chore: Describe RBAC rules, remove unnecessary rules

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#869]).
 - Bump stackable-operator to 0.109.0 ([#877]).
 - Warn when an unsupported OIDC client authentication method is configured ([#877]).
 
@@ -16,6 +17,7 @@ All notable changes to this project will be documented in this file.
   could cause Trino Pods to have different shared secrets, causing workers failing to join the coordinator.
   This fix places the secrets in mutable Kubernetes Secrets going forward and migrates existing immutable Secrets to mutable by re-creating them ([#876]).
 
+[#869]: https://github.com/stackabletech/trino-operator/pull/869
 [#876]: https://github.com/stackabletech/trino-operator/pull/876
 [#877]: https://github.com/stackabletech/trino-operator/pull/877
 

deploy/helm/trino-operator/templates/roles.yaml → deploy/helm/trino-operator/templates/clusterrole-operator.yaml

@@ -6,49 +6,52 @@ metadata:
   labels:
   {{- include "operator.labels" . | nindent 4 }}
 rules:
-  # For OPA dependents. Note that OPA it's self is listed here because it's own resource name
-  # doesn't follow the *clusters convention
+  # For automatic cluster domain detection
   - apiGroups:
-      - opa.stackable.tech
+      - ""
     resources:
-      - regorules
+      - nodes/proxy
     verbs:
-      - create
       - get
-      - list
-      - watch
-      - patch
+  # Manage core workload resources created per TrinoCluster.
+  # All resources are applied via Server-Side Apply (create + patch) and tracked for
+  # orphan cleanup (list + delete).
   - apiGroups:
       - ""
     resources:
-      - nodes
+      - configmaps
+      - services
     verbs:
+      - create
+      - delete
+      - get
       - list
+      - patch
       - watch
-  # For automatic cluster domain detection
+  # ServiceAccount created per TrinoCluster for workload pod identity.
+  # Applied via SSA and tracked for orphan cleanup.
   - apiGroups:
       - ""
     resources:
-      - nodes/proxy
+      - serviceaccounts
     verbs:
+      - create
+      - delete
       - get
+      - list
+      - patch
+  # Shared internal authentication secrets (communication key and spooling secret).
+  # Orphan cleanup not needed (instead, Kubernetes GC via owner reference).
   - apiGroups:
       - ""
     resources:
-      - pods
-      - configmaps
       - secrets
-      - services
-      - endpoints
-      - serviceaccounts
     verbs:
       - create
-      - delete
       - get
-      - list
       - patch
-      - update
-      - watch
+  # RoleBinding created per TrinoCluster to bind the product ClusterRole to the workload
+  # ServiceAccount. Applied via SSA and tracked for orphan cleanup.
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:
@@ -59,32 +62,29 @@ rules:
       - get
       - list
       - patch
-      - update
-      - watch
+  # Required to bind the product ClusterRole to the per-cluster ServiceAccount.
   - apiGroups:
-      - apps
+      - rbac.authorization.k8s.io
     resources:
-      - statefulsets
+      - clusterroles
     verbs:
-      - get
-      - create
-      - delete
-      - list
-      - patch
-      - update
-      - watch
+      - bind
+    resourceNames:
+      - {{ include "operator.name" . }}-clusterrole
+  # StatefulSet created per role group. Applied via SSA, tracked for orphan cleanup, and
+  # owned by the controller.
   - apiGroups:
-      - batch
+      - apps
     resources:
-      - jobs
+      - statefulsets
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
       - watch
+  # PodDisruptionBudget created per role. Applied via SSA and tracked for orphan cleanup.
   - apiGroups:
       - policy
     resources:
@@ -95,56 +95,59 @@ rules:
       - get
       - list
       - patch
-      - update
-      - watch
+  # Required for maintaining the CRDs within the operator (including the conversion webhook info).
+  # Also for the startup condition check before the controller can run.
   - apiGroups:
       - apiextensions.k8s.io
     resources:
       - customresourcedefinitions
     verbs:
-      - get
       # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
       # generated certificate in the conversion webhook.
       {{- if .Values.maintenance.customResourceDefinitions.maintain }}
       - create
       - patch
+      {{- end }}
       # Required for startup condition
       - list
       - watch
-      {{- end }}
+  # Listener created per role group for external access. Applied via SSA and tracked for orphan
+  # cleanup.
   - apiGroups:
       - listeners.stackable.tech
     resources:
       - listeners
     verbs:
+      - create
+      - delete
       - get
       - list
-      - watch
       - patch
-      - create
-      - delete
+  # Required to report reconciliation results and warnings back to the TrinoCluster object.
   - apiGroups:
       - events.k8s.io
     resources:
       - events
     verbs:
       - create
       - patch
+  # Primary CRD: watched by the controller and read during reconciliation.
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters
     verbs:
       - get
       - list
-      - patch
       - watch
+  # Status subresource: updated at the end of every reconciliation.
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters/status
     verbs:
       - patch
+  # Read S3 connection configuration referenced in catalog definitions.
   - apiGroups:
       - s3.stackable.tech
     resources:
@@ -153,6 +156,7 @@ rules:
       - get
       - list
       - watch
+  # Read TrinoCatalog resources referenced in the TrinoCluster spec.
   - apiGroups:
       - trino.stackable.tech
     resources:
@@ -161,6 +165,7 @@ rules:
       - get
       - list
       - watch
+  # Read authentication class configuration referenced in the TrinoCluster spec.
   - apiGroups:
       - authentication.stackable.tech
     resources:
@@ -169,44 +174,3 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
-      - clusterroles
-    verbs:
-      - bind
-    resourceNames:
-      - {{ include "operator.name" . }}-clusterrole
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "operator.name" . }}-clusterrole
-  labels:
-  {{- include "operator.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - secrets
-      - serviceaccounts
-    verbs:
-      - get
-  - apiGroups:
-      - events.k8s.io
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
-  - apiGroups:
-      - security.openshift.io
-    resources:
-      - securitycontextconstraints
-    resourceNames:
-      - nonroot-v2
-    verbs:
-      - use
-{{ end }}

deploy/helm/trino-operator/templates/clusterrole-product.yaml

@@ -0,0 +1,21 @@
+---
+# Product ClusterRole: bound (via per TrinoCluster RoleBinding) to the ServiceAccount that Trino
+# workload pods (coordinators, workers) run as.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "operator.name" . }}-clusterrole
+  labels:
+  {{- include "operator.labels" . | nindent 4 }}
+rules:
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+  # Required on OpenShift to allow the Trino pods to run as a non-root user.
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - nonroot-v2
+    verbs:
+      - use
+{{ end }}