K8s: RBAC feature #3385
Conversation
Jit Security Scan Results: No security findings were detected in this PR (security scan by Jit).
I reviewed this PR last night while it was a draft with no reviewers assigned. I guess I was bored. Anyway, language LGTM. There are, however, a few bad links. Here's the output from hugo serve on your branch:
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-users": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:63:18": page not found
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-roles": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:64:18": page not found
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-acls": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:65:17": page not found
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-bindings": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:66:26": page not found
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/migrate-rolespermissions": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:67:40": page not found
I'll go ahead and approve so you're not held up.
Postscript: You'll probably want to add the other two reviewers back now that I've approved. Sorry!
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 69897e2.
- **One binding per role, many subjects** — every user with the role lives in one resource. A single apply changes access for every user at once, which can be either a feature or a hazard depending on the change.
- **One binding per user, multiple roles per binding** — each user has one binding listing the roles they hold. Deleting a user is a single binding delete. Adding a new role to an existing user means editing their binding.
- **One binding per user-role pair** — most verbose, but each grant is a discrete resource. Useful for attributing changes in GitOps and for scoping Kubernetes RBAC permissions on individual bindings.
Wrong multi-role binding pattern
Medium Severity
The “one binding per user, multiple roles per binding” pattern is incorrect because RedisEnterpriseRoleBinding and RedisEnterpriseClusterRoleBinding expose a single roleRef, not a list of roles. Granting several roles to one user requires multiple binding resources, not one edited binding.
```sh
kubectl delete redisenterpriserolebinding --selector app=orders
kubectl delete redisenterpriserole orders-viewer
```
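Review bot: the `--selector app=orders` delete in this hunk keys on a label that nothing on the page attaches to the bindings, so it can remove zero bindings (or unrelated ones), and the following `kubectl delete redisenterpriserole orders-viewer` is then blocked by bindings that still reference the role. Select the bindings by the role they reference instead, for example `kubectl get redisenterpriserolebinding -o jsonpath='{range .items[?(@.spec.roleRef.name=="orders-viewer")]}{.metadata.name}{"\n"}{end}'` (the field path `spec.roleRef.name` is assumed from the roleRef the review mentions), and delete those by name before deleting the role.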
Wrong binding delete command
Medium Severity
The delete example uses kubectl delete redisenterpriserolebinding --selector app=orders, which removes bindings by label selector, not by the orders-viewer role name. Bindings are not labeled that way in the docs, so the command often deletes nothing and leaves role deletion blocked.
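The practitioner's version of the check raised in the comment above, as an added example that is not part of the docs PR or the operator project: instead of guessing a label selector, read the JSON that `kubectl get redisenterpriserolebinding -A -o json` prints, find every binding whose roleRef names the role you are about to delete, report which subjects lose access, and emit the deletes in an order that cannot leave the role blocked. The binding list below is constructed, and the field paths `spec.roleRef.name` and `spec.subjects` are assumptions (the review only says each binding carries a single roleRef).

```python
"""Find the RedisEnterpriseRoleBinding objects that reference a role before
deleting that role, instead of relying on a label nothing applies.

Added example, not code from the docs PR. Input is the JSON that
`kubectl get redisenterpriserolebinding -A -o json` would print; the sample
below is constructed, and the field paths spec.roleRef.name and spec.subjects
are assumptions (the review only states that a binding has a single roleRef).
"""
import json
import shlex
from typing import Dict, List, Tuple

# Constructed sample: three bindings, two of which reference orders-viewer.
# None carries an app=orders label, which is why a label selector deletes
# nothing here.
SAMPLE_BINDING_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "alice-orders-viewer", "namespace": "orders",
                      "labels": {"team": "payments"}},
         "spec": {"roleRef": {"name": "orders-viewer"},
                  "subjects": [{"kind": "User", "name": "alice"}]}},
        {"metadata": {"name": "ops-orders-viewer", "namespace": "orders"},
         "spec": {"roleRef": {"name": "orders-viewer"},
                  "subjects": [{"kind": "LDAPGroup", "name": "ops"}]}},
        {"metadata": {"name": "alice-orders-admin", "namespace": "orders"},
         "spec": {"roleRef": {"name": "orders-admin"},
                  "subjects": [{"kind": "User", "name": "alice"}]}},
    ],
})


def bindings_for_role(binding_list_json: str, role: str) -> List[Tuple[str, str]]:
    """Return (namespace, name) of every binding whose roleRef names `role`."""
    doc = json.loads(binding_list_json)
    found = []
    for item in doc.get("items", []):
        ref = item.get("spec", {}).get("roleRef", {})  # assumed field path
        if ref.get("name") == role:
            meta = item["metadata"]
            found.append((meta.get("namespace", "default"), meta["name"]))
    return sorted(found)


def subjects_losing_access(binding_list_json: str, role: str) -> Dict[str, List[str]]:
    """Blast-radius check: the subjects that hold `role` through the bindings
    about to be deleted, keyed by subject kind (User, LDAPGroup, ...)."""
    doc = json.loads(binding_list_json)
    out: Dict[str, List[str]] = {}
    for item in doc.get("items", []):
        if item.get("spec", {}).get("roleRef", {}).get("name") != role:
            continue
        for subj in item["spec"].get("subjects", []):  # assumed field path
            out.setdefault(subj["kind"], []).append(subj["name"])
    return {kind: sorted(set(names)) for kind, names in out.items()}


def removal_commands(binding_list_json: str, role: str, role_namespace: str) -> List[str]:
    """Ordered kubectl commands: delete the referencing bindings by name first,
    then the role, so no binding still points at a role that is gone."""
    cmds = []
    for ns, name in bindings_for_role(binding_list_json, role):
        cmds.append("kubectl delete redisenterpriserolebinding "
                    f"{shlex.quote(name)} -n {shlex.quote(ns)}")
    cmds.append(f"kubectl delete redisenterpriserole {shlex.quote(role)} "
                f"-n {shlex.quote(role_namespace)}")
    return cmds


if __name__ == "__main__":
    ROLE = "orders-viewer"
    print("subjects losing access:", subjects_losing_access(SAMPLE_BINDING_LIST, ROLE))
    for cmd in removal_commands(SAMPLE_BINDING_LIST, ROLE, "orders"):
        print(cmd)
```

Run it against real output by replacing `SAMPLE_BINDING_LIST` with the captured `kubectl get ... -o json`; review the subjects list before running the printed commands, since a role shared by an LDAPGroup subject revokes access for every member of that group at once.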
Note
Low Risk
Documentation-only changes (new pages, link/path updates, aliases); no application code or runtime behavior.
Overview
Adds Kubernetes-native RBAC documentation for Redis Software on Kubernetes: users, ACLs, database- and cluster-scoped roles, role bindings (including `LDAPGroup` subjects), and a guide to migrate off the deprecated `RedisEnterpriseDatabase.spec.rolesPermissions` via `REC.spec.accessControl.policy.allowREDBRolesPermissions`. Reorganizes the security doc tree into Access control, Authentication (`manage-rec-credentials`, LDAP, SSO, configuration secrets), and Certificates and encryption, with aliases on moved pages so old URLs keep working. Cross-links are updated across Kubernetes topics, the operate security comparison table, and Vault/cert-manager pages.