chore: Describe RBAC rules, remove unnecessary rules (#869)

* chore: Describe RBAC rules, remove unnecessary rules

* chore: Update changelog

* Apply suggestions from code review

Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>

* chore: Add missing rule descriptions

* chore: Remove the get for customresourcedefinitions for the operator clusterrole

Not needed for CRD maintenance

* chore: Remove the configmaps/secrets/serviceaccounts get rule for the product clusterrole

Product pods will have necessary  secrets/configmaps mounted and not directly talk to Kubernetes

* chore: Always allow list/watch for customresourcedefinitions

Required for startup condition

* chore: Simplify the rule descriptions

* chore: Remove the events.k8s.io rule from the product ClusterRole

The operator takes care of events

* chore: Keep the rbac.authorization.k8s.io rules within a ClusterRole close to each other

* chore: Split the roles.yaml into separate files for clusterrole-operator.yaml and clusterrole-product.yaml

* chore: Restore secrets/delete permission

Now needed since #876

Co-authored-by: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>

---------

Co-authored-by: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>

Author: NickLarsenNZ

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#869]).
 - Bump stackable-operator to 0.109.0 ([#877]).
 - Warn when an unsupported OIDC client authentication method is configured ([#877]).
 
@@ -16,6 +17,7 @@ All notable changes to this project will be documented in this file.
   could cause Trino Pods to have different shared secrets, causing workers failing to join the coordinator.
   This fix places the secrets in mutable Kubernetes Secrets going forward and migrates existing immutable Secrets to mutable by re-creating them ([#876]).
 
+[#869]: https://github.com/stackabletech/trino-operator/pull/869
 [#876]: https://github.com/stackabletech/trino-operator/pull/876
 [#877]: https://github.com/stackabletech/trino-operator/pull/877
 

…helm/trino-operator/templates/roles.yaml …ator/templates/clusterrole-operator.yamldeploy/helm/trino-operator/templates/roles.yaml renamed to deploy/helm/trino-operator/templates/clusterrole-operator.yaml deploy/helm/trino-operator/templates/roles.yaml renamed to deploy/helm/trino-operator/templates/clusterrole-operator.yaml

