chore: Describe RBAC rules, remove unnecessary rules

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#770]).
+
+[#770]: https://github.com/stackabletech/hdfs-operator/pull/770
+
 ## [26.3.0] - 2026-03-16
 
 ## [26.3.0-rc1] - 2026-03-16

deploy/helm/hdfs-operator/templates/roles.yaml

@@ -6,74 +6,68 @@ metadata:
   labels:
   {{- include "operator.labels" . | nindent 4 }}
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - list
-      - watch
-      - get
-  # For automatic cluster domain detection
+  # For automatic cluster domain detection (reads kubelet config via the nodes/proxy API).
   - apiGroups:
       - ""
     resources:
       - nodes/proxy
     verbs:
       - get
+  # Manage core workload resources created per HdfsCluster.
+  # All resources are applied via Server-Side Apply (create + patch) and tracked for
+  # orphan cleanup (list + delete). Resources watched by the controller also need watch.
+  # - configmaps: rolegroup config maps; watched via .owns() and .watches()
+  # - services: rolegroup headless and metrics services; watched via .owns()
   - apiGroups:
       - ""
     resources:
-      - pods
       - configmaps
-      - secrets
       - services
-      - endpoints
-      - serviceaccounts
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
       - watch
+  # serviceaccounts are applied via SSA and tracked for orphan cleanup but not watched
+  # by the controller.
   - apiGroups:
-      - rbac.authorization.k8s.io
+      - ""
     resources:
-      - rolebindings
+      - serviceaccounts
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
-      - watch
+  # rolebindings are applied via SSA and tracked for orphan cleanup but not watched
+  # by the controller.
   - apiGroups:
-      - apps
+      - rbac.authorization.k8s.io
     resources:
-      - statefulsets
+      - rolebindings
     verbs:
-      - get
       - create
       - delete
+      - get
       - list
       - patch
-      - update
-      - watch
+  # statefulsets are applied via SSA, tracked for orphan cleanup, and watched via .owns().
   - apiGroups:
-      - batch
+      - apps
     resources:
-      - jobs
+      - statefulsets
     verbs:
       - create
       - delete
       - get
       - list
       - patch
-      - update
       - watch
+  # poddisruptionbudgets are applied via SSA and tracked for orphan cleanup but not watched
+  # by the controller.
   - apiGroups:
       - policy
     resources:
@@ -84,8 +78,6 @@ rules:
       - get
       - list
       - patch
-      - update
-      - watch
   - apiGroups:
       - apiextensions.k8s.io
     resources:
@@ -108,48 +100,43 @@ rules:
     verbs:
       - create
       - patch
+  # Read listener addresses to build the discovery ConfigMap for downstream clients.
+  # Listeners are managed by the listener-operator; this operator only reads them.
   - apiGroups:
       - listeners.stackable.tech
     resources:
       - listeners
     verbs:
       - get
-      - list
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-    verbs:
-      - get
-      - list
+  # Watch HdfsClusters for reconciliation (list + watch via Controller::new(), get during
+  # reconcile). Status is patched via a separate rule on the /status subresource.
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters
     verbs:
       - get
       - list
-      - patch
       - watch
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:
       - {{ include "operator.name" . }}clusters/status
     verbs:
       - patch
+  # Manage the hdfs-clusterrolebinding-nodes ClusterRoleBinding via Server-Side Apply.
+  # This binding grants the HDFS product pods (topology provider) access to node and pod
+  # information for rack awareness. Scoped to the specific ClusterRoleBinding by name.
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:
       - clusterrolebindings
     resourceNames:
       - {{ include "operator.name" . }}-clusterrolebinding-nodes
     verbs:
-      - patch
-      - get
-      - update
-      - list
-      - watch
       - create
+      - patch
+  # Allow binding the product ClusterRole when creating per-cluster RoleBindings.
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:
@@ -166,6 +153,11 @@ metadata:
   labels:
   {{- include "operator.labels" . | nindent 4 }}
 rules:
+  # Read configuration and identity resources mounted or referenced by product pods.
+  # - configmaps: HDFS configuration files
+  # - secrets: TLS certificates and Kerberos keytabs (provided by secret-operator volumes)
+  # - serviceaccounts: bound service account token projection
+  # - pods: pod self-inspection (e.g. hostname resolution, ZooKeeper coordination)
   - apiGroups:
       - ""
     resources:
@@ -175,6 +167,7 @@ rules:
       - pods
     verbs:
       - get
+  # List pods for topology detection and peer discovery.
   - apiGroups:
       - ""
     resources:
@@ -206,6 +199,11 @@ metadata:
   labels:
   {{- include "operator.labels" . | nindent 4 }}
 rules:
+  # The topology provider (rack awareness) running inside HDFS pods queries pod, node, and
+  # endpoint information to compute rack labels for DataNodes.
+  # - pods: discover pod-to-node assignment for topology calculation; watched by pod informer
+  # - nodes: read rack labels (e.g. topology.kubernetes.io/zone) from the node the pod runs on
+  # - endpoints: map service endpoints to pod IPs for topology resolution
   - apiGroups:
       - ""
     resources:
@@ -217,6 +215,7 @@ rules:
       - list
       # needed for pod informer
       - watch
+  # Read listener addresses so HDFS pods can resolve external access endpoints.
   - apiGroups:
       - listeners.stackable.tech
     resources: