villebro opened a new pull request, #53:
URL: https://github.com/apache/superset-kubernetes-operator/pull/53
## Summary
Restricts the default user-facing RBAC helper roles (`superset-editor-role`,
`superset-admin-role`, `superset-viewer-role`) to grant write access only to
the parent `Superset` CRD. Child CRDs (`SupersetWebServer`,
`SupersetCeleryWorker`, `SupersetLifecycleTask`, etc.) are controller-managed
implementation details; they are now exposed as read-only in these helper roles
so administrators can inspect them without being offered a foot-gun that
bypasses parent CEL validation and lifecycle orchestration. The dedicated
`supersetlifecycletask_{editor,admin,viewer}_role.yaml` helpers are removed —
they are redundant with the extended parent roles.
Also expands `docs/reference/security.md` to prominently document child-CRD
governance, ServiceAccount selection as part of CR write access, install scope
(cluster-scoped today, namespace-scoped under consideration), NetworkPolicy
ingress-only baseline, metrics TLS defaults, and trusted clone input — all
follow-ups from a recent security review.
## Details
**RBAC (`config/rbac/`)**
- `superset_editor_role.yaml`: write verbs restricted to `supersets`;
read-only (`get/list/watch`) rule added for all seven child CRDs.
- `superset_admin_role.yaml`: wildcard `*` restricted to `supersets`;
read-only rule for children.
- `superset_viewer_role.yaml`: extended to cover all eight CRDs + `/status`.
- Deleted `supersetlifecycletask_editor_role.yaml`,
`supersetlifecycletask_admin_role.yaml`,
`supersetlifecycletask_viewer_role.yaml`.
- `kustomization.yaml`: removed the three deleted references; updated the
section comment to explain the split.
- No Helm changes (the chart never shipped these user-facing roles — only
operator-internal RBAC).
**Documentation (`docs/reference/security.md`)**
- New subsections under *Trust Boundaries*: "Child CRDs Are
Controller-Managed Internals" and "ServiceAccount Selection Is Part of CR Write
Access".
- New bullets in *Design Decisions*: NetworkPolicy provides baseline ingress
segmentation only (egress unrestricted by design); metrics endpoint ships with
`insecureSkipVerify: true` gated by bearer-token authz.
- New *Install Scope* subsection under *RBAC Justification*.
- New *Out of Scope* bullet documenting that `lifecycle.clone` task commands
are trusted input.
**Cross-references (`docs/user-guide/networking-and-monitoring.md`)**
- NetworkPolicy section links to the new security reference for the
egress-baseline rationale.
- Metrics TLS paragraph links to the new security reference for the
bearer-token trust model.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
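The RBAC split described in this pull request (write verbs on the parent `supersets` resource only, `get/list/watch` on the controller-managed child CRDs) is something a cluster administrator can check mechanically before applying a helper role. The following audit script is an added example, not code from the apache/superset-kubernetes-operator repository: it walks the `rules` of a Role/ClusterRole manifest and reports any rule that grants a write verb (including the `*` wildcard) on a child CRD. The API group `superset.example.org` is a placeholder assumption, and the plural resource names for the child kinds are derived from the three kinds named in the PR; only those three are listed, so the "all seven child CRDs" set from the description is not reproduced here. The two sample roles are constructed inline: an over-broad hypothetical editor role, and restricted editor and admin roles shaped like the ones the PR describes.

```python
"""Audit helper-role manifests for write grants on controller-managed child CRDs.

Added example; not the operator project's own code. The API group below is a
placeholder and the child resource plurals are assumed from the kinds named in
the PR description (SupersetWebServer, SupersetCeleryWorker, SupersetLifecycleTask).
"""

API_GROUP = "superset.example.org"  # placeholder, not the project's real group
PARENT_RESOURCE = "supersets"
# Assumed plural names for the three child kinds named in the PR.
CHILD_RESOURCES = {"supersetwebservers", "supersetceleryworkers", "supersetlifecycletasks"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
READ_ONLY_VERBS = {"get", "list", "watch"}


def child_write_grants(role):
    """Return sorted (resource, verb) pairs where a rule grants write access to a child CRD.

    A resource entry of "*" counts as covering every child; a subresource such as
    "supersetwebservers/status" is attributed to its base resource.
    """
    findings = set()
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        if API_GROUP not in groups and "*" not in groups:
            continue  # rule does not touch the operator's API group
        resources = {r.split("/")[0] for r in rule.get("resources", [])}
        verbs = set(rule.get("verbs", []))
        write_verbs = verbs & WRITE_VERBS
        if not write_verbs:
            continue
        covered = CHILD_RESOURCES if "*" in resources else resources & CHILD_RESOURCES
        for res in covered:
            for verb in write_verbs:
                findings.add((res, verb))
    return sorted(findings)


def is_child_read_only(role):
    """True when the role grants no write verb on any child CRD."""
    return not child_write_grants(role)


def _rule(resources, verbs):
    return {"apiGroups": [API_GROUP], "resources": list(resources), "verbs": list(verbs)}


# Constructed sample: a hypothetical over-broad editor role that also lets a user
# create/delete lifecycle tasks directly, bypassing the parent CR's validation.
OVERBROAD_EDITOR_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "superset-editor-role"},
    "rules": [_rule([PARENT_RESOURCE, "supersetlifecycletasks"],
                    ["create", "delete", "get", "list", "patch", "update", "watch"])],
}

# Constructed sample shaped like the PR's restricted editor role: full write on
# the parent CR, read-only on the controller-managed children.
RESTRICTED_EDITOR_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "superset-editor-role"},
    "rules": [
        _rule([PARENT_RESOURCE], ["create", "delete", "get", "list", "patch", "update", "watch"]),
        _rule([PARENT_RESOURCE + "/status"], ["get"]),
        _rule(sorted(CHILD_RESOURCES), sorted(READ_ONLY_VERBS)),
    ],
}

# Constructed sample shaped like the PR's restricted admin role: wildcard on
# the parent only, read-only on children.
RESTRICTED_ADMIN_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "superset-admin-role"},
    "rules": [
        _rule([PARENT_RESOURCE], ["*"]),
        _rule(sorted(CHILD_RESOURCES), sorted(READ_ONLY_VERBS)),
    ],
}

# Constructed sample: wildcard resources with wildcard verbs, the broadest foot-gun.
WILDCARD_ROLE = {"kind": "ClusterRole", "rules": [_rule(["*"], ["*"])]}


if __name__ == "__main__":
    for role in (OVERBROAD_EDITOR_ROLE, RESTRICTED_EDITOR_ROLE, RESTRICTED_ADMIN_ROLE, WILDCARD_ROLE):
        name = role.get("metadata", {}).get("name", "<unnamed>")
        grants = child_write_grants(role)
        status = "OK (children read-only)" if not grants else "WRITE ON CHILD CRDs: %s" % grants
        print("%s: %s" % (name, status))
```

Run it against a real manifest by loading the YAML into a dict (for example with PyYAML) and passing it to `child_write_grants`; an empty result means the role matches the split this PR introduces, and any non-empty result lists exactly which child resource and verb would let a user bypass the parent `Superset` CR.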