards
+  - deployments
+  - statefulsets
   verbs:
-  - create
-  - delete
   - get
   - list
   - patch
   - update
   - watch
-- apiGroups:
-  - agent.kagenti.dev
-  resources:
-  - agentcards/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - agent.kagenti.dev
-  resources:
-  - agentcards/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
   - networking.k8s.io
   resources:
-  - ingresses
   - networkpolicies
   verbs:
   - create
@@ -140,20 +90,5 @@ rules:
   verbs:
   - get
   - list
-  - watch
-  - patch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterrolebindings
-  - clusterroles
-  - rolebindings
-  - roles
-  verbs:
-  - create
-  - delete
-  - get
-  - list
   - patch
-  - update
   - watch
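Review bot: The rewritten apps rule in the third hunk grants deployments and statefulsets only get/list/patch/update/watch, so any reconcile path that still calls Create or Delete on those kinds will now be rejected with Forbidden by the API server instead of being caught when the chart is rendered; the create/delete verbs the old chart carried suggest such a path may once have existed, so the `//+kubebuilder:rbac` marker should be checked against the controller's actual client calls before this ships. A Helm-installed e2e run that drives an agentcard and an agentruntime through a full reconcile would confirm the reduced verb set is sufficient. The `rules:` list continues outside this hunk, and the same check applies to the read-only core rule in the first hunk.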