RBAC overhaul#804
Draft
alex-bezek wants to merge 8 commits intomainfrom
Draft
Conversation
github-actions
Bot
added
area/controller
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #804 +/- ##
==========================================
- Coverage 53.38% 52.75% -0.64%
==========================================
Files 101 101
Lines 11325 11325
==========================================
- Hits 6046 5974 -72
- Misses 4852 4908 +56
- Partials 427 443 +16 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Captures the motivation, constraints, and design decisions for the RBAC overhaul before the implementation changes land.
…r-gen RBAC output RBAC is now defined explicitly in Helm templates rather than generated from code annotations. Removes all +kubebuilder:rbac markers from controllers and drain.go, and drops the rbac output target from controller-gen so it no longer clobbers the Helm-managed files.
alex-bezek
force-pushed
the
alex/rbac-overhaul
branch
2 times, most recently
from
6bf98aa to
7b6ac71
Compare
… Helm templates
Replaces the monolithic controller-rbac.yaml and per-component rbac.yaml
files with a consistent per-component directory structure (agent/,
api-manager/, bindings-forwarder/). Each component now owns its own
Role, RoleBinding, and optional namespace-scoped variants.
Key changes:
- agent: split rbac.yaml into role.yaml + rolebinding.yaml with
optional namespaced variants for namespace-scoped installs
- api-manager: moved from templates/rbac/role.yaml into dedicated
api-manager/ directory alongside its other templates; adds
leader-election-role.yaml and namespaced role support
- bindings-forwarder: renamed rbac.yaml -> role.yaml for consistency
- Deleted controller-rbac.yaml (replaced by api-manager/role.yaml)
- Renamed controller-{cm,deployment,pdb,serviceaccount}.yaml into
api-manager/ directory for cohesion
- Renamed service-account.yaml -> serviceaccount.yaml everywhere
- values.yaml/schema: adds crdAccessRoles and per-component RBAC flags
Moves existing editor/viewer roles into a dedicated rbac/crd-access/ subdirectory with consistent naming, and adds new roles for NgrokTrafficPolicy (previously missing). These ClusterRoles are for users of the operator — granting cluster members read or write access to ngrok CRDs — as opposed to the operator's own service account permissions.
…tion Updates all Helm unit tests and snapshots to match the reorganized template structure (per-component directories, renamed files). Adds new test suites for api-manager RBAC and crd-access roles. Also adds a chainsaw e2e test that verifies the operator's service accounts have exactly the permissions they need — no more, no less.
Regenerates manifest-bundle.yaml and updates the Helm README to reflect the new values added for per-component RBAC configuration.
alex-bezek
force-pushed
the
alex/rbac-overhaul
branch
from
7b6ac71 to
b747a87
Compare
jonstacks
approved these changes
Apr 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
related: #K8SOP-246
What
Overhauls RBAC across all three operator deployments (api-manager, agent-manager, bindings-forwarder) to:
kubebuilder:rbacmarkers from Go code. This follows the pattern used by cert-manager, Kyverno, ArgoCD, and other multi-deployment operators.api-manager/,agent/,bindings-forwarder/).watchNamespaceis set, namespace-scoped resources use a Role instead of a ClusterRole. Cluster-scoped resources (namespaces, ingressclasses, gatewayclasses) remain in a ClusterRole.How
Bug fixes
bindingconfiguration,operatorconfiguration)boundendpointeditor/viewer roles — wrong API group (ngrok.k8s.ngrok.com→bindings.k8s.ngrok.com)proxy-roleClusterRole (leftover kube-rbac-proxy scaffolding)secret-manager-roleinto api-manager role (add secret create/update/patch)tunnelsrules from agent ClusterRole (Tunnel CRD no longer exists)eventsrule from bindings-forwarderclusterRole.annotationsfrom operator-internal rolesRestructure
controller-*.yamltemplates intotemplates/api-manager/directoryrole.yaml,rolebinding.yaml, etc.)service-account.yaml→serviceaccount.yamlfor consistencytemplates/rbac/crd-access/with consistent namingGo / build changes
+kubebuilder:rbacmarkers from 18 Go files (comment-only changes)rbac:roleName=...andoutput:rbac:...from controller-gen command ingenerate.mkvalues.yaml
clusterRole→crdAccessRoles(only applies to CRD access editor/viewer roles)crdAccessRoles.createtoggleNamespace-scoping
isNamespacedandwatchNamespacehelpers in_helpers.tplrole.yaml(ClusterRole, default) androle-namespaced.yaml(Role, watchNamespace) with simpleif/if notguardsVerification
specs/rbac/)kubectl auth can-i --listper SA against baselineBreaking Changes
clusterRole.annotationsrenamed tocrdAccessRoles.annotationsinvalues.yaml. Users setting this value will need to update their Helm values.proxy-roleClusterRole removed (grantstokenreviewsandsubjectaccessreviews). This was dead scaffolding from kube-rbac-proxy which was never deployed. No functional impact.