Summary

This PR adds delegated RBAC checks for CR fields that let a CR author influence custom executables, restore executables, or Hardened image-verification trust roots.

The main behavior change is that ordinary OpenBaoCluster / OpenBaoRestore write access is no longer enough to configure these dangerous controls:

• spec.initContainer.image
• spec.backup.image
• spec.upgrade.image
• blue/green prePromotionHook
• spec.plugins[].image
• spec.plugins[].command
• OpenBaoRestore.spec.image
• custom Hardened spec.imageVerification / spec.operatorImageVerification trust-root material

New delegated verbs:

• usecustomexecutables for custom helper, hook, plugin, upgrade, backup, and restore executables
• useimagetrustroots for custom Hardened image-verification trust roots

usehelperimages remains accepted as a compatibility alias for existing delegated helper-image RBAC, but new bindings should use usecustomexecutables.

The docs and RBAC samples were updated to describe the new delegation model and the migration impact.

Related Issues

Security audit follow-up. No public issue linked yet.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactor (code improvement/cleanup)
• CI, release, or build tooling
• Other maintenance

Risk and Compatibility

This is intentional security hardening with compatibility impact.

Existing workloads are not changed by this PR, but future creates or updates are denied when a dangerous field is present and the requesting identity lacks the delegated verb. This applies even if the update changes an unrelated field, because the dangerous field remains part of the persisted spec.

Operational impact:

• GitOps or human editors managing clusters with custom helper images, hooks, plugins, or restore images need usecustomexecutables on the target OpenBaoCluster.
• Existing usehelperimages grants continue to authorize the executable controls as a compatibility alias.
• Hardened clusters using custom image-verification trust roots need useimagetrustroots.
• Hardened clusters using official image-verification defaults do not need extra RBAC for trust roots.

This should be called out in the release notes for the release line.

Verification

Ran:

make ci-core
make verify-helm
GOFLAGS=-mod=vendor go test ./hack/helmchart
GOFLAGS=-mod=vendor go test -count=1 -tags=integration ./test/integration -run 'TestKustomizeDefault_OpenBaoClusterPolicyProtectsTransitUnseal|TestKustomizeDefault_OpenBaoRestorePolicyProtectsSecretRefs|TestVAP_OpenBaoCluster_(DeniesCustomBackupImageWithoutCustomExecutablesVerb|DeniesBackupImageChangeWithoutCustomExecutablesVerb|AllowsCustomBackupImageWithHelperImageVerb|DeniesUnchangedCustomBackupImageWithoutCustomExecutablesVerb|DeniesCustomExecutableFieldsWithoutDelegatedVerb|AllowsCustomExecutableFieldsWithDelegatedVerb|AllowsHardenedOfficialImageVerificationDefaults|DeniesHardenedCustomImageTrustRootsWithoutDelegatedVerb|AllowsHardenedCustomImageTrustRootsWithDelegatedVerb)|TestVAP_OpenBaoRestore_(DeniesCustomImageWithoutHelperImageVerb|AllowsCustomImageWithHelperImageVerb|DeniesUnchangedCustomImageUpdateWithoutCustomExecutablesVerb)'
npm --prefix website run build
git diff --check
git push pre-push hook: make lint-ci

Broader e2e was not run for this slice. The change is admission/RBAC/docs focused, and the envtest coverage exercises the deny/allow paths for the new delegated verbs.

Reviewer Notes

Before merge, double-check:

• the delegated surfaces are the right initial set for this slice
• usecustomexecutables plus usehelperimages compatibility is the intended RBAC contract
• useimagetrustroots is scoped correctly to custom Hardened trust roots while preserving official defaults
• the migration wording is clear enough for release notes

Checklist

• My code follows the project style guide.
• I have performed a self-review of my own code.
• I have added or updated tests, or explained why tests are not needed.
• I have updated documentation, or explained why docs are not needed.
• I have updated generated artifacts, or confirmed none are affected.
• I have checked that this change does not log or expose secrets, tokens, credentials, keys, or raw Secret data.
• I have run the relevant local checks, or documented why they were not run.
• Any dependent changes have been merged, published, or clearly called out.