fix: scope operator ClusterRole; remove cluster-admin default#1512
Open
mgrzybek wants to merge 1 commit into
Open
fix: scope operator ClusterRole; remove cluster-admin default#1512mgrzybek wants to merge 1 commit into
mgrzybek wants to merge 1 commit into
Conversation
3b71f47 to
bca5add
Compare
The operator chart defaulted clusterRoleName to cluster-admin, granting every zenith deployment unrestricted cluster access out of the box. A new purpose-scoped ClusterRole is now created by default (createClusterRole: true), granting only the permissions the operator actually requires: CRD management, zenith CRs, secrets, services, serviceaccounts, deployments, and clusterrolebindings. clusterRoleName defaults to the chart fullname, binding the operator ServiceAccount to this scoped role. Operators that need MITM-proxy auth-inject with cluster-admin must explicitly set createClusterRole: false and clusterRoleName: cluster-admin. The privilege-escalation constraint (operator cannot bind a role it does not hold) is documented in values.yaml.
bca5add to
ad4464d
Compare
irt-shpc
reviewed
Jun 30, 2026
irt-shpc
left a comment
Contributor
There was a problem hiding this comment.
Does this PR require a sibling to make sure the clusterAdmin role is bound for the kube api zenith clients, they seem to use mitm by default
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Finding
Operator defaults to
cluster-adminClusterRoleRoot cause
charts/operator/values.yamlsetclusterRoleName: cluster-adminas the default, giving every zenith-operator deployment unrestricted cluster access out of the box. The comment in the file acknowledged this was needed for MITM-proxy ServiceAccount bindings, but made no distinction between the operator's own permissions and the permissions it may need to grant.Changes
charts/operator/templates/clusterrole.yaml— purpose-scoped ClusterRole covering only what the operator actually needs: CRD management, zenith CRs + status subresources, secrets, services (read-only), serviceaccounts, deployments, and clusterrolebindings.charts/operator/templates/clusterrolebinding.yaml— role name now defaults to the chart fullname (the scoped ClusterRole) whenclusterRoleNameis empty.charts/operator/values.yaml— addscreateClusterRole: true; changesclusterRoleNamedefault fromcluster-adminto"". Documents the explicit opt-in path for MITM-proxy deployments that require cluster-admin and the Kubernetes privilege-escalation constraint.