diff --git a/CHANGELOG.md b/CHANGELOG.md
index 785ced21..9a6b25d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#916]). + +[#916]: https://github.com/stackabletech/nifi-operator/pull/916 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16
diff --git a/deploy/helm/nifi-operator/templates/roles.yaml b/deploy/helm/nifi-operator/templates/clusterrole-operator.yaml
similarity index 64%
rename from deploy/helm/nifi-operator/templates/roles.yaml
rename to deploy/helm/nifi-operator/templates/clusterrole-operator.yaml
index b90559d5..38ecb56d 100644
--- a/deploy/helm/nifi-operator/templates/roles.yaml
+++ b/deploy/helm/nifi-operator/templates/clusterrole-operator.yaml
@@ -1,3 +1,4 @@ +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -5,13 +6,6 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - - apiGroups: - - "" resources: - nodes verbs: - list - watch # For automatic cluster domain detection - apiGroups: - ""
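Review bot: After this hunk the rule left under `# For automatic cluster domain detection` is `nodes/proxy` with `get` (its resource line is context at the start of the next hunk), and that is a broader grant than the removed `nodes` list/watch: `get` on `nodes/proxy` lets the operator send GET requests through the API server to the kubelet of every node, not just read one setting. The comment should say what is actually fetched and why the rule cannot be narrowed, e.g. `# For automatic cluster domain detection: reads the cluster domain from the kubelet through nodes/proxy (confirm the exact endpoint); cannot be pinned with resourceNames because node names are not known at install time.` If detection only needs the node the operator pod runs on, that still cannot be expressed in a cluster-scoped rule, so documenting the trade-off is the useful outcome here.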
@@ -19,23 +13,42 @@ rules: - nodes/proxy verbs: - get + # Manage core workload resources created per NifiCluster. + # Applied via SSA and tracked for orphan cleanup. - apiGroups: - "" resources: - - pods - configmaps - services - - endpoints - - secrets - - serviceaccounts verbs: - create - delete - get - list - patch - - update - watch + # ServiceAccount created per NifiCluster for workload pod identity. + # Applied via SSA and tracked for orphan cleanup. + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + # Sensitive properties key and (when OIDC) admin password secret. + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + # RoleBinding created per NifiCluster to bind the product ClusterRole to the workload + # ServiceAccount. Applied via SSA and tracked for orphan cleanup. - apiGroups: - rbac.authorization.k8s.io resources:
@@ -46,20 +59,29 @@ rules: - get - list - patch - - update - - watch + # Required to bind the product ClusterRole to per-cluster ServiceAccounts + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - bind + resourceNames: + - {{ include "operator.name" . }}-clusterrole + # StatefulSet created per role group. Applied via SSA, tracked for orphan cleanup, and + # owned by the controller. - apiGroups: - apps resources: - statefulsets verbs: - - get - create - delete + - get - list - patch - - update - watch + # Optional reporting-task Job (NiFi 1.x only). Applied via SSA and tracked for orphan cleanup. - apiGroups: - batch resources:
@@ -70,8 +92,7 @@ rules: - get - list - patch - - update - - watch + # PodDisruptionBudget created per role. Applied via SSA and tracked for orphan cleanup. - apiGroups: - policy resources:
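Review bot: The new `secrets` rule grants `get` and `create` in every namespace with neither `delete` nor `patch`, and it is the one rule in this hunk whose comment does not say what happens after creation; its neighbours are documented as tracked for orphan cleanup, Secrets are not, so a generated secret presumably outlives its NifiCluster, and without `patch` an existing secret cannot be corrected by the operator. State that in the comment, e.g. `# Sensitive properties key and (when OIDC) admin password secret. Written once (no patch) and never deleted by the operator; get cannot be narrowed with resourceNames because the names are per cluster.`, after confirming the write-once behaviour against the reconcile code. The `serviceaccounts` rule above it drops `watch` while the configmaps/services rule keeps it; if that is deliberate because ServiceAccounts are never watched by the controller, a short note like the one on the StatefulSet rule in the next hunk would make the asymmetry intentional rather than accidental.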
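Review bot: The `bind` rule's comment says what it is for but not why this is the safe form: `bind` on one named ClusterRole is what lets the operator create RoleBindings that reference permissions it does not hold itself (the product role's leases and OpenShift SCC use) without being granted `escalate`, and the `resourceNames` pin is what prevents it from binding any other ClusterRole. Suggest `# bind (not escalate) on exactly the product ClusterRole: needed because the per-cluster RoleBinding grants permissions the operator itself lacks; never widen resourceNames.` Dropping `update`/`watch` from rolebindings and statefulsets is consistent with the SSA apply the other comments describe.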
@@ -82,23 +103,23 @@ rules: - get - list - patch - - update - - watch + # Required for maintaining the CRDs within the operator (including the conversion webhook info). + # Also for the startup condition check before the controller can run. - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - - get # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's # generated certificate in the conversion webhook. {{- if .Values.maintenance.customResourceDefinitions.maintain }} - create - patch + {{- end }} # Required for startup condition - list - watch - {{- end }} + # Required to report reconciliation results and warnings back to the NifiCluster object. - apiGroups: - events.k8s.io resources:
@@ -106,17 +127,19 @@ rules: verbs: - create - patch + # Listener created per role group for external access. Applied via SSA and tracked for orphan + # cleanup. - apiGroups: - listeners.stackable.tech resources: - listeners verbs: + - create + - delete - get - list - - watch - patch - - create - - delete + # Primary CRD: watched by the controller and read during reconciliation. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources:
@@ -124,14 +147,15 @@ rules: verbs: - get - list - - patch - watch + # Status subresource: updated at the end of every reconciliation. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: - {{ include "operator.name" . }}clusters/status verbs: - patch + # Read authentication class configuration referenced in the NifiCluster spec. - apiGroups: - authentication.stackable.tech resources:
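Review bot: `get` on `customresourcedefinitions` disappears entirely in this hunk (the old `- get` line is removed and nothing re-adds it inside or outside the `{{- if }}`), so with `maintain` enabled the operator keeps create/patch/list/watch but can no longer read one CRD by name; if the CRD maintenance or the startup condition fetches the CRD before applying or waiting on it, that path will now fail at runtime, so please confirm against the operator's CRD code before merging. If the drop is intentional, say so in the new header, e.g. `# get is intentionally absent: the CRD is applied with SSA and observed through list/watch only.` The rule now also carries two overlapping explanations, the new header and the older `# Required to maintain the CRD…` context comment both covering the conversion-webhook certificate; fold the older one into the header so the rule has a single explanation.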
@@ -140,70 +164,3 @@ rules: - get - list - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - bind - resourceNames: - - {{ include "operator.name" . }}-clusterrole ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "operator.name" . }}-clusterrole - labels: - {{- include "operator.labels" . | nindent 4 }} -rules: - - apiGroups: - - "" - resources: - - secrets - - serviceaccounts - # This is redundant with the rule for specifically about configmaps - # (due to clustering), but we read them for other purposes too - - configmaps - verbs: - - get - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create - - patch - # Required for Kubernetes-managed clustering, see https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-clustering - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update - # undocumented but required - - patch - # Required for Kubernetes cluster state provider, see https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-configmap-cluster-state-provider - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update -{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} - - apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - nonroot-v2 - verbs: - - use -{{ end }}
diff --git a/deploy/helm/nifi-operator/templates/clusterrole-product.yaml b/deploy/helm/nifi-operator/templates/clusterrole-product.yaml
new file mode 100644
index 00000000..4c05179b
--- /dev/null
+++ b/deploy/helm/nifi-operator/templates/clusterrole-product.yaml
@@ -0,0 +1,42 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "operator.name" . }}-clusterrole + labels: + {{- include "operator.labels" . | nindent 4 }} +rules: + # Required for Kubernetes-managed clustering, see https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-clustering + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update + # undocumented but required + - patch + # Required for Kubernetes cluster state provider, see https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-configmap-cluster-state-provider + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update +{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # Required to use the nonroot-v2 SCC on OpenShift + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nonroot-v2 + verbs: + - use +{{ end }}
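Review bot: This ClusterRole is cluster-scoped but, according to the operator role's comments, is only ever bound through a per-NifiCluster RoleBinding, and nothing in the new file says so; a reader, or a future ClusterRoleBinding added in good faith, could take the `configmaps` `delete`/`list` grant as cluster-wide. Add a header comment above `rules`, e.g. `# Permissions for the NiFi workload ServiceAccount. Bound only through a namespaced RoleBinding created by the operator, so every rule here is effectively limited to the NifiCluster's namespace; do not bind this with a ClusterRoleBinding.` Style: the OpenShift block uses `{{ if … }}`/`{{ end }}` without whitespace trimming, which leaves an empty line in the rendered manifest on non-OpenShift clusters, whereas the operator template uses `{{- if … }}`/`{{- end }}`; use the trimming form here for consistency.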