Skip to content

fix: scope operator ClusterRole; remove cluster-admin default#1512

Open
mgrzybek wants to merge 1 commit into
mainfrom
fix/c1-scoped-operator-clusterrole
Open

fix: scope operator ClusterRole; remove cluster-admin default#1512
mgrzybek wants to merge 1 commit into
mainfrom
fix/c1-scoped-operator-clusterrole

Conversation

@mgrzybek

@mgrzybek mgrzybek commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Finding

Operator defaults to cluster-admin ClusterRole

Root cause

charts/operator/values.yaml set clusterRoleName: cluster-admin as the default, giving every zenith-operator deployment unrestricted cluster access out of the box. The comment in the file acknowledged this was needed for MITM-proxy ServiceAccount bindings, but made no distinction between the operator's own permissions and the permissions it may need to grant.

Changes

  • New charts/operator/templates/clusterrole.yaml — purpose-scoped ClusterRole covering only what the operator actually needs: CRD management, zenith CRs + status subresources, secrets, services (read-only), serviceaccounts, deployments, and clusterrolebindings.
  • charts/operator/templates/clusterrolebinding.yaml — role name now defaults to the chart fullname (the scoped ClusterRole) when clusterRoleName is empty.
  • charts/operator/values.yaml — adds createClusterRole: true; changes clusterRoleName default from cluster-admin to "". Documents the explicit opt-in path for MITM-proxy deployments that require cluster-admin and the Kubernetes privilege-escalation constraint.
  • Snapshot test updated to reflect the new ClusterRole and the updated ClusterRoleBinding roleRef.

@mgrzybek mgrzybek requested a review from a team as a code owner June 22, 2026 13:36
@mgrzybek mgrzybek changed the title fix: scope operator ClusterRole; remove cluster-admin default (C1) fix: scope operator ClusterRole; remove cluster-admin default Jun 22, 2026
@mgrzybek mgrzybek force-pushed the fix/c1-scoped-operator-clusterrole branch 2 times, most recently from 3b71f47 to bca5add Compare June 24, 2026 14:55
The operator chart defaulted clusterRoleName to cluster-admin, granting
every zenith deployment unrestricted cluster access out of the box.

A new purpose-scoped ClusterRole is now created by default (createClusterRole:
true), granting only the permissions the operator actually requires:
CRD management, zenith CRs, secrets, services, serviceaccounts, deployments,
and clusterrolebindings. clusterRoleName defaults to the chart fullname,
binding the operator ServiceAccount to this scoped role.

Operators that need MITM-proxy auth-inject with cluster-admin must explicitly
set createClusterRole: false and clusterRoleName: cluster-admin. The
privilege-escalation constraint (operator cannot bind a role it does not hold)
is documented in values.yaml.
@mgrzybek mgrzybek force-pushed the fix/c1-scoped-operator-clusterrole branch from bca5add to ad4464d Compare June 26, 2026 07:06

@irt-shpc irt-shpc left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this PR require a sibling to make sure the clusterAdmin role is bound for the kube api zenith clients, they seem to use mitm by default

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants