From 88158012ee85df99268fc928e23906ad9c82f472 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 25 Mar 2026 14:36:15 +0100 Subject: [PATCH 01/13] chore: Describe RBAC rules, remove unnecessary rules --- .../helm/hdfs-operator/templates/roles.yaml | 83 +++++++++---------- 1 file changed, 41 insertions(+), 42 deletions(-) diff --git a/deploy/helm/hdfs-operator/templates/roles.yaml b/deploy/helm/hdfs-operator/templates/roles.yaml index 347f4fef..f0fbce7e 100644 --- a/deploy/helm/hdfs-operator/templates/roles.yaml +++ b/deploy/helm/hdfs-operator/templates/roles.yaml 
@@ -6,74 +6,68 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch - - get - # For automatic cluster domain detection + # For automatic cluster domain detection (reads kubelet config via the nodes/proxy API). - apiGroups: - "" resources: - nodes/proxy verbs: - get + # Manage core workload resources created per HdfsCluster. + # All resources are applied via Server-Side Apply (create + patch) and tracked for + # orphan cleanup (list + delete). Resources watched by the controller also need watch. + # - configmaps: rolegroup config maps; watched via .owns() and .watches() + # - services: rolegroup headless and metrics services; watched via .owns() - apiGroups: - "" resources: - - pods - configmaps - - secrets - services - - endpoints - - serviceaccounts verbs: - create - delete - get - list - patch - - update - watch + # serviceaccounts are applied via SSA and tracked for orphan cleanup but not watched + # by the controller. - apiGroups: - - rbac.authorization.k8s.io + - "" resources: - - rolebindings + - serviceaccounts verbs: - create - delete - get - list - patch - - update - - watch + # rolebindings are applied via SSA and tracked for orphan cleanup but not watched + # by the controller. - apiGroups: - - apps + - rbac.authorization.k8s.io resources: - - statefulsets + - rolebindings verbs: - - get - create - delete + - get - list - patch - - update - - watch + # statefulsets are applied via SSA, tracked for orphan cleanup, and watched via .owns(). - apiGroups: - - batch + - apps resources: - - jobs + - statefulsets verbs: - create - delete - get - list - patch - - update - watch + # poddisruptionbudgets are applied via SSA and tracked for orphan cleanup but not watched + # by the controller. - apiGroups: - policy resources: @@ -84,8 +78,6 @@ rules: - get - list - patch - - update - - watch - apiGroups: - apiextensions.k8s.io resources: 
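Review bot: The first rule kept in this hunk grants `get` on `nodes/proxy` cluster-wide, and the new comment describes it only as reading kubelet config for cluster domain detection; `get` on `nodes/proxy` in fact authorizes read access to the kubelet API on every node, which covers far more than the kubelet configuration and is one of the grants RBAC audits single out. The comment should state that scope so the rule is not later copied as a harmless read, e.g. `# For automatic cluster domain detection (reads kubelet config via the nodes/proxy API). Note: get on nodes/proxy exposes the kubelet's read API on every node, not only its config.` Whether the cluster domain could be obtained from a narrower source (e.g. resolver configuration inside the operator pod) is not visible from this hunk and would be a follow-up, not a blocker here.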
@@ -108,20 +100,16 @@ rules: verbs: - create - patch + # Read listener addresses to build the discovery ConfigMap for downstream clients. + # Listeners are managed by the listener-operator; this operator only reads them. - apiGroups: - listeners.stackable.tech resources: - listeners verbs: - get - - list - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - - list + # Watch HdfsClusters for reconciliation (list + watch via Controller::new(), get during + # reconcile). Status is patched via a separate rule on the /status subresource. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: @@ -129,7 +117,6 @@ rules: verbs: - get - list - - patch - watch - apiGroups: - {{ include "operator.name" . }}.stackable.tech @@ -137,6 +124,9 @@ rules: - {{ include "operator.name" . }}clusters/status verbs: - patch + # Manage the hdfs-clusterrolebinding-nodes ClusterRoleBinding via Server-Side Apply. + # This binding grants the HDFS product pods (topology provider) access to node and pod + # information for rack awareness. Scoped to the specific ClusterRoleBinding by name. - apiGroups: - rbac.authorization.k8s.io resources: @@ -144,12 +134,9 @@ rules: resourceNames: - {{ include "operator.name" . }}-clusterrolebinding-nodes verbs: - - patch - - get - - update - - list - - watch - create + - patch + # Allow binding the product ClusterRole when creating per-cluster RoleBindings. - apiGroups: - rbac.authorization.k8s.io resources: @@ -166,6 +153,11 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: + # Read configuration and identity resources mounted or referenced by product pods. + # - configmaps: HDFS configuration files + # - secrets: TLS certificates and Kerberos keytabs (provided by secret-operator volumes) + # - serviceaccounts: bound service account token projection + # - pods: pod self-inspection (e.g. hostname resolution, ZooKeeper coordination) - apiGroups: - "" resources: 
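Review bot: In the hunk at `@@ -144,12 +134,9 @@` the clusterrolebindings rule keeps `create` next to the new `patch` under a `resourceNames` restriction to the `-clusterrolebinding-nodes` binding; Kubernetes RBAC does not apply `resourceNames` to a plain POST (the name is not part of the request attributes at authorization time), so a direct create of that binding is not authorized by this rule, whereas a Server-Side Apply patch that creates the missing object appears to be checked with the name from the URL and would pass. Which path the operator uses on a fresh install is not visible here, so this should be confirmed on an empty cluster rather than assumed from the existing install that the series was tested on. Suggest recording the intent in the comment so the next cleanup does not drop the verb or rely on it wrongly, e.g. `# create+patch via Server-Side Apply only; resourceNames does not restrict a plain POST`. The enclosing rule body starts outside the hunk.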
@@ -175,6 +167,7 @@ rules: - pods verbs: - get + # List pods for topology detection and peer discovery. - apiGroups: - "" resources: @@ -206,6 +199,11 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: + # The topology provider (rack awareness) running inside HDFS pods queries pod, node, and + # endpoint information to compute rack labels for DataNodes. + # - pods: discover pod-to-node assignment for topology calculation; watched by pod informer + # - nodes: read rack labels (e.g. topology.kubernetes.io/zone) from the node the pod runs on + # - endpoints: map service endpoints to pod IPs for topology resolution - apiGroups: - "" resources: @@ -217,6 +215,7 @@ rules: - list # needed for pod informer - watch + # Read listener addresses so HDFS pods can resolve external access endpoints. - apiGroups: - listeners.stackable.tech resources: From 1cd4dd24c3a5e90623f2824d156096c31a916534 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 25 Mar 2026 14:37:52 +0100 Subject: [PATCH 02/13] chore: Update changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e0c466f..a5b2b200 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#770]). + +[#770]: https://github.com/stackabletech/hdfs-operator/pull/770 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 From 643a6381b6e0341e4ff46e4b7268061197b37533 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Mon, 30 Mar 2026 13:47:19 +0200 Subject: [PATCH 03/13] chore: Remove unused customresourcedefinitions get for the operator clusterrole --- deploy/helm/hdfs-operator/templates/roles.yaml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/deploy/helm/hdfs-operator/templates/roles.yaml b/deploy/helm/hdfs-operator/templates/roles.yaml index f0fbce7e..3642d297 100644 --- a/deploy/helm/hdfs-operator/templates/roles.yaml +++ b/deploy/helm/hdfs-operator/templates/roles.yaml @@ -83,7 +83,6 @@ rules: resources: - customresourcedefinitions verbs: - - get # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's # generated certificate in the conversion webhook. {{- if .Values.maintenance.customResourceDefinitions.maintain }} From 483f404909bb696a9bac3f888c41ce92e4e4b8d4 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Mon, 30 Mar 2026 13:47:51 +0200 Subject: [PATCH 04/13] fix: Always allow customresourcedefinitions list/watch, else operator startup fails --- deploy/helm/hdfs-operator/templates/roles.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/helm/hdfs-operator/templates/roles.yaml b/deploy/helm/hdfs-operator/templates/roles.yaml index 3642d297..642812b6 100644 --- a/deploy/helm/hdfs-operator/templates/roles.yaml +++ b/deploy/helm/hdfs-operator/templates/roles.yaml @@ -88,10 +88,10 @@ rules: {{- if .Values.maintenance.customResourceDefinitions.maintain }} - create - patch + {{- end }} # Required for startup condition - list - watch - {{- end }} - apiGroups: - events.k8s.io resources: From 43ba3b950fa9f57bf63f332d497ca8d791f353e4 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Mon, 30 Mar 2026 14:12:25 +0200 Subject: [PATCH 05/13] chore: Improve comments on rules, add missing comments --- .../helm/hdfs-operator/templates/roles.yaml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/deploy/helm/hdfs-operator/templates/roles.yaml b/deploy/helm/hdfs-operator/templates/roles.yaml index 642812b6..5daab05f 100644 --- a/deploy/helm/hdfs-operator/templates/roles.yaml +++ b/deploy/helm/hdfs-operator/templates/roles.yaml 
@@ -15,9 +15,7 @@ rules: - get # Manage core workload resources created per HdfsCluster. # All resources are applied via Server-Side Apply (create + patch) and tracked for - # orphan cleanup (list + delete). Resources watched by the controller also need watch. - # - configmaps: rolegroup config maps; watched via .owns() and .watches() - # - services: rolegroup headless and metrics services; watched via .owns() + # orphan cleanup (list + delete). - apiGroups: - "" resources: @@ -30,8 +28,7 @@ rules: - list - patch - watch - # serviceaccounts are applied via SSA and tracked for orphan cleanup but not watched - # by the controller. + # serviceaccounts are applied via SSA and tracked for orphan cleanup. - apiGroups: - "" resources: @@ -42,8 +39,7 @@ rules: - get - list - patch - # rolebindings are applied via SSA and tracked for orphan cleanup but not watched - # by the controller. + # rolebindings are applied via SSA and tracked for orphan cleanup. - apiGroups: - rbac.authorization.k8s.io resources: @@ -66,8 +62,7 @@ rules: - list - patch - watch - # poddisruptionbudgets are applied via SSA and tracked for orphan cleanup but not watched - # by the controller. + # poddisruptionbudgets are applied via SSA and tracked for orphan cleanup. - apiGroups: - policy resources: @@ -78,6 +73,8 @@ rules: - get - list - patch + # Required for maintaining the CRDs within the operator (including the conversion webhook info). + # Also for the startup condition check before the controller can run. - apiGroups: - apiextensions.k8s.io resources: @@ -92,6 +89,7 @@ rules: # Required for startup condition - list - watch + # Required to report reconciliation results and warnings back to the HdfsCluster object. - apiGroups: - events.k8s.io resources: @@ -117,6 +115,7 @@ rules: - get - list - watch + # Status subresource: updated at the end of every reconciliation. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: 
@@ -173,6 +172,7 @@ rules: - pods verbs: - list + # Required to report events from HDFS product pods. - apiGroups: - events.k8s.io resources: @@ -181,6 +181,7 @@ rules: - create - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # Required on OpenShift to allow HDFS pods to run as a non-root user. - apiGroups: - security.openshift.io resources: @@ -222,7 +223,7 @@ rules: verbs: - get - list - # needed to query the crd version (v1alpha1 etc.) before fetching listeners + # Required to discover the installed CRD API version before querying listeners. - apiGroups: - apiextensions.k8s.io resources: From 9f3a885787931c7f1fc17424a4e90b388804f4d4 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Mon, 30 Mar 2026 14:19:07 +0200 Subject: [PATCH 06/13] chore: Split the clusterroles between operator and product --- .../{roles.yaml => clusterrole-operator.yaml} | 87 ------------------ .../templates/clusterrole-product.yaml | 92 +++++++++++++++++++ 2 files changed, 92 insertions(+), 87 deletions(-) rename deploy/helm/hdfs-operator/templates/{roles.yaml => clusterrole-operator.yaml} (62%) create mode 100644 deploy/helm/hdfs-operator/templates/clusterrole-product.yaml diff --git a/deploy/helm/hdfs-operator/templates/roles.yaml b/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml similarity index 62% rename from deploy/helm/hdfs-operator/templates/roles.yaml rename to deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml index 5daab05f..0c5fff9f 100644 --- a/deploy/helm/hdfs-operator/templates/roles.yaml +++ b/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml 
@@ -143,90 +143,3 @@ rules: - bind resourceNames: - {{ include "operator.name" . }}-clusterrole ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "operator.name" . }}-clusterrole - labels: - {{- include "operator.labels" . | nindent 4 }} -rules: - # Read configuration and identity resources mounted or referenced by product pods. - # - configmaps: HDFS configuration files - # - secrets: TLS certificates and Kerberos keytabs (provided by secret-operator volumes) - # - serviceaccounts: bound service account token projection - # - pods: pod self-inspection (e.g. hostname resolution, ZooKeeper coordination) - - apiGroups: - - "" - resources: - - configmaps - - secrets - - serviceaccounts - - pods - verbs: - - get - # List pods for topology detection and peer discovery. - - apiGroups: - - "" - resources: - - pods - verbs: - - list - # Required to report events from HDFS product pods. - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create - - patch -{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} - # Required on OpenShift to allow HDFS pods to run as a non-root user. - - apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - nonroot-v2 - verbs: - - use -{{ end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "operator.name" . }}-clusterrole-nodes - labels: - {{- include "operator.labels" . | nindent 4 }} -rules: - # The topology provider (rack awareness) running inside HDFS pods queries pod, node, and - # endpoint information to compute rack labels for DataNodes. - # - pods: discover pod-to-node assignment for topology calculation; watched by pod informer - # - nodes: read rack labels (e.g. 
topology.kubernetes.io/zone) from the node the pod runs on - # - endpoints: map service endpoints to pod IPs for topology resolution - - apiGroups: - - "" - resources: - - pods - - nodes - - endpoints - verbs: - - get - - list - # needed for pod informer - - watch - # Read listener addresses so HDFS pods can resolve external access endpoints. - - apiGroups: - - listeners.stackable.tech - resources: - - listeners - verbs: - - get - - list - # Required to discover the installed CRD API version before querying listeners. - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get diff --git a/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml new file mode 100644 index 00000000..5e7fb24a --- /dev/null +++ b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml 
@@ -0,0 +1,92 @@ +--- +# Product ClusterRole: bound (via per-HdfsCluster RoleBinding) to the ServiceAccount that HDFS +# workload pods (namenodes, datanodes, journalnodes) run as. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "operator.name" . }}-clusterrole + labels: + {{- include "operator.labels" . | nindent 4 }} +rules: + # Read configuration and identity resources mounted or referenced by product pods. + # - configmaps: HDFS configuration files + # - secrets: TLS certificates and Kerberos keytabs (provided by secret-operator volumes) + # - serviceaccounts: bound service account token projection + # - pods: pod self-inspection (e.g. hostname resolution, ZooKeeper coordination) + - apiGroups: + - "" + resources: + - configmaps + - secrets + - serviceaccounts + - pods + verbs: + - get + # List pods for topology detection and peer discovery. + - apiGroups: + - "" + resources: + - pods + verbs: + - list + # Required to report events from HDFS product pods. + - apiGroups: + - events.k8s.io + resources: + - events + verbs: + - create + - patch +{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # Required on OpenShift to allow HDFS pods to run as a non-root user. + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nonroot-v2 + verbs: + - use +{{ end }} +--- +# Nodes ClusterRole: bound (via a single cluster-scoped ClusterRoleBinding) to the same +# ServiceAccount. Grants the additional permissions needed by the HDFS topology provider +# for rack awareness, which requires cluster-wide pod, node, and endpoint access. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "operator.name" . }}-clusterrole-nodes + labels: + {{- include "operator.labels" . 
| nindent 4 }} +rules: + # The topology provider (rack awareness) running inside HDFS pods queries pod, node, and + # endpoint information to compute rack labels for DataNodes. + # - pods: discover pod-to-node assignment for topology calculation; watched by pod informer + # - nodes: read rack labels (e.g. topology.kubernetes.io/zone) from the node the pod runs on + # - endpoints: map service endpoints to pod IPs for topology resolution + - apiGroups: + - "" + resources: + - pods + - nodes + - endpoints + verbs: + - get + - list + # needed for pod informer + - watch + # Read listener addresses so HDFS pods can resolve external access endpoints. + - apiGroups: + - listeners.stackable.tech + resources: + - listeners + verbs: + - get + - list + # Required to discover the installed CRD API version before querying listeners. + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get From cc6542648cba6fa6511e8893d7e3b492a2b9ad91 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 31 Mar 2026 11:50:26 +0200 Subject: [PATCH 07/13] chore: Remove superfluous permissions from the product clusterrole --- .../helm/hdfs-operator/templates/clusterrole-product.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml index 5e7fb24a..a7d19361 100644 --- a/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml +++ b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml @@ -29,14 +29,6 @@ rules: - pods verbs: - list - # Required to report events from HDFS product pods. - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create - - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} # Required on OpenShift to allow HDFS pods to run as a non-root user. - apiGroups: From 9b8ec1393f18e1fd172a4dcba250613074e952db Mon Sep 17 00:00:00 2001 
From: Nick Larsen
Date: Tue, 31 Mar 2026 11:57:20 +0200
Subject: [PATCH 08/13] chore: Simplify comments
---
 .../helm/hdfs-operator/templates/clusterrole-operator.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml b/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml
index 0c5fff9f..d725f3b4 100644
--- a/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml
+++ b/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml
@@ -50,7 +50,7 @@ rules:
 - get
 - list
 - patch
- # statefulsets are applied via SSA, tracked for orphan cleanup, and watched via .owns().
+ # statefulsets are applied via SSA, tracked for orphan cleanup.
 - apiGroups:
 - apps
 resources:
@@ -105,8 +105,7 @@ rules:
 - listeners
 verbs:
 - get
- # Watch HdfsClusters for reconciliation (list + watch via Controller::new(), get during
- # reconcile). Status is patched via a separate rule on the /status subresource.
+ # Watch HdfsClusters for reconciliation
 - apiGroups:
 - {{ include "operator.name" . }}.stackable.tech
 resources:
From 1926125044f813113a33ff3d94dd8c13bc5b7e2e Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Tue, 31 Mar 2026 11:58:22 +0200
Subject: [PATCH 09/13] chore: Remove redundant rules (pods get/list already covered by the "nodes" clusterrole
---
 .../hdfs-operator/templates/clusterrole-product.yaml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml
index a7d19361..1df00624 100644
--- a/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml
+++ b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml
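Review bot: The simplified comment `# statefulsets are applied via SSA, tracked for orphan cleanup.` no longer accounts for the `watch` verb that the statefulsets rule still grants, and the phrasing reads as a truncated list; the second hunk has the same problem, where `# Watch HdfsClusters for reconciliation` drops the sentence that tied `get`, `list` and `watch` to their uses. Since the point of this series is to document every verb that stays granted, suggest `# statefulsets are applied via SSA, tracked for orphan cleanup, and watched for changes.` and `# Watch HdfsClusters for reconciliation (get, list, watch); status is patched via the /status rule below.` Both enclosing rule bodies start outside their hunks.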
@@ -12,23 +12,14 @@ rules: # - configmaps: HDFS configuration files # - secrets: TLS certificates and Kerberos keytabs (provided by secret-operator volumes) # - serviceaccounts: bound service account token projection - # - pods: pod self-inspection (e.g. hostname resolution, ZooKeeper coordination) - apiGroups: - "" resources: - configmaps - secrets - serviceaccounts - - pods verbs: - get - # List pods for topology detection and peer discovery. - - apiGroups: - - "" - resources: - - pods - verbs: - - list {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} # Required on OpenShift to allow HDFS pods to run as a non-root user. - apiGroups: From 29c90567c8f08995afd4e2bacce238252dffd917 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 31 Mar 2026 13:15:43 +0200 Subject: [PATCH 10/13] chore: Remove unused permissions from the product clusterrole --- .../hdfs-operator/templates/clusterrole-product.yaml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml index 1df00624..a4b505ea 100644 --- a/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml +++ b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml @@ -8,18 +8,6 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - # Read configuration and identity resources mounted or referenced by product pods. - # - configmaps: HDFS configuration files - # - secrets: TLS certificates and Kerberos keytabs (provided by secret-operator volumes) - # - serviceaccounts: bound service account token projection - - apiGroups: - - "" - resources: - - configmaps - - secrets - - serviceaccounts - verbs: - - get {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} # Required on OpenShift to allow HDFS pods to run as a non-root user. - apiGroups: From 20c927ba902b24d5331ce2ecfb51cc4b6c0d4c58 Mon Sep 17 00:00:00 2001 
From: Nick Larsen Date: Tue, 31 Mar 2026 13:18:12 +0200 Subject: [PATCH 11/13] chore(nix): Update crate hashes --- Cargo.nix | 18 +++++++++--------- crate-hashes.json | 18 +++++++++--------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Cargo.nix b/Cargo.nix index ae8f95fe..06b24d1d 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -4813,7 +4813,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "k8s_version"; authors = [ @@ -9422,7 +9422,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_certs"; authors = [ @@ -9623,7 +9623,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_operator"; authors = [ @@ -9795,7 +9795,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_operator_derive"; 
@@ -9830,7 +9830,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_shared"; authors = [ @@ -9911,7 +9911,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_telemetry"; authors = [ @@ -10021,7 +10021,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_versioned"; authors = [ @@ -10065,7 +10065,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_versioned_macros"; @@ -10133,7 +10133,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_webhook"; authors = [ diff --git a/crate-hashes.json b/crate-hashes.json index 3714ebda..2148b36f 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
@@ -4,14 +4,14 @@ "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-derive@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-runtime@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": 
"0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file From 91631c125935cbbae8d85148c44d2f12c3e07b4a Mon Sep 17 00:00:00 2001 
From: Nick Larsen
Date: Tue, 31 Mar 2026 16:39:30 +0200
Subject: [PATCH 12/13] chore: Restore permissions that are needed by the topology provider
---
 .../hdfs-operator/templates/clusterrole-product.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml
index a4b505ea..dad2330f 100644
--- a/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml
+++ b/deploy/helm/hdfs-operator/templates/clusterrole-product.yaml
@@ -8,6 +8,18 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules:
+ # List and get pods for peer discovery (e.g. format-namenodes discovering namenode peers).
+ # These must live here in the product ClusterRole (not just in the nodes ClusterRole) because
+ # the nodes ClusterRoleBinding is updated asynchronously and may not yet include this service
+ # account when format-namenodes runs for the first time.
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
 # Required on OpenShift to allow HDFS pods to run as a non-root user.
 - apiGroups:
From ae2bd7dc99251b1c8aeafc0d50dc3bd7b9744b51 Mon Sep 17 00:00:00 2001
From: Nick Larsen
Date: Tue, 31 Mar 2026 20:56:26 +0200
Subject: [PATCH 13/13] fix: Allow clusterroles bind for the operator on the nodes clusterrole too
---
 .../hdfs-operator/templates/clusterrole-operator.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml b/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml
index d725f3b4..5eb0b66b 100644
--- a/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml
+++ b/deploy/helm/hdfs-operator/templates/clusterrole-operator.yaml
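Review bot: The restored pods rule grants `watch` in addition to `get` and `list`, but the comment above it justifies only "List and get pods for peer discovery", and the rules this patch restores (removed in patch 09) carried only `get` and `list`; a verb that none of the documented consumers need is exactly what this series sets out to strip. Either drop `- watch`, or extend the comment to name the watcher, e.g. `# get/list for peer discovery; watch for the topology provider's pod informer, which can start before the nodes binding is reconciled.` The comment also records a race against the asynchronously updated nodes ClusterRoleBinding as the reason this rule duplicates part of the nodes ClusterRole; that reasoning is sound, but it is worth cross-referencing it from the nodes ClusterRole comment so a later cleanup does not remove this rule a second time.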
@@ -133,7 +133,13 @@ rules:
 verbs:
 - create
 - patch
- # Allow binding the product ClusterRole when creating per-cluster RoleBindings.
+ # Allow binding the product ClusterRoles:
+ # - hdfs-clusterrole: referenced by per-cluster RoleBindings created by the operator
+ # - hdfs-clusterrole-nodes: referenced by the shared hdfs-clusterrolebinding-nodes
+ # ClusterRoleBinding managed by the operator. The bind verb is required because the
+ # operator itself does not hold all permissions that hdfs-clusterrole-nodes grants
+ # (nodes, endpoints, pods, listeners), so Kubernetes would otherwise reject the
+ # ClusterRoleBinding patch as a privilege escalation.
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
@@ -142,3 +148,4 @@ rules:
 - bind
 resourceNames:
 - {{ include "operator.name" . }}-clusterrole
+ - {{ include "operator.name" . }}-clusterrole-nodes
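Review bot: The new comment hard-codes the role names as `hdfs-clusterrole` and `hdfs-clusterrole-nodes`, while the `resourceNames` entries in the second hunk derive them from `{{ include "operator.name" . }}`; if that helper ever yields a different prefix the comment goes stale without anything failing. Suggest phrasing it in terms of the template, e.g. `# - <operator.name>-clusterrole: referenced by per-cluster RoleBindings created by the operator`. The scoping itself is right: `bind` stays limited to the two named ClusterRoles, so the operator can delegate exactly those permissions and no others, and the comment's explanation of why `bind` is needed (the operator does not itself hold the nodes role's grants) is accurate to the rules visible earlier in the series. The enclosing rule starts outside the first hunk, and the second hunk ends at the end of the file, so confirm the added line keeps a trailing newline.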