Skip to content

fix(manifests): add roles permission to control-plane ClusterRole #1449

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mergify merged 2 commits into from
Apr 23, 2026
+1 −1
Merged

fix(manifests): add roles permission to control-plane ClusterRole #1449

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fce8fae
fix(manifests): add roles permission to control-plane ClusterRole
Apr 23, 2026
6a270da
Merge branch 'main' into fix/control-plane-clusterrole-roles-permission
mergify[bot] Apr 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion components/manifests/base/rbac/control-plane-clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ rules:
verbs: ["get", "list", "watch", "create", "update", "patch"]
# RoleBindings (reconcile group access from ProjectSettings)
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["rolebindings"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Comment on lines 18 to 20
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Narrow roles permissions instead of inheriting full rolebindings verbs.

Line 19 fixes the missing roles access, but Line 20 now gives roles the full rolebindings verb set (list/watch/update/patch/delete) even though the provided reconcile path shows get + create for roles. Split this rule so roles has only required verbs, and keep broader verbs on rolebindings.

Suggested RBAC tightening 
 - apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["roles", "rolebindings"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  resources: ["roles"]
+  verbs: ["get", "create", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["rolebindings"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

As per coding guidelines, components/manifests/**/*.yaml: - RBAC must follow least-privilege.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["rolebindings"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles"]
verbs: ["get", "create", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["rolebindings"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@components/manifests/base/rbac/control-plane-clusterrole.yaml` around lines
18 - 20, The current RBAC rule groups resources "roles" and "rolebindings" under
apiGroups: ["rbac.authorization.k8s.io"] and grants the full verb set; split
this into two rules: one rule for "roles" that only includes the minimal verbs
the reconciler requires (e.g., "get" and "create") and a separate rule for
"rolebindings" that retains the broader verbs
("list","watch","update","patch","delete" as needed). Update the resources/verbs
entries so "roles" no longer inherits the full rolebindings verb set while
keeping rolebindings' permissions unchanged.

# Session runner resources (provision/deprovision per-session workloads in project namespaces)
- apiGroups: [""]
Expand Down
Loading