chore: Describe RBAC rules, remove unnecessary rules (#820)

* chore: Describe RBAC rules, remove unnecessary rules

* chore: Add missing rule comments

* chore: Update changelog

* chore: Remove the get for customresourcedefinitions for the operator clusterrole

Not needed for CRD maintenance nor startup condition

* chore: Remove nodes list/watch

Not needed for clusterDomain detection

* chore: Remove the configmaps/secrets/serviceaccounts rule for the product clusterrole

OPA doesn't interact with the Kubernetes API

* fix: Always allow customresourcedefinitions list/watch

Required for startup condition regardless of CRD maintenance

* chore: Simplify the rule comments

* chore: Remove the events.k8s.io rule from the product ClusterRole

Neither OPA nor UIF interact with the Kubernetes API

* chore: Keep the rbac.authorization.k8s.io rules within a ClusterRole close to each other

* chore: Split the roles.yaml into separate files for clusterrole-operator.yaml and clusterrole-product.yaml

Also rename the opa-builder clusterrole file to be consistent

* chore: Update changelog

* chore: Restore rules after discovering that the bundle-builder clusterrole is not used

* chore: Preserve comment on part of rule

* chore: Add description to operator clusterrole

Author: NickLarsenNZ

CHANGELOG.md

@@ -8,8 +8,10 @@ All notable changes to this project will be documented in this file.
 
 - Set `maxSurge=1` and `maxUnavailable=0` on the OPA DaemonSet rolling update strategy to eliminate
   availability gaps during rolling updates ([#819]).
+- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#820]).
 
 [#819]: https://github.com/stackabletech/opa-operator/pull/819
+[#820]: https://github.com/stackabletech/opa-operator/pull/820
 
 ## [26.3.0] - 2026-03-16
 

deploy/helm/opa-operator/templates/clusterrole-opa-builder.yaml

@@ -0,0 +1,33 @@
+---
+# This ClusterRole is for the OPA bundle builder sidecar, which reads
+# Rego rules from ConfigMaps and compiles them into bundles for OPA.
+#
+# NOTE: This ClusterRole is currently not bound to any ServiceAccount. The
+# bundle-builder sidecar relies on the product ClusterRole for ConfigMap access
+# instead. The operator should be updated to bind this ClusterRole to the
+# product ServiceAccount via a separate RoleBinding.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-opa-bundle-builder-clusterrole
+rules:
+  # Read and watch ConfigMaps containing Rego rules used to build bundles
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - watch
+      - list
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+  # Allow the bundle builder pods to use the opa-scc SCC on OpenShift
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - opa-scc
+    verbs:
+      - use
+{{ end }}

…y/helm/opa-operator/templates/roles.yaml …ator/templates/clusterrole-operator.yamldeploy/helm/opa-operator/templates/roles.yaml renamed to deploy/helm/opa-operator/templates/clusterrole-operator.yaml deploy/helm/opa-operator/templates/roles.yaml renamed to deploy/helm/opa-operator/templates/clusterrole-operator.yaml

@@ -1,155 +1,118 @@
 ---
+# Operator ClusterRole: bound (via ClusterRoleBinding) to the operator's own ServiceAccount.
+# Grants permissions needed by the controller to reconcile OpaCluster resources.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ include "operator.fullname" . }}-clusterrole
   labels:
   {{- include "operator.labels" . | nindent 4 }}
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - list
-      - watch
   # For automatic cluster domain detection
   - apiGroups:
       - ""
     resources:
       - nodes/proxy
     verbs:
       - get
+  # Manage core workload resources created per OpaCluster.
+  # All resources are applied via Server-Side Apply (create + patch) and tracked for
+  # orphan cleanup (list + delete).
   - apiGroups:
       - ""
     resources:
-      - pods
       - configmaps
-      - secrets
       - services
-      - endpoints
-      - serviceaccounts
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
       - watch
+  # ServiceAccount created per OpaCluster for workload pod identity.
+  # Applied via SSA and tracked for orphan cleanup.
   - apiGroups:
-      - rbac.authorization.k8s.io
+      - ""
     resources:
-      - rolebindings
+      - serviceaccounts
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
-      - watch
+  # RoleBinding created per OpaCluster to bind the product ClusterRole to the workload
+  # ServiceAccount. Applied via SSA and tracked for orphan cleanup.
   - apiGroups:
-      - apps
+      - rbac.authorization.k8s.io
     resources:
-      - daemonsets
+      - rolebindings
     verbs:
-      - get
       - create
       - delete
+      - get
       - list
       - patch
-      - update
-      - watch
+  # Required to bind the product ClusterRole to the per-cluster ServiceAccount.
   - apiGroups:
-      - batch
+      - rbac.authorization.k8s.io
     resources:
-      - jobs
+      - clusterroles
+    verbs:
+      - bind
+    resourceNames:
+      - {{ include "operator.name" . }}-clusterrole
+  # DaemonSet created per role group. Applied via SSA, tracked for orphan cleanup, and
+  # owned by the controller.
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
     verbs:
       - create
+      - delete
       - get
       - list
       - patch
-      - update
       - watch
+  # Required for maintaining the CRDs within the operator (including the conversion webhook info).
+  # Also for the startup condition check before the controller can run.
   - apiGroups:
       - apiextensions.k8s.io
     resources:
       - customresourcedefinitions
     verbs:
-      - get
       # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
       # generated certificate in the conversion webhook.
       {{- if .Values.maintenance.customResourceDefinitions.maintain }}
       - create
       - patch
+      {{- end }}
       # Required for startup condition
       - list
       - watch
-      {{- end }}
+  # Required to report reconciliation results and warnings back to the OpaCluster object.
   - apiGroups:
       - events.k8s.io
     resources:
       - events
     verbs:
       - create
       - patch
+  # Primary CRD: watched by the controller and read during reconciliation.
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters
     verbs:
       - get
       - list
-      - patch
       - watch
+  # Status subresource: updated at the end of every reconciliation.
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters/status
     verbs:
       - patch
-  - apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
-      - clusterroles
-    verbs:
-      - bind
-    resourceNames:
-      - {{ include "operator.name" . }}-clusterrole
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "operator.name" . }}-clusterrole
-  labels:
-  {{- include "operator.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - secrets
-      - serviceaccounts
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - events.k8s.io
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
-  - apiGroups:
-      - security.openshift.io
-    resources:
-      - securitycontextconstraints
-    resourceNames:
-      - nonroot-v2
-    verbs:
-      - use
-{{ end }}

deploy/helm/opa-operator/templates/clusterrole-product.yaml

@@ -0,0 +1,32 @@
+---
+# Product ClusterRole: bound (via per OpaCluster RoleBinding) to the ServiceAccount that OPA
+# workload pods run as.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "operator.name" . }}-clusterrole
+  labels:
+  {{- include "operator.labels" . | nindent 4 }}
+rules:
+  # The bundle-builder sidecar lists and watches ConfigMaps labeled opa.stackable.tech/bundle
+  # to compile Rego rules into bundles. It shares this ServiceAccount because the bundle-builder
+  # ClusterRole (clusterrole-opa-builder.yaml) is not yet bound to the product ServiceAccount.
+  # TODO: Wire up the bundle-builder ClusterRole binding in the operator and remove this rule.
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - list
+      - watch
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+  # Required on OpenShift to allow the OPA pods to run as a non-root user.
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - nonroot-v2
+    verbs:
+      - use
+{{ end }}