diff --git a/CHANGELOG.md b/CHANGELOG.md index c6a2301..9175fbe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#129]). + +[#129]: https://github.com/stackabletech/opensearch-operator/pull/129 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 diff --git a/deploy/helm/opensearch-operator/templates/roles.yaml b/deploy/helm/opensearch-operator/templates/clusterrole-operator.yaml similarity index 64% rename from deploy/helm/opensearch-operator/templates/roles.yaml rename to deploy/helm/opensearch-operator/templates/clusterrole-operator.yaml index e890523..819a6e3 100644 --- a/deploy/helm/opensearch-operator/templates/roles.yaml +++ b/deploy/helm/opensearch-operator/templates/clusterrole-operator.yaml @@ -1,3 +1,4 @@ +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -5,26 +6,19 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch - # For automatic cluster domain detection + # For automatic cluster domain detection. - apiGroups: - "" resources: - nodes/proxy verbs: - get + # Manage core workload resources created per OpenSearchCluster. + # Applied via SSA, tracked for orphan cleanup, and owned by the controller. - apiGroups: - "" resources: - configmaps - - endpoints - - pods - serviceaccounts - services verbs: @@ -33,8 +27,9 @@ rules: - get - list - patch - - update - watch + # RoleBinding created per role group to bind the product ClusterRole to the workload + # ServiceAccount. Applied via SSA, tracked for orphan cleanup, and owned by the controller. - apiGroups: - rbac.authorization.k8s.io resources: @@ -45,8 +40,18 @@ rules: - get - list - patch - - update - watch + # Required to bind the product ClusterRole to the per-rolegroup ServiceAccount. + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - bind + resourceNames: + - {{ include "operator.name" . }}-clusterrole + # StatefulSet created per role group. Applied via SSA, tracked for orphan cleanup, and + # owned by the controller. - apiGroups: - apps resources: @@ -57,8 +62,9 @@ rules: - get - list - patch - - update - watch + # PodDisruptionBudget created per role group. Applied via SSA, tracked for orphan cleanup, + # and owned by the controller. - apiGroups: - policy resources: @@ -69,34 +75,37 @@ rules: - get - list - patch - - update - watch + # Required for maintaining the CRDs within the operator (including the conversion webhook info). + # Also for the startup condition check before the controller can run. - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - - get # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's # generated certificate in the conversion webhook. {{- if .Values.maintenance.customResourceDefinitions.maintain }} - create - patch + {{- end }} # Required for startup condition - list - watch - {{- end }} + # Listener created per role group for external access. Applied via SSA, tracked for orphan + # cleanup, and owned by the controller. - apiGroups: - listeners.stackable.tech resources: - listeners verbs: + - create + - delete - get - list - - watch - patch - - create - - delete + - watch + # Required to report reconciliation results and warnings back to the OpenSearchCluster object. - apiGroups: - events.k8s.io resources: @@ -104,6 +113,7 @@ rules: verbs: - create - patch + # Primary CRD: watched by the controller and read during reconciliation. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: @@ -111,50 +121,11 @@ rules: verbs: - get - list - - patch - watch + # Status subresource: updated at the end of every reconciliation. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: - {{ include "operator.name" . }}clusters/status verbs: - patch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - bind - resourceNames: - - {{ include "operator.name" . }}-clusterrole ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "operator.name" . }}-clusterrole - labels: - {{- include "operator.labels" . | nindent 4 }} -rules: - - apiGroups: - - "" - resources: - - configmaps - - secrets - - serviceaccounts - verbs: - - get - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create - - patch - - apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - nonroot-v2 - verbs: - - use diff --git a/deploy/helm/opensearch-operator/templates/clusterrole-product.yaml b/deploy/helm/opensearch-operator/templates/clusterrole-product.yaml new file mode 100644 index 0000000..8fa9248 --- /dev/null +++ b/deploy/helm/opensearch-operator/templates/clusterrole-product.yaml @@ -0,0 +1,21 @@ +--- +# Product ClusterRole: bound (via per OpenSearchCluster RoleBinding) to the ServiceAccount that +# OpenSearch workload pods run as. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "operator.name" . }}-clusterrole + labels: + {{- include "operator.labels" . | nindent 4 }} +rules: +{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # Required on OpenShift to allow the OpenSearch pods to run as a non-root user. + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nonroot-v2 + verbs: + - use +{{ end }}