Update RBAC permissions #200

Merged: Tzvonimir merged 2 commits into main from tzvonimir/update-rbac-permissions on Dec 1, 2025
Conversation

@Tzvonimir (Contributor) commented Dec 1, 2025

Summary by CodeRabbit

Release Notes

  • New Features
    • Added dedicated metrics authentication role for token review and authorization checks.
    • Expanded resource access permissions across core, apps, batch, networking, and additional API groups.
    • Enhanced leader election with refined coordination capabilities.
  • Documentation
    • