From d7ca2ab40ddb1a91480e6df320ff4ccf387aaf33 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 25 Mar 2026 16:06:47 +0100 Subject: [PATCH 1/8] chore: Describe RBAC rules, remove unnecessary rules --- .../commons-operator/templates/roles.yaml | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/deploy/helm/commons-operator/templates/roles.yaml b/deploy/helm/commons-operator/templates/roles.yaml
index 31d541f..a9ab425 100644
--- a/deploy/helm/commons-operator/templates/roles.yaml
+++ b/deploy/helm/commons-operator/templates/roles.yaml 
@@ -6,33 +6,43 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules: 
+ # Watch pods to detect expiry annotations and evict them (pod restart controller). 
+ # Watch configmaps and secrets (metadata only) to detect changes that should trigger a 
+ # rolling restart of referencing StatefulSets (StatefulSet restart controller). 
+ # list + watch are sufficient; no individual get calls are made (Controller and 
+ # metadata_watcher use list + watch internally).
 - apiGroups:
 - ""
 resources:
 - pods
 - configmaps
 - secrets 
- - nodes
 verbs: 
- - get
 - list
 - watch 
- # For automatic cluster domain detection 
+ # For automatic cluster domain detection: proxy to the kubelet configz endpoint on the 
+ # operator's own node (name supplied via the downward API) to read the clusterDomain 
+ # setting. Only a direct GET on the named node's proxy subresource is needed - no 
+ # list or watch of nodes is required.
 - apiGroups:
 - ""
 resources:
 - nodes/proxy
 verbs:
 - get 
+ # Watch StatefulSets labelled restarter.stackable.tech/enabled=true (list + watch) and 
+ # patch their pod template annotations via Server-Side Apply to trigger rolling restarts 
+ # when referenced ConfigMaps or Secrets change (patch). No get needed: SSA does not 
+ # require a preceding get, and the reflector/watcher covers list + watch.
 - apiGroups:
 - apps
 resources:
 - statefulsets
 verbs: 
- - get
 - list
 - watch 
- - patch # We need to add a label to the StatefulSet 
+ - patch 
+ # Emit Kubernetes events from both the StatefulSet and Pod restart controllers.
 - apiGroups:
 - events.k8s.io
 resources: 
@@ -40,6 +50,8 @@ rules:
 verbs:
 - create
 - patch 
+ # Evict pods whose restarter.stackable.tech/expires-at.* annotation timestamp has been 
+ # reached (pod restart controller). Eviction is a create on the pods/eviction subresource.
 - apiGroups:
 - ""
 resources: 
From bd73246dbcb931f775215647f401bd450e99d5ec Mon Sep 17 00:00:00 2001 
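Review bot: The new comment on the `nodes/proxy` rule describes a single GET of the configz endpoint on the operator's own node, but the rule itself grants `get` on `nodes/proxy` for every node the role covers and for any read-only path behind the kubelet proxy; RBAC cannot narrow it to one endpoint, and `resourceNames` would need the node name, which the comment says is only known at runtime via the downward API. I'd record that gap next to the rule so the grant is not mistaken for a narrow one, e.g. `# NOTE: RBAC cannot restrict this to the configz path or to the local node; it grants read access to the kubelet proxy of every node in scope.` The `(metadata only)` wording on the configmaps/secrets rule has the same problem: it describes the client, while `list`/`watch` on `secrets` return full Secret objects, so the role can read secret data even though the operator only consumes metadata. The role kind is outside the hunk, but the PATCH 4/8 subject later in this series calls it the operator clusterrole, which would make both grants cluster-wide.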
From: Nick Larsen Date: Wed, 25 Mar 2026 16:08:47 +0100 Subject: [PATCH 2/8] chore: Update changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f5aee6..8777b3e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#412]). + +[#412]: https://github.com/stackabletech/commons-operator/pull/412 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 
From 91b2ddb2994d6cc26f411c83971816d2ef4fd467 Mon Sep 17 00:00:00 2001 From: Nick <10092581+NickLarsenNZ@users.noreply.github.com> Date: Thu, 2 Apr 2026 10:05:58 +0200 Subject: [PATCH 3/8] Apply suggestions from code review Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8777b3e..7ff023f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file. ### Changed -- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#412]). +- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#412]). [#412]: https://github.com/stackabletech/commons-operator/pull/412 
From 9f752021ff80d7c240a12b4b5f12654d64bcaabc Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 08:27:14 +0200 Subject: [PATCH 4/8] chore: Remove the get for customresourcedefinitions for the operator clusterrole Not required for CRD maintenance --- deploy/helm/commons-operator/templates/roles.yaml | 1 - 1 file changed, 1 deletion(-)
diff --git a/deploy/helm/commons-operator/templates/roles.yaml b/deploy/helm/commons-operator/templates/roles.yaml
index a9ab425..f4a8c04 100644
--- a/deploy/helm/commons-operator/templates/roles.yaml 
+++ b/deploy/helm/commons-operator/templates/roles.yaml
@@ -73,7 +73,6 @@ rules:
 resources:
 - customresourcedefinitions
 verbs: 
- - get
 - create
 - patch
 {{ end }} 
From 2366d9edb54277c4cd16c8072c5c7d3dfd8eb095 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 08:50:05 +0200 Subject: [PATCH 5/8] chore: Simplify rule comments --- .../commons-operator/templates/roles.yaml | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/deploy/helm/commons-operator/templates/roles.yaml b/deploy/helm/commons-operator/templates/roles.yaml
index f4a8c04..5d521da 100644
--- a/deploy/helm/commons-operator/templates/roles.yaml
+++ b/deploy/helm/commons-operator/templates/roles.yaml
@@ -6,11 +6,8 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules: 
- # Watch pods to detect expiry annotations and evict them (pod restart controller). 
- # Watch configmaps and secrets (metadata only) to detect changes that should trigger a 
- # rolling restart of referencing StatefulSets (StatefulSet restart controller). 
- # list + watch are sufficient; no individual get calls are made (Controller and 
- # metadata_watcher use list + watch internally). 
+ # Watch pods to detect and evict expired restart annotations. 
+ # Watch configmaps and secrets to trigger rolling restarts of referencing StatefulSets.
 - apiGroups:
 - ""
 resources: 
@@ -20,20 +17,15 @@ rules:
 verbs:
 - list
 - watch 
- # For automatic cluster domain detection: proxy to the kubelet configz endpoint on the 
- # operator's own node (name supplied via the downward API) to read the clusterDomain 
- # setting. Only a direct GET on the named node's proxy subresource is needed - no 
- # list or watch of nodes is required. 
+ # For automatic cluster domain detection.
 - apiGroups:
 - ""
 resources:
 - nodes/proxy
 verbs:
 - get 
- # Watch StatefulSets labelled restarter.stackable.tech/enabled=true (list + watch) and 
- # patch their pod template annotations via Server-Side Apply to trigger rolling restarts 
- # when referenced ConfigMaps or Secrets change (patch). No get needed: SSA does not 
- # require a preceding get, and the reflector/watcher covers list + watch. 
+ # Watch and patch StatefulSets (labelled restarter.stackable.tech/enabled=true) 
+ # to trigger rolling restarts when referenced ConfigMaps or Secrets change.
 - apiGroups:
 - apps
 resources: 
@@ -42,7 +34,7 @@ rules:
 - list
 - watch
 - patch 
- # Emit Kubernetes events from both the StatefulSet and Pod restart controllers. 
+ # Emit Kubernetes events from the restart controllers.
 - apiGroups:
 - events.k8s.io
 resources: 
@@ -50,23 +42,23 @@ rules:
 verbs:
 - create
 - patch 
- # Evict pods whose restarter.stackable.tech/expires-at.* annotation timestamp has been 
- # reached (pod restart controller). Eviction is a create on the pods/eviction subresource. 
+ # Evict pods whose restarter.stackable.tech/expires-at.* annotation timestamp 
+ # has been reached.
 - apiGroups:
 - ""
 resources:
 - pods/eviction
 verbs:
 - create 
- # Required to maintain MutatingWebhookConfigurations. The operator needs to do this, as it needs 
- # to enter e.g. it's generated certificate in the webhooks. 
+ # Required to maintain MutatingWebhookConfigurations with auto-generated and 
+ # rotated webhook certificates.
 - apiGroups: [admissionregistration.k8s.io]
 resources: [mutatingwebhookconfigurations]
 verbs:
 - create
 - patch 
-# Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's 
-# generated certificate in the conversion webhook. 
+# Required to maintain the CRD with auto-generated and rotated webhook 
+#certificates.
 {{ if .Values.maintenance.customResourceDefinitions.maintain }}
 - apiGroups:
 - apiextensions.k8s.io 
From 8a4b162dbc3a204f0e3641b6a4150e27fac0c52c Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 08:54:57 +0200 Subject: [PATCH 6/8] chore(nix): Update crate hashes --- Cargo.nix | 18 +++++++++--------- crate-hashes.json | 18 +++++++++--------- 2 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/Cargo.nix b/Cargo.nix
index c6cadaa..46246bf 100644
--- a/Cargo.nix
+++ b/Cargo.nix
@@ -4801,7 +4801,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; 
- sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; 
+ sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3";
 };
 libName = "k8s_version";
 authors = [ 
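Review bot: The simplified comment on the `mutatingwebhookconfigurations` rule no longer says why `create` and `patch` are needed, and this is the grant in the file most worth explaining: a MutatingWebhookConfiguration decides which admission requests are routed to a webhook for rewriting, so the rule amounts to cluster-wide admission control rather than a housekeeping permission. I'd keep the reason and the scope, e.g. `# create + patch on MutatingWebhookConfigurations (cluster-scoped): the operator registers its webhook and writes its auto-generated, rotated certificate into the configuration.` If the configuration's name is fixed at chart render time, `patch` could additionally be narrowed with `resourceNames` (`create` cannot be), which is worth a sentence in the comment either way. As a point of style, the neighbouring `[admissionregistration.k8s.io]` / `[mutatingwebhookconfigurations]` context lines are the only flow-style collections among these rules; converting them to block style would match the rest of the file.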
@@ -9293,7 +9293,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; 
- sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; 
+ sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3";
 };
 libName = "stackable_certs";
 authors = [ 
@@ -9479,7 +9479,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; 
- sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; 
+ sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3";
 };
 libName = "stackable_operator";
 authors = [ 
@@ -9651,7 +9651,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; 
- sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; 
+ sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3";
 };
 procMacro = true;
 libName = "stackable_operator_derive"; 
@@ -9686,7 +9686,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; 
- sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; 
+ sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3";
 };
 libName = "stackable_shared";
 authors = [ 
@@ -9767,7 +9767,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; 
- sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; 
+ sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3";
 };
 libName = "stackable_telemetry";
 authors = [ 
@@ -9877,7 +9877,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; 
- sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; 
+ sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3";
 };
 libName = "stackable_versioned";
 authors = [ 
@@ -9921,7 +9921,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; 
- sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; 
+ sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3";
 };
 procMacro = true;
 libName = "stackable_versioned_macros"; 
@@ -9989,7 +9989,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; 
- sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; 
+ sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3";
 };
 libName = "stackable_webhook";
 authors = [ 
diff --git a/crate-hashes.json b/crate-hashes.json
index 6839c8b..2bebff2 100644
--- a/crate-hashes.json
+++ b/crate-hashes.json 
@@ -4,14 +4,14 @@
 "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-derive@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n",
 "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-runtime@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n",
 "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", 
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#k8s-version@0.1.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", 
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-certs@0.4.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", 
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-operator-derive@0.3.1": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", 
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-operator@0.107.1": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", 
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-shared@0.1.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", 
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-telemetry@0.6.2": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", 
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-versioned-macros@0.8.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", 
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-versioned@0.8.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", 
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-webhook@0.9.0": 
"1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#k8s-version@0.1.3": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-certs@0.4.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-operator-derive@0.3.1": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-operator@0.107.1": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-shared@0.1.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-telemetry@0.6.2": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-versioned-macros@0.8.3": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-versioned@0.8.3": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-webhook@0.9.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file From cb64511c726d5bb36152242b15f456923c51070b Mon Sep 17 00:00:00 2001 
From: Nick Larsen Date: Thu, 9 Apr 2026 09:06:06 +0200 Subject: [PATCH 7/8] chore: Clarify comment --- deploy/helm/commons-operator/templates/roles.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/helm/commons-operator/templates/roles.yaml b/deploy/helm/commons-operator/templates/roles.yaml
index 5d521da..45f2bbe 100644
--- a/deploy/helm/commons-operator/templates/roles.yaml
+++ b/deploy/helm/commons-operator/templates/roles.yaml
@@ -6,7 +6,7 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules: 
- # Watch pods to detect and evict expired restart annotations. 
+ # Watch pods to detect expired restart annotations.
 # Watch configmaps and secrets to trigger rolling restarts of referencing StatefulSets.
 - apiGroups:
 - "" 
From 23e00cc3c05d469bfacfd5a454103b31c31044ce Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 9 Apr 2026 09:07:28 +0200 Subject: [PATCH 8/8] chore: Move rule comment inside gate --- deploy/helm/commons-operator/templates/roles.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy/helm/commons-operator/templates/roles.yaml b/deploy/helm/commons-operator/templates/roles.yaml
index 45f2bbe..7f60c0b 100644
--- a/deploy/helm/commons-operator/templates/roles.yaml
+++ b/deploy/helm/commons-operator/templates/roles.yaml
@@ -57,9 +57,9 @@ rules:
 verbs:
 - create
 - patch 
-# Required to maintain the CRD with auto-generated and rotated webhook 
-#certificates.
 {{ if .Values.maintenance.customResourceDefinitions.maintain }} 
+ # Required to maintain the CRD with auto-generated and rotated webhook 
+ # certificates.
 - apiGroups:
 - apiextensions.k8s.io
 resources: