fix(rbac): Add aggregation labels to the clusterrole #416

Open
ulrichgiraud wants to merge 1 commit into streamnative:main from AODocs:fix/rbac-aggregation

@ulrichgiraud ulrichgiraud commented Jul 1, 2026

Fixes #415

Motivation

The ClusterRole shipped by this chart does not carry any RBAC aggregation labels, so users or service accounts bound to the standard Kubernetes admin / edit ClusterRoles cannot manage the operator's CRDs (PulsarTenant, PulsarNamespace, PulsarTopic, ...) out of the box. Every consumer has to either add extra ClusterRoleBindings or patch the chart via post-rendering to inject the labels.

Modifications

Added the standard RBAC aggregation labels to the manager ClusterRole template:

metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"

This is the minimal change discussed in the linked issue. The optional companion read-only ClusterRole (aggregate-to-view) and the values.yaml toggles are intentionally left out of this PR; happy to follow up with a second PR based on maintainer feedback.

Verifying this change

  • Make sure that the change passes the CI checks.

This change added tests and can be verified as follows:

helm unittest

  • added minimal default tests on role and role_binding
  • added a test on labels presence

Documentation

  • no-need-doc

This change only affects the rendered RBAC manifests. It does not introduce new APIs, configuration values, or user-facing behaviour that would require documentation updates.

Signed-off-by: Ulrich GIRAUD <ulrich.giraud@altirnao.com>
@ulrichgiraud ulrichgiraud requested review from a team as code owners July 1, 2026 08:40
github-actions Bot commented Jul 1, 2026

Contributor

@ulrichgiraud: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@github-actions github-actions Bot added the doc-info-missing This pr needs to mark a document option in description label Jul 1, 2026
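
Added example, not part of this PR or of the chart: a simplified Python model of label-based ClusterRole aggregation that lists what the built-in admin, edit and view roles would inherit from a labelled role, and flags inherited grants outside the API group a reviewer expects. The role contents, the API group `pulsar.example.invalid`, the resource names and all function names are constructed placeholders, since the chart's actual rules are not shown on this page.

```python
# Simplified model of label-based ClusterRole aggregation; not the controller's code.
PREFIX = "rbac.authorization.k8s.io/aggregate-to-"

def aggregated_rules(target, cluster_roles):
    """Rules the built-in role `target` (admin, edit or view) picks up by label."""
    rules = []
    for role in cluster_roles:
        labels = role.get("metadata", {}).get("labels") or {}
        # Label values are strings, so the selector matches "true", not a boolean.
        if labels.get(PREFIX + target) == "true":
            rules.extend(role.get("rules", []))
    return rules

def grants(rules):
    """Flatten rules into (apiGroup, resource, verb) triples."""
    return {(g, r, v)
            for rule in rules
            for g in rule.get("apiGroups", [""])
            for r in rule.get("resources", [])
            for v in rule.get("verbs", [])}

def unexpected_grants(target, cluster_roles, allowed_groups):
    """Grants `target` would inherit outside the API groups the reviewer expects."""
    inherited = grants(aggregated_rules(target, cluster_roles))
    return sorted(t for t in inherited if t[0] not in allowed_groups)

# Constructed sample. The API group and resource names are placeholders, and the
# second rule exists only to show that every rule in a labelled role is aggregated.
CRD_GROUP = "pulsar.example.invalid"
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "sample-manager-role", "labels": {
        PREFIX + "admin": "true",
        PREFIX + "edit": "true",
    }},
    "rules": [
        {"apiGroups": [CRD_GROUP],
         "resources": ["pulsartenants", "pulsarnamespaces", "pulsartopics"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
}

if __name__ == "__main__":
    for target in ("admin", "edit", "view"):
        inherited = grants(aggregated_rules(target, [SAMPLE_ROLE]))
        extra = unexpected_grants(target, [SAMPLE_ROLE], {CRD_GROUP})
        print(f"{target}: {len(inherited)} grants inherited, outside CRD group: {extra}")
```

Running the same check over the rendered manifest (for example, the output of `helm template` loaded into dictionaries) shows exactly which permissions every subject bound to admin or edit gains once the labels are present.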

Labels

doc-info-missing This pr needs to mark a document option in description

Development

Successfully merging this pull request may close these issues.

ClusterRole should support aggregation to default admin/edit/view roles