Skip to content

chore: Describe RBAC rules, remove unnecessary rules#380

Merged
NickLarsenNZ merged 7 commits intomainfrom
chore/rbac-review
Apr 9, 2026
Merged

chore: Describe RBAC rules, remove unnecessary rules#380
NickLarsenNZ merged 7 commits intomainfrom
chore/rbac-review

Conversation

@NickLarsenNZ
Copy link
Copy Markdown
Member

@NickLarsenNZ NickLarsenNZ commented Mar 25, 2026
edited
Loading

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. the changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files Core operators don't have product roles

Removed rules/verbs:

  • listeners update removed - No client.update() calls exist in the codebase. All mutation uses apply_patch (SSA) or merge_patch, which only require patch.
  • listeners/finalizers entire resource removed - No finalizer management exists in the operator code. The kube-rs Controller does not add finalizers automatically. Added in commit b2559c3 but never used.
  • listeners/status create, delete, update removed - Status subresources only need patch (via client.apply_patch_status()). create, delete, and update on a subresource are not meaningful here.
  • podlisteners delete, update removed - PodListeners is not in delete_orphaned_resources and there are no client.delete::<PodListeners>() calls. update is unused for the same reason as listeners.

@NickLarsenNZ NickLarsenNZ mentioned this pull request Mar 25, 2026
Open
17 tasks
NickLarsenNZ
NickLarsenNZ commented Apr 2, 2026
View reviewed changes
NickLarsenNZ and others added 3 commits April 2, 2026 10:04
@NickLarsenNZ
Copy link
Copy Markdown
Member Author

NickLarsenNZ commented Apr 9, 2026 

--- PASS: kuttl/harness/overrides (6.59s)
--- PASS: kuttl/harness/custom-lbclass_openshift-false_loadbalancer-allocatenodeports-false (7.80s)
--- PASS: kuttl/harness/custom-lbclass_openshift-false_loadbalancer-allocatenodeports-true (7.66s)
--- PASS: kuttl/harness/smoke-nodeport_openshift-false_addressType-Hostname (33.52s)
--- PASS: kuttl/harness/smoke-nodeport_openshift-false_addressType-IP (26.53s)
--- PASS: kuttl/harness/smoke-nodeport_openshift-false_addressType-HostnameConservative (27.58s)

@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 9, 2026 08:28
@NickLarsenNZ NickLarsenNZ self-assigned this Apr 9, 2026
NickLarsenNZ
NickLarsenNZ commented Apr 9, 2026
View reviewed changes
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 9, 2026
@razvan razvan self-requested a review April 9, 2026 11:33
@razvan razvan moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Apr 9, 2026
razvan
razvan approved these changes Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@razvan razvan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@NickLarsenNZ NickLarsenNZ added this pull request to the merge queue Apr 9, 2026
@NickLarsenNZ NickLarsenNZ moved this from Development: In Review to Development: Done in Stackable Engineering Apr 9, 2026
Merged via the queue into main with commit 701f694 Apr 9, 2026
12 checks passed
@NickLarsenNZ NickLarsenNZ deleted the chore/rbac-review branch April 9, 2026 12:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@razvan razvan razvan approved these changes

Assignees

@NickLarsenNZ NickLarsenNZ

Labels

None yet

Projects

Stackable Engineering
Status: Development: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NickLarsenNZ @razvan