Hello Impala Public Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/24419
to look at the new patch set (#2).
Change subject: IMPALA-15049: Harden Impala Kubernetes operator RBAC permissions
......................................................................
IMPALA-15049: Harden Impala Kubernetes operator RBAC permissions

Replace the operator's cluster-admin binding with least-privilege
ClusterRoles scoped to the CRD control plane and the namespaced resources
required by Helm reconcile.

Grant read-only CRD discovery permissions required by Kopf watches so
reconcile remains event-driven under tightened RBAC.

Document the tightened RBAC model and optional-component permission notes
for LDAP-related resource kinds in the Kubernetes deployment guide.

Add a unit test that guards against reintroducing cluster-admin and verifies
critical namespace/status permissions in the RBAC manifest.

Testing:
- python3 operator/impala-operator/tests/test_main.py
- python3 operator/impala-operator/tests/test_rbac_manifest.py
- docker build -f operator/impala-operator/Dockerfile -t impala-operator:15049 .
- k3d image import impala-operator:15049 -c impala-live
- kubectl apply -k operator/impala-operator/manifests
- kubectl -n impala-operator-system set image deploy/impala-operator
  operator=impala-operator:15049
- kubectl apply -n impala-rbac-live -f <ImpalaCluster core config>
- kubectl patch -n impala-rbac-live impalacluster impala-rbac-demo --type merge
  -p '{"spec":{"ldapEnabled":true}}'
- kubectl patch -n impala-rbac-live impalacluster impala-rbac-demo --type merge
  -p '{"spec":{"kuduEnabled":true,"rangerEnabled":true,"rangerAuthEnabled":true}}'
- kubectl delete -n impala-rbac-live impalacluster impala-rbac-demo --wait=true
  (operator uninstalls both Helm releases)

Change-Id: Ia3eafc1f4ddcda423227ad5fc361e0bbbd4dad19
Assisted-by: GPT-5.3 (Cursor)
---
M helm/impala/README.md
M operator/impala-operator/manifests/rbac.yaml
A operator/impala-operator/tests/test_rbac_manifest.py
3 files changed, 117 insertions(+), 11 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/19/24419/2
--
To view, visit http://gerrit.cloudera.org:8080/24419
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ia3eafc1f4ddcda423227ad5fc361e0bbbd4dad19
Gerrit-Change-Number: 24419
Gerrit-PatchSet: 2
Gerrit-Owner: Anubhav Jindal <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
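
An added example, not code from the Impala change or its test_rbac_manifest.py: one way to write a manifest guard of the kind the commit message describes, flagging cluster-admin bindings and wildcard rules and confirming that a needed permission is still granted. The manifests are constructed JSON samples, and every role, API group and resource name in them is hypothetical.

```python
import json

# Constructed sample manifests (Kubernetes accepts JSON as well as YAML).
# All names here are hypothetical, not taken from the Impala repository.
BEFORE = json.loads("""[
 {"kind": "ClusterRoleBinding", "metadata": {"name": "demo-operator"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "demo-operator"}]}
]""")
AFTER = json.loads("""[
 {"kind": "ClusterRole", "metadata": {"name": "demo-operator-crd"},
  "rules": [
   {"apiGroups": ["apiextensions.k8s.io"],
    "resources": ["customresourcedefinitions"],
    "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["example.org"],
    "resources": ["democlusters", "democlusters/status"],
    "verbs": ["get", "list", "watch", "patch", "update"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "demo-operator-crd"},
  "roleRef": {"kind": "ClusterRole", "name": "demo-operator-crd"},
  "subjects": [{"kind": "ServiceAccount", "name": "demo-operator"}]}
]""")

BINDINGS = ("ClusterRoleBinding", "RoleBinding")
ROLES = ("ClusterRole", "Role")

def rbac_findings(docs):
    """Return a list of least-privilege violations found in RBAC objects."""
    out = []
    for doc in docs:
        name = doc.get("metadata", {}).get("name", "?")
        if doc.get("kind") in BINDINGS and doc.get("roleRef", {}).get("name") == "cluster-admin":
            out.append(f"{name}: binds cluster-admin")
        if doc.get("kind") in ROLES:
            for i, rule in enumerate(doc.get("rules") or []):
                for field in ("apiGroups", "resources", "verbs"):
                    if "*" in rule.get(field, []):
                        out.append(f"{name}: rule {i} has wildcard {field}")
    return out

def allows(docs, group, resource, verb):
    """True if any role rule grants verb on group/resource."""
    return any(group in r.get("apiGroups", []) and resource in r.get("resources", [])
               and verb in r.get("verbs", [])
               for d in docs if d.get("kind") in ROLES for r in d.get("rules") or [])

if __name__ == "__main__":
    print(rbac_findings(BEFORE), rbac_findings(AFTER))
```

Pairing the negative check with `allows` assertions keeps a tightened manifest from silently dropping a permission the operator still needs, such as watch on CRDs or patch on a status subresource.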