Why do you need it?
values.yaml already defines controller.rbac.create: true, but the four controller RBAC templates (controller-role.yaml, controller-rolebinding.yaml, controller-clusterrole.yaml, controller-clusterrolebinding.yaml) never check this value — all RBAC resources are created unconditionally. This means the existing toggle has no effect, which is a bug.
Additionally, for namespace admin deployments (users who only have namespace-level permissions), there is no way to skip the creation of ClusterRole/ClusterRoleBinding resources. Since namespace admins cannot create cluster-scoped resources, Helm install will fail in this scenario.
A similar gap exists on the gateway side: gateway.rbac.enabled controls whether RBAC resources are needed functionally (e.g., not needed when using Gateway API), but there is no separate toggle to skip ClusterRole/ClusterRoleBinding creation when cluster-level RBAC is pre-provisioned by a cluster admin.
How could it be?
- Fix the existing bug: `controller.rbac.create` was already defined in `values.yaml` but never referenced in templates. The controller ClusterRole/ClusterRoleBinding templates should respect this toggle.
- Simplify controller Role/RoleBinding: since namespace admins always have permission to create namespace-scoped Role/RoleBinding, these should be created unconditionally (no toggle needed).
- Add `gateway.rbac.create`: introduce a new `gateway.rbac.create` toggle (default `true`) to independently control gateway ClusterRole/ClusterRoleBinding creation, separate from the functional `gateway.rbac.enabled` toggle.
The final control logic:
| Resource | Condition | Semantics |
| --- | --- | --- |
| controller ClusterRole/ClusterRoleBinding | `controller.rbac.create` | Permission toggle for cluster-level resources |
| controller Role/RoleBinding | unconditional | Namespace admin always has permission |
| gateway ClusterRole/ClusterRoleBinding | `gateway.rbac.enabled && gateway.rbac.create` | Functional need + permission toggle |
| gateway Role/RoleBinding | `gateway.rbac.enabled` | Functional need only |
All changes are backward compatible — default values preserve existing behavior.
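As an added example (not part of this PR or of the Higress chart itself): a preflight check a namespace admin can run over `helm template` output before `helm install`, to confirm that with `controller.rbac.create=false` and `gateway.rbac.create=false` the rendered manifest no longer contains any cluster-scoped object. The chart path, release name, resource names and the sample manifest below are constructed for illustration, and the set of cluster-scoped kinds is a partial list (an assumption) that should be extended for the CRDs in use.

```python
"""Preflight check: does a rendered Helm manifest contain cluster-scoped
objects that a namespace admin cannot create?

Intended use (chart path and release name are assumptions):
    helm template higress helm/higress \
        --set controller.rbac.create=false \
        --set gateway.rbac.create=false \
        | python3 rbac_preflight.py
Exit status 1 means at least one cluster-scoped object would be applied.
"""
import sys

# Kinds that are cluster-scoped regardless of the target namespace.
# Partial list (assumption); extend it for the CRDs your cluster uses.
CLUSTER_SCOPED_KINDS = {
    "ClusterRole",
    "ClusterRoleBinding",
    "CustomResourceDefinition",
    "MutatingWebhookConfiguration",
    "ValidatingWebhookConfiguration",
    "Namespace",
    "PriorityClass",
    "StorageClass",
    "IngressClass",
    "GatewayClass",
}


def _has_content(lines):
    """True if the document has at least one non-comment, non-blank line."""
    return any(l.strip() and not l.lstrip().startswith("#") for l in lines)


def split_documents(manifest: str):
    """Yield the non-empty YAML documents of a multi-document stream."""
    doc = []
    for line in manifest.splitlines():
        if line.strip() == "---":
            if _has_content(doc):
                yield "\n".join(doc)
            doc = []
        else:
            doc.append(line)
    if _has_content(doc):
        yield "\n".join(doc)


def kind_and_name(doc: str):
    """Return (kind, metadata.name) by scanning top-level keys only.

    Deliberately small so the check has no PyYAML dependency: it reads the
    unindented `kind:` key and the `name:` key indented two spaces directly
    under an unindented `metadata:` block, and ignores everything else.
    """
    kind = name = None
    in_metadata = False
    for line in doc.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        if indent == 0:
            in_metadata = key == "metadata"
            if key == "kind":
                kind = value
        elif in_metadata and indent == 2 and key == "name":
            name = value
    return kind, name


def cluster_scoped_resources(manifest: str):
    """List (kind, name) for every cluster-scoped object in the manifest."""
    found = []
    for doc in split_documents(manifest):
        kind, name = kind_and_name(doc)
        if kind in CLUSTER_SCOPED_KINDS:
            found.append((kind, name))
    return found


def namespace_admin_safe(manifest: str) -> bool:
    """True when the manifest needs no cluster-level create permission."""
    return not cluster_scoped_resources(manifest)


# Constructed sample of what `helm template` could emit with the default
# values (cluster RBAC included). Not real chart output.
SAMPLE_DEFAULT = """\
---
# Source: higress/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: higress-controller
  namespace: higress-system
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: higress-controller
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: higress-controller
subjects:
  - kind: ServiceAccount
    name: higress-controller
    namespace: higress-system
roleRef:
  kind: ClusterRole
  name: higress-controller
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: higress-controller
  namespace: higress-system
spec: {}
"""

# The same render with the cluster-level toggles off: only the
# namespace-scoped documents remain (constructed by filtering the sample).
SAMPLE_NAMESPACE_ONLY = "\n---\n".join(
    d for d in split_documents(SAMPLE_DEFAULT)
    if kind_and_name(d)[0] not in CLUSTER_SCOPED_KINDS
)

if __name__ == "__main__":
    offenders = cluster_scoped_resources(sys.stdin.read())
    for kind, name in offenders:
        print(f"cluster-scoped object would be created: {kind}/{name}")
    sys.exit(1 if offenders else 0)
```

The scanner only trusts unindented `kind:` and `metadata.name`, so a `name:` under `roleRef:` or `subjects:` is never mistaken for the object's own name. Run it as a gate in the same pipeline that performs the install: if it exits non-zero, either the toggles were not set or the chart still renders something a cluster admin has to pre-provision.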
Other related information
Affected files:
helm/core/templates/controller-clusterrole.yaml
helm/core/templates/controller-clusterrolebinding.yaml
helm/core/templates/controller-role.yaml
helm/core/templates/controller-rolebinding.yaml
helm/core/templates/clusterrole.yaml
helm/core/values.yaml
helm/higress/README.md
helm/higress/README.zh.md