Merge pull request #57 from Vedant-Deshpande/RHAIENG-3476-Audit-RBAC-Controller

alimaredia · web-flow · commit 63c40fb6e748 · 2026-03-11T18:52:42.000-04:00
Audit RBAC for Spark Operator controller
diff --git a/config/rbac/clusterrole.yaml b/config/rbac/clusterrole.yaml
@@ -8,38 +8,44 @@ metadata:
     app.kubernetes.io/instance: spark-operator
     app.kubernetes.io/component: controller
 rules:
-# Core resources
+# Core resources - verbs are tailored per resource to follow least privilege
 - apiGroups: [""]
-  resources:
-  - pods
-  - configmaps
-  - services
-  - persistentvolumeclaims
-  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
+  resources: [pods]
+  verbs: [create, delete, get, list, update, watch]
 - apiGroups: [""]
-  resources: [events]
-  verbs: [create, patch, update]
+  resources: [configmaps]
+  verbs: [create, get, list, patch, update, watch]
 - apiGroups: [""]
-  resources: [nodes]
-  verbs: [get]
+  resources: [services]
+  verbs: [create, delete, get, list, patch, update, watch]
 - apiGroups: [""]
-  resources: [resourcequotas]
-  verbs: [get, list, watch]
+  resources: [persistentvolumeclaims]
+  verbs: [list, watch]
+- apiGroups: [""]
+  resources: [events]
+  verbs: [create, patch, update]
 # CRDs
+# Used for the optional Volcano scheduler
 - apiGroups: [apiextensions.k8s.io]
   resources: [customresourcedefinitions]
   verbs: [get]
 # Ingresses
 - apiGroups: [extensions, networking.k8s.io]
   resources: [ingresses]
-  verbs: [create, delete, get, list, update, watch]
+  verbs: [create, delete, get, update]
 # SparkApplication CRDs
 - apiGroups: [sparkoperator.k8s.io]
-  resources: [sparkapplications, scheduledsparkapplications, sparkconnects]
-  verbs: [create, delete, get, list, patch, update, watch]
+  resources: [sparkapplications]
+  verbs: [create, delete, get, list, watch]
+- apiGroups: [sparkoperator.k8s.io]
+  resources: [scheduledsparkapplications]
+  verbs: [get, list, watch]
+- apiGroups: [sparkoperator.k8s.io]
+  resources: [sparkconnects]
+  verbs: [get, list, watch]
 - apiGroups: [sparkoperator.k8s.io]
-  resources: [sparkapplications/finalizers, scheduledsparkapplications/finalizers, sparkconnects/finalizers]
+  resources: [sparkapplications/finalizers]
   verbs: [update]
 - apiGroups: [sparkoperator.k8s.io]
   resources: [sparkapplications/status, scheduledsparkapplications/status, sparkconnects/status]
-  verbs: [get, patch, update]
+  verbs: [update]
diff --git a/config/rbac/leader-election-role.yaml b/config/rbac/leader-election-role.yaml
@@ -11,10 +11,4 @@ metadata:
 rules:
 - apiGroups: [coordination.k8s.io]
   resources: [leases]
-  verbs: [create, delete, get, list, patch, update, watch]
-- apiGroups: [""]
-  resources: [events]
-  verbs: [create, patch, update]
-- apiGroups: [""]
-  resources: [configmaps]
-  verbs: [create, delete, get, list, patch, update, watch]
+  verbs: [create, get, update]
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
