From 84e868f22bec779d276a4ac2c0d329a6708c75ae Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Wed, 25 Mar 2026 14:26:04 +0100
Subject: [PATCH 1/7] chore: Describe RBAC rules, remove unnecessary rules
---
 .../helm/hbase-operator/templates/roles.yaml | 61 +++++++++++++------
 1 file changed, 44 insertions(+), 17 deletions(-)
diff --git a/deploy/helm/hbase-operator/templates/roles.yaml b/deploy/helm/hbase-operator/templates/roles.yaml
index bab998b5..4a151551 100644
--- a/deploy/helm/hbase-operator/templates/roles.yaml
+++ b/deploy/helm/hbase-operator/templates/roles.yaml
@@ -5,6 +5,7 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules:
+ # For automatic cluster domain detection
 - apiGroups:
 - ""
 resources:
@@ -19,22 +20,43 @@ rules: - nodes/proxy verbs: - get + # Manage core workload resources created per HbaseCluster. + # All resources are applied via Server-Side Apply (create + patch) and tracked for + # orphan cleanup (list + delete). get is needed when reconciliation is paused (the + # operator reads current state instead of applying). Both resource types are watched + # by the controller (.owns(Service), .watches(ConfigMap)) so they also need watch. + # - configmaps: role group configuration and discovery configmap + # - services: role group headless and metrics services - apiGroups: - "" resources: - - pods - configmaps - services - - endpoints - - serviceaccounts verbs: - create - delete - get - list - patch - - update - watch + # Manage ServiceAccounts created per HbaseCluster for workload pods. + # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete). + # get is needed when reconciliation is paused. + # ServiceAccounts are not watched by the controller. + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + # Manage RoleBindings that bind the product ClusterRole to per-cluster ServiceAccounts. + # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete). + # get is needed when reconciliation is paused. + # RoleBindings are not watched by the controller. - apiGroups: - rbac.authorization.k8s.io resources: 
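Review bot: The drop of `pods` and `endpoints` from the core-resources rule, and of `update` everywhere, is not explained by any of the new comments, so the first 403 on pods that someone sees in the field will lead straight to re-adding them; a line such as `# pods and endpoints are intentionally not granted: the controller only applies and watches the resources listed above` belongs next to the `# - services:` line, once the claim has been checked against the controller code (this hunk shows what is applied and watched, not what is read). The `delete` verb on configmaps, services and serviceaccounts is cluster-wide and is justified by orphan cleanup; if that cleanup selects objects by owner reference or label, saying so in the same comment documents the blast radius of a bug in that logic. The added ServiceAccounts rule is shown without `+` markers in this rendering, so its exact lines should be confirmed against the repository.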
@@ -45,20 +67,24 @@ rules:
 - get
 - list
 - patch
- - update
- - watch
+ # Manage StatefulSets created per role group.
+ # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete),
+ # watched by the controller via .owns(StatefulSet), and read on pause (get).
 - apiGroups:
 - apps
 resources:
 - statefulsets
 verbs:
- - get
 - create
 - delete
+ - get
 - list
 - patch
- - update
 - watch
+ # Manage PodDisruptionBudgets created per role for availability guarantees.
+ # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete).
+ # get is needed when reconciliation is paused.
+ # PodDisruptionBudgets are not watched by the controller.
 - apiGroups:
 - policy
 resources:
@@ -69,8 +95,6 @@ rules:
 - get
 - list
 - patch
- - update
- - watch
 - apiGroups:
 - apiextensions.k8s.io
 resources:
@@ -86,6 +110,7 @@ rules:
 - list
 - watch
 {{- end }}
+ # For emitting Kubernetes events during reconciliation
 - apiGroups:
 - events.k8s.io
 resources:
@@ -93,12 +118,9 @@ rules:
 verbs:
 - create
 - patch
- - apiGroups:
- - listeners.stackable.tech
- resources:
- - listeners
- verbs:
- - get
+ # The primary resource watched by the controller (Controller::new).
+ # get + list + watch are required for the controller to observe HbaseClusters.
+ # Status is updated via the separate /status subresource rule below.
 - apiGroups:
 - {{ include "operator.name" . }}.stackable.tech
 resources:
@@ -106,14 +128,16 @@ rules:
 verbs:
 - get
 - list
- - patch
 - watch
+ # For writing the HbaseCluster status subresource (apply_patch_status)
 - apiGroups:
 - {{ include "operator.name" . }}.stackable.tech
 resources:
 - {{ include "operator.name" . }}clusters/status
 verbs:
 - patch
+ # For binding the product ClusterRole (hbase-clusterrole) to per-cluster ServiceAccounts
+ # via namespaced RoleBindings created per HbaseCluster
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
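Review bot: Removing `patch` on `{{ include "operator.name" . }}clusters` in the `-106,14` hunk while keeping it only on the `/status` subresource is the right least-privilege split, but it now silently depends on the controller never writing the main object — no finalizer, no label or annotation patch — and the new comment only states the positive half. The comment on that rule should also carry the negative, e.g. `# No patch on the main resource: the operator sets no finalizers and writes only /status`, so a future finalizer-based cleanup knows this rule has to grow; I cannot confirm from the hunk that no finalizer is used, so check the reconcile code before merging. The same applies to the `listeners.stackable.tech` rule deleted in the `-93,12` hunk, where a one-line reason for its removal would stop it from being re-added.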
@@ -130,6 +154,7 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules:
+ # HBase pods need to read their own ConfigMap, Secret, and ServiceAccount at runtime.
 - apiGroups:
 - ""
 resources:
@@ -138,6 +163,7 @@ rules:
 - serviceaccounts
 verbs:
 - get
+ # For emitting Kubernetes events from within the HBase pods
 - apiGroups:
 - events.k8s.io
 resources:
@@ -146,6 +172,7 @@ rules:
 - create
 - patch
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+ # Required on OpenShift to allow HBase pods to run as non-root
 - apiGroups:
 - security.openshift.io
 resources:
From 3443e3400aae35c92341d29684e11211f2cc1d2b Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Wed, 25 Mar 2026 14:28:20 +0100
Subject: [PATCH 2/7] chore: Update changelog
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c38e339c..6a8f8e56 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@
 ## [Unreleased]
+### Changed
+
+- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#745]).
+
+[#745]: https://github.com/stackabletech/hbase-operator/pull/745
+
 ## [26.3.0] - 2026-03-16
 ## [26.3.0-rc1] - 2026-03-16
From 699e8ba25dac96345e2165841904dbcdd2c4b407 Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Mon, 30 Mar 2026 12:26:31 +0200
Subject: [PATCH 3/7] chore: Remove unused rules
---
 .../helm/hbase-operator/templates/roles.yaml | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)
diff --git a/deploy/helm/hbase-operator/templates/roles.yaml b/deploy/helm/hbase-operator/templates/roles.yaml
index 4a151551..dd9afb9e 100644
--- a/deploy/helm/hbase-operator/templates/roles.yaml
+++ b/deploy/helm/hbase-operator/templates/roles.yaml
@@ -6,14 +6,6 @@ metadata:
 {{- include "operator.labels" . | nindent 4 }}
 rules:
 # For automatic cluster domain detection
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - list
- - watch
- # For automatic cluster domain detection
 - apiGroups:
 - ""
 resources:
@@ -154,16 +146,7 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules:
- # HBase pods need to read their own ConfigMap, Secret, and ServiceAccount at runtime.
- - apiGroups:
- - ""
- resources:
- - configmaps
- - secrets
- - serviceaccounts
- verbs:
- - get
- # For emitting Kubernetes events from within the HBase pods
+ # Allows HBase pods to emit Kubernetes events (e.g. for lifecycle notifications).
 - apiGroups:
 - events.k8s.io
 resources:
From 07a2706d16fc372babddd698913a21d1a3120f76 Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Mon, 30 Mar 2026 12:49:16 +0200
Subject: [PATCH 4/7] chore: Simplify comments, group the rolebindings and clusterroles rules, and fix the crd management rule
---
 .../helm/hbase-operator/templates/roles.yaml | 63 ++++++++----------
 1 file changed, 26 insertions(+), 37 deletions(-)
diff --git a/deploy/helm/hbase-operator/templates/roles.yaml b/deploy/helm/hbase-operator/templates/roles.yaml
index dd9afb9e..8acc0a9f 100644
--- a/deploy/helm/hbase-operator/templates/roles.yaml
+++ b/deploy/helm/hbase-operator/templates/roles.yaml
@@ -14,9 +14,7 @@ rules:
 - get
 # Manage core workload resources created per HbaseCluster.
 # All resources are applied via Server-Side Apply (create + patch) and tracked for
- # orphan cleanup (list + delete). get is needed when reconciliation is paused (the
- # operator reads current state instead of applying). Both resource types are watched
- # by the controller (.owns(Service), .watches(ConfigMap)) so they also need watch.
+ # orphan cleanup (list + delete).
 # - configmaps: role group configuration and discovery configmap
 # - services: role group headless and metrics services
 - apiGroups:
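Review bot: The rule left standing after the first hunk keeps `get` on `nodes/proxy`, which is considerably broader than the `list`/`watch` on `nodes` being removed: it authorises GET requests against every kubelet's API through the apiserver proxy, cluster-wide, and the surviving comment `# For automatic cluster domain detection` does not say so. The comment should name what is read and flag the weight of the grant, e.g. `# For automatic cluster domain detection: reads kubelet configuration via the nodes/proxy subresource. Most privileged rule in this role; keep it to get.`, so it is not widened or copied elsewhere later. If the cluster domain can instead be configured explicitly for the operator, a pointer to that setting would let hardened installs drop this rule entirely — I cannot tell from the hunk whether such an override exists.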
@@ -31,10 +29,8 @@ rules:
 - list
 - patch
 - watch
- # Manage ServiceAccounts created per HbaseCluster for workload pods.
- # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete).
- # get is needed when reconciliation is paused.
- # ServiceAccounts are not watched by the controller.
+ # ServiceAccount created per HbaseCluster for workload pod identity.
+ # Applied via SSA and tracked for orphan cleanup.
 - apiGroups:
 - ""
 resources:
@@ -45,10 +41,8 @@ rules:
 - get
 - list
 - patch
- # Manage RoleBindings that bind the product ClusterRole to per-cluster ServiceAccounts.
- # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete).
- # get is needed when reconciliation is paused.
- # RoleBindings are not watched by the controller.
+ # RoleBinding created per HbaseCluster to bind the product ClusterRole to the workload
+ # ServiceAccount. Applied via SSA and tracked for orphan cleanup.
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
@@ -59,9 +53,16 @@ rules:
 - get
 - list
 - patch
- # Manage StatefulSets created per role group.
- # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete),
- # watched by the controller via .owns(StatefulSet), and read on pause (get).
+ # Required to bind the product ClusterRole to the per-cluster ServiceAccount.
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - bind
+ resourceNames:
+ - {{ include "operator.name" . }}-clusterrole
+ # StatefulSet created per role group. Applied via SSA and tracked for orphan cleanup.
 - apiGroups:
 - apps
 resources:
@@ -73,10 +74,7 @@ rules:
 - list
 - patch
 - watch
- # Manage PodDisruptionBudgets created per role for availability guarantees.
- # Applied via SSA (create + patch), tracked for orphan cleanup (list + delete).
- # get is needed when reconciliation is paused.
- # PodDisruptionBudgets are not watched by the controller.
+ # PodDisruptionBudget created per role. Applied via SSA and tracked for orphan cleanup.
 - apiGroups:
 - policy
 resources:
@@ -87,22 +85,23 @@ rules:
 - get
 - list
 - patch
+ # Required for maintaining the CRDs within the operator (including the conversion webhook info).
+ # Also for the startup condition check before the controller can run.
 - apiGroups:
 - apiextensions.k8s.io
 resources:
 - customresourcedefinitions
 verbs:
- - get
+ {{- if .Values.maintenance.customResourceDefinitions.maintain }}
 # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
 # generated certificate in the conversion webhook.
- {{- if .Values.maintenance.customResourceDefinitions.maintain }}
 - create
 - patch
+ {{- end }}
 # Required for startup condition
 - list
 - watch
- {{- end }}
- # For emitting Kubernetes events during reconciliation
+ # Required to report reconciliation results and warnings back to the HbaseCluster object.
 - apiGroups:
 - events.k8s.io
 resources:
@@ -110,9 +109,7 @@ rules:
 verbs:
 - create
 - patch
- # The primary resource watched by the controller (Controller::new).
- # get + list + watch are required for the controller to observe HbaseClusters.
- # Status is updated via the separate /status subresource rule below.
+ # Primary CRD: watched by Controller::new() and read during reconciliation.
 - apiGroups:
 - {{ include "operator.name" . }}.stackable.tech
 resources:
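Review bot: In the `-87,22` hunk the `create`/`patch` grant on `customresourcedefinitions` inside the `.Values.maintenance.customResourceDefinitions.maintain` block stays cluster-wide, while the new comment says its purpose is to write the operator's own conversion-webhook data into its own CRD; `patch` on every CRD lets a compromised operator pod rewrite the schema or webhook of any other API in the cluster, so it should be limited with `resourceNames` to the operator's CRD, with `create` kept in a separate unrestricted rule because the API server cannot name-restrict create. Moving `list`/`watch` outside the block is the right fix for the startup check. This assumes HbaseCluster is the only CRD the operator maintains, which should be confirmed against the CRD-maintenance code in operator-rs; the context comment also has a typo, `it's` should be `its`.

```yaml
  # Required for the startup condition check before the controller can run.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list
      - watch
  {{- if .Values.maintenance.customResourceDefinitions.maintain }}
  # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. its
  # generated certificate in the conversion webhook. create cannot be restricted by
  # resourceNames and stays in its own rule; patch is limited to the operator's own CRD.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - {{ include "operator.name" . }}clusters.{{ include "operator.name" . }}.stackable.tech
    verbs:
      - patch
  {{- end }}
  # … unchanged: events rule and the rules that follow …
```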
@@ -121,24 +118,16 @@ rules:
 - get
 - list
 - watch
- # For writing the HbaseCluster status subresource (apply_patch_status)
+ # Status subresource: updated at the end of every reconciliation.
 - apiGroups:
 - {{ include "operator.name" . }}.stackable.tech
 resources:
 - {{ include "operator.name" . }}clusters/status
 verbs:
 - patch
- # For binding the product ClusterRole (hbase-clusterrole) to per-cluster ServiceAccounts
- # via namespaced RoleBindings created per HbaseCluster
- - apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterroles
- verbs:
- - bind
- resourceNames:
- - {{ include "operator.name" . }}-clusterrole
 ---
+# Product ClusterRole: bound (via per HbaseCluster RoleBinding) to the ServiceAccount that HBase
+# workload pods (masters, regionServers, restServers) run as.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -155,7 +144,7 @@ rules:
 - create
 - patch
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
- # Required on OpenShift to allow HBase pods to run as non-root
+ # Required on OpenShift to allow the HBase pods to run as a non-root user.
 - apiGroups:
 - security.openshift.io
 resources:
From 008f198ea1fc7e61dc58dd03944207d08d8f2eac Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Mon, 30 Mar 2026 12:56:14 +0200
Subject: [PATCH 5/7] chore: Split operator and product RBAC rules
---
 .../{roles.yaml => clusterrole-operator.yaml} | 30 +------------------
 .../templates/clusterrole-product.yaml | 29 ++++++++++++++++++
 2 files changed, 30 insertions(+), 29 deletions(-)
 rename deploy/helm/hbase-operator/templates/{roles.yaml => clusterrole-operator.yaml} (80%)
 create mode 100644 deploy/helm/hbase-operator/templates/clusterrole-product.yaml
diff --git a/deploy/helm/hbase-operator/templates/roles.yaml b/deploy/helm/hbase-operator/templates/clusterrole-operator.yaml
similarity index 80%
rename from deploy/helm/hbase-operator/templates/roles.yaml
rename to deploy/helm/hbase-operator/templates/clusterrole-operator.yaml
index 8acc0a9f..6b0fc340 100644
--- a/deploy/helm/hbase-operator/templates/roles.yaml
+++ b/deploy/helm/hbase-operator/templates/clusterrole-operator.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -125,32 +126,3 @@ rules:
 - {{ include "operator.name" . }}clusters/status
 verbs:
 - patch
----
-# Product ClusterRole: bound (via per HbaseCluster RoleBinding) to the ServiceAccount that HBase
-# workload pods (masters, regionServers, restServers) run as.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "operator.name" . }}-clusterrole
- labels:
- {{- include "operator.labels" . | nindent 4 }}
-rules:
- # Allows HBase pods to emit Kubernetes events (e.g. for lifecycle notifications).
- - apiGroups:
- - events.k8s.io
- resources:
- - events
- verbs:
- - create
- - patch
-{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
- # Required on OpenShift to allow the HBase pods to run as a non-root user.
- - apiGroups:
- - security.openshift.io
- resources:
- - securitycontextconstraints
- resourceNames:
- - nonroot-v2
- verbs:
- - use
-{{ end }}
diff --git a/deploy/helm/hbase-operator/templates/clusterrole-product.yaml b/deploy/helm/hbase-operator/templates/clusterrole-product.yaml
new file mode 100644
index 00000000..3ea8ed99
--- /dev/null
+++ b/deploy/helm/hbase-operator/templates/clusterrole-product.yaml
@@ -0,0 +1,29 @@
+---
+# Product ClusterRole: bound (via per HbaseCluster RoleBinding) to the ServiceAccount that HBase
+# workload pods (masters, regionServers, restServers) run as.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "operator.name" . }}-clusterrole
+ labels:
+ {{- include "operator.labels" . | nindent 4 }}
+rules:
+ # Allows HBase pods to emit Kubernetes events (e.g. for lifecycle notifications).
+ - apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+ # Required on OpenShift to allow the HBase pods to run as a non-root user.
+ - apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - nonroot-v2
+ verbs:
+ - use
+{{ end }}
From 0bd6cc422dad1b5b1908f9f2192ff22f36ccfd08 Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Mon, 30 Mar 2026 12:59:21 +0200
Subject: [PATCH 6/7] chore(nix): Update crate hashes
---
 Cargo.nix | 18 +++++++++---------
 crate-hashes.json | 18 +++++++++---------
 2 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/Cargo.nix b/Cargo.nix
index 43b52a3f..c0f4d738 100644
--- a/Cargo.nix
+++ b/Cargo.nix
@@ -4813,7 +4813,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02";
- sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+ sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2";
 };
 libName = "k8s_version";
 authors = [
@@ -9433,7 +9433,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02";
- sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+ sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2";
 };
 libName = "stackable_certs";
 authors = [
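Review bot: The moved template keeps `{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}` and `{{ end }}` without whitespace trimming, unlike every other action in this chart (`{{- include`, `{{- if .Values…`, `{{- end }}`), so the rendered manifest carries an empty line inside the `rules:` sequence and another after it. YAML tolerates that, but the inconsistency is worth fixing while the file is being created: `{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}` and `{{- end }}` render cleanly and keep the file uniform with clusterrole-operator.yaml.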
@@ -9637,7 +9637,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02";
- sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+ sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2";
 };
 libName = "stackable_operator";
 authors = [
@@ -9809,7 +9809,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02";
- sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+ sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2";
 };
 procMacro = true;
 libName = "stackable_operator_derive";
@@ -9844,7 +9844,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02";
- sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+ sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2";
 };
 libName = "stackable_shared";
 authors = [
@@ -9925,7 +9925,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02";
- sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+ sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2";
 };
 libName = "stackable_telemetry";
 authors = [
@@ -10035,7 +10035,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02";
- sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+ sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2";
 };
 libName = "stackable_versioned";
 authors = [
@@ -10079,7 +10079,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02";
- sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+ sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2";
 };
 procMacro = true;
 libName = "stackable_versioned_macros";
@@ -10147,7 +10147,7 @@ rec {
 src = pkgs.fetchgit {
 url = "https://github.com/stackabletech/operator-rs.git";
 rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02";
- sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+ sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2";
 };
 libName = "stackable_webhook";
 authors = [
diff --git a/crate-hashes.json b/crate-hashes.json
index 3714ebda..2148b36f 100644
--- a/crate-hashes.json
+++ b/crate-hashes.json
@@ -4,14 +4,14 @@
 "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-derive@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n",
 "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-runtime@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n",
 "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n",
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
- "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
+ "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2",
+ "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2",
+ "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2",
+ "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2",
+ "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2",
+ "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2",
+ "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2",
+ "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2",
+ "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2",
 "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987"
 }
\ No newline at end of file
From 1c19b5ff6b7bbd4129267f83f95d82f99be17562 Mon Sep 17 00:00:00 2001
From: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
Date: Tue, 31 Mar 2026 11:29:54 +0200
Subject: [PATCH 7/7] chore: Remove superfluous permissions from the product clusterrole
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
---
 .../hbase-operator/templates/clusterrole-product.yaml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/deploy/helm/hbase-operator/templates/clusterrole-product.yaml b/deploy/helm/hbase-operator/templates/clusterrole-product.yaml
index 3ea8ed99..67884f97 100644
--- a/deploy/helm/hbase-operator/templates/clusterrole-product.yaml
+++ b/deploy/helm/hbase-operator/templates/clusterrole-product.yaml
@@ -8,14 +8,6 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules:
- # Allows HBase pods to emit Kubernetes events (e.g. for lifecycle notifications).
- - apiGroups:
- - events.k8s.io
- resources:
- - events
- verbs:
- - create
- - patch
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
 # Required on OpenShift to allow the HBase pods to run as a non-root user.
 - apiGroups:
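Review bot: With the events rule gone, the `{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}` block is the only content left under `rules:`, so on a non-OpenShift cluster the product ClusterRole renders with an empty value for `rules` (YAML null). The API server should accept that, and the object still has to exist because the operator's per-cluster RoleBinding and its `bind` rule reference `{{ include "operator.name" . }}-clusterrole`, but an empty grant without a word of explanation reads like a rendering bug and yamllint's `empty-values` check will flag it. Either add an explicit `{{- else }}` branch that renders `  []` under `rules:` before `{{- end }}`, or put a comment above `rules:` saying that outside OpenShift the product ClusterRole is intentionally empty and exists only as a binding target; I cannot see from this hunk whether any other rule is conditionally added elsewhere in the chart.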