From 84e868f22bec779d276a4ac2c0d329a6708c75ae Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 25 Mar 2026 14:26:04 +0100 Subject: [PATCH 1/2] chore: Describe RBAC rules, remove unnecessary rules --- .../helm/hbase-operator/templates/roles.yaml | 61 +++++++++++++------ 1 file changed, 44 insertions(+), 17 deletions(-) diff --git a/deploy/helm/hbase-operator/templates/roles.yaml b/deploy/helm/hbase-operator/templates/roles.yaml index bab998b5..4a151551 100644 --- a/deploy/helm/hbase-operator/templates/roles.yaml +++ b/deploy/helm/hbase-operator/templates/roles.yaml @@ -5,6 +5,7 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: + # For automatic cluster domain detection - apiGroups: - "" resources: 
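Review bot: The new comment above the nodes/proxy rule names the purpose but not the reach of the grant: `get` on `nodes/proxy` is a read path into every kubelet's HTTP API (pod listing, container and host logs, config), which makes it the broadest permission in this ClusterRole, and anyone auditing the role will want that stated next to the rule rather than having to know it. I would extend the comment to name the kubelet endpoint the detection code actually reads and the way an installer can avoid the grant, along the lines of `# For automatic cluster domain detection (reads the operator node's kubelet config via nodes/proxy). Note: nodes/proxy get exposes all kubelet read endpoints on every node; drop this rule if the cluster domain is configured explicitly.` The endpoint and the override mechanism are not visible in this diff, so confirm both against the cluster-domain detection code before settling the wording.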
@@ -19,22 +20,43 @@ rules: - nodes/proxy verbs: - get + # Manage core workload resources created per HbaseCluster. + # All resources are applied via Server-Side Apply (create + patch) and tracked for + # orphan cleanup (list + delete). get is needed when reconciliation is paused (the + # operator reads current state instead of applying). Both resource types are watched + # by the controller (.owns(Service), .watches(ConfigMap)) so they also need watch. + # - configmaps: role group configuration and discovery configmap + # - services: role group headless and metrics services - apiGroups: - "" resources: - - pods - configmaps - services - - endpoints - - serviceaccounts verbs: - create - delete - get - list - patch - - update - watch + # Manage ServiceAccounts created per HbaseCluster for workload pods. + # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete). + # get is needed when reconciliation is paused. + # ServiceAccounts are not watched by the controller. + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + # Manage RoleBindings that bind the product ClusterRole to per-cluster ServiceAccounts. + # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete). + # get is needed when reconciliation is paused. + # RoleBindings are not watched by the controller. - apiGroups: - rbac.authorization.k8s.io resources: 
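Review bot: The three comment blocks added in this hunk restate the same verb rationale (create+patch for Server-Side Apply, list+delete for orphan cleanup, get for paused reconciliation) almost word for word, and the next hunk repeats it again for StatefulSets and PodDisruptionBudgets, so a change to the cleanup or pause mechanism has to be edited in five places. I would state the shared rationale once above the first managed-resource rule, e.g. `# Managed resources: create+patch (Server-Side Apply), list+delete (orphan cleanup), get (read-only while reconciliation is paused); watch only on types the controller watches.`, and keep each per-resource comment to the one line that is specific to it (what is created and whether it is watched). The statements about `.owns(Service)` and `.watches(ConfigMap)` cannot be checked from the diff; keep them only if they match the controller setup, since a stale watch claim is exactly what a later verb cleanup will trust.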
@@ -45,20 +67,24 @@ rules: - get - list - patch - - update - - watch + # Manage StatefulSets created per role group. + # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete), + # watched by the controller via .owns(StatefulSet), and read on pause (get). - apiGroups: - apps resources: - statefulsets verbs: - - get - create - delete + - get - list - patch - - update - watch + # Manage PodDisruptionBudgets created per role for availability guarantees. + # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete). + # get is needed when reconciliation is paused. + # PodDisruptionBudgets are not watched by the controller. - apiGroups: - policy resources: @@ -69,8 +95,6 @@ rules: - get - list - patch - - update - - watch - apiGroups: - apiextensions.k8s.io resources: @@ -86,6 +110,7 @@ rules: - list - watch {{- end }} + # For emitting Kubernetes events during reconciliation - apiGroups: - events.k8s.io resources: @@ -93,12 +118,9 @@ rules: verbs: - create - patch - - apiGroups: - - listeners.stackable.tech - resources: - - listeners - verbs: - - get + # The primary resource watched by the controller (Controller::new). + # get + list + watch are required for the controller to observe HbaseClusters. + # Status is updated via the separate /status subresource rule below. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: @@ -106,14 +128,16 @@ rules: verbs: - get - list - - patch - watch + # For writing the HbaseCluster status subresource (apply_patch_status) - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: - {{ include "operator.name" . }}clusters/status verbs: - patch + # For binding the product ClusterRole (hbase-clusterrole) to per-cluster ServiceAccounts + # via namespaced RoleBindings created per HbaseCluster - apiGroups: - rbac.authorization.k8s.io resources: 
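Review bot: The comment introducing the final rbac.authorization.k8s.io rule says what the RoleBindings are for but not what makes creating them safe: the API server's escalation check only lets the operator bind hbase-clusterrole if it already holds every permission in that ClusterRole or has the `bind` verb on it, so this rule is the escalation guard and must be limited with `resourceNames` to the product ClusterRole rather than granting bind on all clusterroles (bind on any ClusterRole would let a compromised operator hand cluster-admin to a ServiceAccount it creates). The rule's resources, verbs and any resourceNames continue past the end of the hunk, so I cannot see whether the restriction is present; if it is, say so in the comment, e.g. `# bind is restricted via resourceNames to the product ClusterRole (RBAC escalation guard)`. Separately, dropping `patch` on the HbaseCluster resource is justified by status being written through the /status subresource, which holds only if the operator manages no finalizer on the HbaseCluster (a finalizer write needs patch on the main resource); that is not visible here and should be confirmed against the reconciler.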
@@ -130,6 +154,7 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: + # HBase pods need to read their own ConfigMap, Secret, and ServiceAccount at runtime. - apiGroups: - "" resources: @@ -138,6 +163,7 @@ rules: - serviceaccounts verbs: - get + # For emitting Kubernetes events from within the HBase pods - apiGroups: - events.k8s.io resources: @@ -146,6 +172,7 @@ rules: - create - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # Required on OpenShift to allow HBase pods to run as non-root - apiGroups: - security.openshift.io resources: From 3443e3400aae35c92341d29684e11211f2cc1d2b Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 25 Mar 2026 14:28:20 +0100 Subject: [PATCH 2/2] chore: Update changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c38e339c..6a8f8e56 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,12 @@ ## [Unreleased] +### Changed + +- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#745]). + +[#745]: https://github.com/stackabletech/hbase-operator/pull/745 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16
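Review bot: The comment added to the product ClusterRole says HBase pods read "their own" ConfigMap, Secret and ServiceAccount, but a ClusterRole shared by every HbaseCluster cannot carry `resourceNames` for per-cluster objects, so the effective grant is `get` on any ConfigMap, Secret or ServiceAccount in the namespace covered by the RoleBinding, addressed by name. Secret read access is the sensitive part, and the comment should state the real scope so it is not mistaken for a per-object restriction, e.g. `# HBase pods read ConfigMaps, Secrets and ServiceAccounts at runtime. get is namespace-wide (by name): this ClusterRole is shared by all HbaseClusters and cannot use resourceNames.` The resources list of that rule is split across the two hunks and only `serviceaccounts` is visible, so confirm `secrets` is actually listed before naming it in the comment.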