Hello Impala Public Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/24419
to look at the new patch set (#3).
Change subject: IMPALA-15049: Harden Impala Kubernetes operator RBAC permissions
......................................................................
IMPALA-15049: Harden Impala Kubernetes operator RBAC permissions
Replace the operator's cluster-admin binding with least-privilege
ClusterRoles scoped to the CRD control plane and the namespaced resources
required by Helm reconcile.
Grant read-only CRD discovery permissions required by Kopf watches so
reconcile remains event-driven under tightened RBAC.
Document the tightened RBAC model and optional-component permission notes
for LDAP-related resource kinds in the Kubernetes deployment guide.
Add a Helm --set list-index caveat so sparse extraArgs indices are avoided
and do not render blank arguments in container command lines.
Add a unit test that guards against reintroducing cluster-admin and verifies
critical namespace/status permissions in the RBAC manifest.
Testing:
- python3 operator/impala-operator/tests/test_main.py
- python3 operator/impala-operator/tests/test_rbac_manifest.py
- python3 -m unittest discover -s operator/impala-operator/tests -p "test_*.py"
- docker build -f operator/impala-operator/Dockerfile -t impala-operator:15049 .
- k3d image import impala-operator:15049 -c impala-live
- kubectl apply -k operator/impala-operator/manifests
- kubectl -n impala-operator-system set image deploy/impala-operator
    operator=impala-operator:15049
- kubectl apply -n impala-rbac-live -f <ImpalaCluster core config>
- kubectl patch -n impala-rbac-live impalacluster impala-rbac-demo --type merge
    -p '{"spec":{"ldapEnabled":true}}'
- kubectl patch -n impala-rbac-live impalacluster impala-rbac-demo --type merge
    -p '{"spec":{"kuduEnabled":true,"rangerEnabled":true,"rangerAuthEnabled":true}}'
- kubectl delete -n impala-rbac-live impalacluster impala-rbac-demo --wait=true
    (operator uninstalls both Helm releases)
- kubectl apply -n impala-exhaustive-live -f <ImpalaCluster with
    ldap+kudu+ranger>
- python3 <LDAP impyla smoke script> (CREATE DATABASE, CREATE KUDU TABLE,
    INSERT, SELECT)
Change-Id: Ia3eafc1f4ddcda423227ad5fc361e0bbbd4dad19
Assisted-by: GPT-5.3 (Cursor)
Co-authored-by: Cursor <[email protected]>
---
M helm/impala/README.md
M operator/impala-operator/main.py
M operator/impala-operator/manifests/rbac.yaml
A operator/impala-operator/tests/test_rbac_manifest.py
4 files changed, 124 insertions(+), 11 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/19/24419/3
--
To view, visit http://gerrit.cloudera.org:8080/24419
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ia3eafc1f4ddcda423227ad5fc361e0bbbd4dad19
Gerrit-Change-Number: 24419
Gerrit-PatchSet: 3
Gerrit-Owner: Anubhav Jindal <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
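The commit message above describes a guard test that fails if a cluster-admin binding is reintroduced and verifies that the operator's ClusterRole still grants the namespace and status permissions it needs. The following is an added, stand-alone Python illustration of that kind of check; it is not code from this change, from test_rbac_manifest.py, or from the Impala project. The manifest documents are constructed inline (a real test would load rbac.yaml with yaml.safe_load_all), and the role, binding, API group and resource names (impala-operator-crd, impala.apache.org, impalaclusters) are assumptions for the example. Resource matching follows the Kubernetes RBAC authorizer rules: "*" is a wildcard in apiGroups, resources and verbs, a subresource such as impalaclusters/status must be listed explicitly or covered by "*" or "*/status", and a rule naming only impalaclusters does not grant the status subresource.

```python
"""Least-privilege RBAC manifest checks (added example, not project code).

The manifests below are constructed for illustration; names such as
impala-operator-crd, impala.apache.org and impalaclusters are assumptions,
not copied from the change under review.
"""

# Built-in ClusterRoles that hand out far more than an operator needs.
PRIVILEGED_ROLES = {"cluster-admin", "admin", "edit"}


def privileged_bindings(docs, privileged=PRIVILEGED_ROLES):
    """Names of (Cluster)RoleBindings whose roleRef targets a built-in
    privileged ClusterRole. A non-empty result means cluster-admin (or an
    equivalent) has crept back into the manifest."""
    return [
        doc["metadata"]["name"]
        for doc in docs
        if doc.get("kind") in ("ClusterRoleBinding", "RoleBinding")
        and doc.get("roleRef", {}).get("kind") == "ClusterRole"
        and doc["roleRef"].get("name") in privileged
    ]


def wildcard_rules(rules):
    """Rules granting '*' verbs on '*' resources in '*' apiGroups: cluster-admin
    by another name, even if no binding names cluster-admin."""
    return [r for r in rules
            if "*" in r.get("apiGroups", []) and "*" in r.get("resources", [])
            and "*" in r.get("verbs", [])]


def rules_for(docs, role_name):
    """PolicyRules of the named ClusterRole/Role, or [] if it is absent."""
    for doc in docs:
        if doc.get("kind") in ("ClusterRole", "Role") and doc["metadata"]["name"] == role_name:
            return doc.get("rules", [])
    return []


def _resource_matches(rule_resources, requested):
    """Mirror the authorizer: exact match, '*', or '*/<subresource>'."""
    if "*" in rule_resources or requested in rule_resources:
        return True
    if "/" in requested:
        subresource = requested.split("/", 1)[1]
        return "*/" + subresource in rule_resources
    return False


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants verb on apiGroup/resource. The core API
    group is the empty string, exactly as it appears in a manifest."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and _resource_matches(rule.get("resources", []), resource)
            and ("*" in verbs or verb in verbs))


def missing_permissions(rules, required):
    """Subset of required (apiGroup, resource, verb) triples that no rule grants."""
    return [req for req in required if not any(rule_allows(r, *req) for r in rules)]


# --- constructed manifests: the 'before' binds cluster-admin, the 'after' scopes the role ---
SUBJECT = [{"kind": "ServiceAccount", "name": "impala-operator", "namespace": "impala-operator-system"}]

BEFORE_DOCS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "impala-operator-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": SUBJECT},
]

AFTER_DOCS = [
    {"kind": "ClusterRole", "metadata": {"name": "impala-operator-crd"}, "rules": [
        {"apiGroups": ["impala.apache.org"], "resources": ["impalaclusters", "impalaclusters/status"],
         "verbs": ["get", "list", "watch", "patch", "update"]},
        # Read-only CRD discovery so the Kopf watch can resolve the resource kind.
        {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    ]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "impala-operator-crd"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "impala-operator-crd"},
     "subjects": SUBJECT},
]

# Permissions the guard insists on (assumed set for the example).
REQUIRED = [
    ("impala.apache.org", "impalaclusters", "watch"),
    ("impala.apache.org", "impalaclusters/status", "patch"),
    ("apiextensions.k8s.io", "customresourcedefinitions", "list"),
    ("", "namespaces", "get"),
]


def check_manifest(docs, role_name="impala-operator-crd", required=REQUIRED):
    """Combined verdict: nothing privileged bound, no wildcard rules, nothing missing."""
    rules = rules_for(docs, role_name)
    return {"privileged_bindings": privileged_bindings(docs),
            "wildcard_rules": wildcard_rules(rules),
            "missing": missing_permissions(rules, required)}


if __name__ == "__main__":
    print("before:", check_manifest(BEFORE_DOCS))
    print("after: ", check_manifest(AFTER_DOCS))
```

The subresource handling is the part worth keeping in a guard test: a rule that lists only impalaclusters silently fails status patches under a tightened role, which shows up as a stalled reconcile rather than a clear RBAC error in the operator log.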