@@ -6,49 +6,54 @@ metadata:
   labels:
   {{- include "operator.labels" . | nindent 4 }}
 rules:
-  # For OPA dependents. Note that OPA it's self is listed here because it's own resource name
-  # doesn't follow the *clusters convention
+  # For automatic cluster domain detection
   - apiGroups:
-      - opa.stackable.tech
+      - ""
     resources:
-      - regorules
+      - nodes/proxy
     verbs:
-      - create
       - get
-      - list
-      - watch
-      - patch
+  # Manage core workload resources created per TrinoCluster.
+  # All resources are applied via Server-Side Apply (create + patch) and tracked for
+  # orphan cleanup (list + delete).
   - apiGroups:
       - ""
     resources:
-      - nodes
+      - configmaps
+      - services
     verbs:
+      - create
+      - delete
+      - get
       - list
+      - patch
       - watch
-  # For automatic cluster domain detection
+  # ServiceAccount created per TrinoCluster for workload pod identity.
+  # Applied via SSA and tracked for orphan cleanup.
   - apiGroups:
       - ""
     resources:
-      - nodes/proxy
+      - serviceaccounts
     verbs:
+      - create
+      - delete
       - get
+      - list
+      - patch
+  # Shared internal authentication secrets (communication key and spooling secret).
+  # Delete is needed to migrate immutable secrets to mutable ones.
+  # Orphan cleanup not needed (instead, Kubernetes GC via owner reference).
   - apiGroups:
       - ""
     resources:
-      - pods
-      - configmaps
       - secrets
-      - services
-      - endpoints
-      - serviceaccounts
     verbs:
       - create
       - delete
       - get
-      - list
       - patch
-      - update
-      - watch
+  # RoleBinding created per TrinoCluster to bind the product ClusterRole to the workload
+  # ServiceAccount. Applied via SSA and tracked for orphan cleanup.
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:
@@ -59,32 +64,29 @@ rules:
       - get
       - list
       - patch
-      - update
-      - watch
+  # Required to bind the product ClusterRole to the per-cluster ServiceAccount.
   - apiGroups:
-      - apps
+      - rbac.authorization.k8s.io
     resources:
-      - statefulsets
+      - clusterroles
     verbs:
-      - get
-      - create
-      - delete
-      - list
-      - patch
-      - update
-      - watch
+      - bind
+    resourceNames:
+      - {{ include "operator.name" . }}-clusterrole
+  # StatefulSet created per role group. Applied via SSA, tracked for orphan cleanup, and
+  # owned by the controller.
   - apiGroups:
-      - batch
+      - apps
     resources:
-      - jobs
+      - statefulsets
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
       - watch
+  # PodDisruptionBudget created per role. Applied via SSA and tracked for orphan cleanup.
   - apiGroups:
       - policy
     resources:
@@ -95,56 +97,59 @@ rules:
       - get
       - list
       - patch
-      - update
-      - watch
+  # Required for maintaining the CRDs within the operator (including the conversion webhook info).
+  # Also for the startup condition check before the controller can run.
   - apiGroups:
       - apiextensions.k8s.io
     resources:
       - customresourcedefinitions
     verbs:
-      - get
       # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
       # generated certificate in the conversion webhook.
       {{- if .Values.maintenance.customResourceDefinitions.maintain }}
       - create
       - patch
+      {{- end }}
       # Required for startup condition
       - list
       - watch
-      {{- end }}
+  # Listener created per role group for external access. Applied via SSA and tracked for orphan
+  # cleanup.
   - apiGroups:
       - listeners.stackable.tech
     resources:
       - listeners
     verbs:
+      - create
+      - delete
       - get
       - list
-      - watch
       - patch
-      - create
-      - delete
+  # Required to report reconciliation results and warnings back to the TrinoCluster object.
   - apiGroups:
       - events.k8s.io
     resources:
       - events
     verbs:
       - create
       - patch
+  # Primary CRD: watched by the controller and read during reconciliation.
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters
     verbs:
       - get
       - list
-      - patch
       - watch
+  # Status subresource: updated at the end of every reconciliation.
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters/status
     verbs:
       - patch
+  # Read S3 connection configuration referenced in catalog definitions.
   - apiGroups:
       - s3.stackable.tech
     resources:
@@ -153,6 +158,7 @@ rules:
       - get
       - list
       - watch
+  # Read TrinoCatalog resources referenced in the TrinoCluster spec.
   - apiGroups:
       - trino.stackable.tech
     resources:
@@ -161,6 +167,7 @@ rules:
       - get
       - list
       - watch
+  # Read authentication class configuration referenced in the TrinoCluster spec.
   - apiGroups:
       - authentication.stackable.tech
     resources:
@@ -169,44 +176,3 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
-      - clusterroles
-    verbs:
-      - bind
-    resourceNames:
-      - {{ include "operator.name" . }}-clusterrole
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "operator.name" . }}-clusterrole
-  labels:
-  {{- include "operator.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - secrets
-      - serviceaccounts
-    verbs:
-      - get
-  - apiGroups:
-      - events.k8s.io
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
-  - apiGroups:
-      - security.openshift.io
-    resources:
-      - securitycontextconstraints
-    resourceNames:
-      - nonroot-v2
-    verbs:
-      - use
-{{ end }}

deploy/helm/trino-operator/templates/clusterrole-product.yaml

@@ -0,0 +1,21 @@
+---
+# Product ClusterRole: bound (via per TrinoCluster RoleBinding) to the ServiceAccount that Trino
+# workload pods (coordinators, workers) run as.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "operator.name" . }}-clusterrole
+  labels:
+  {{- include "operator.labels" . | nindent 4 }}
+rules:
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+  # Required on OpenShift to allow the Trino pods to run as a non-root user.
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - nonroot-v2
+    verbs:
+      - use
+{{ end }}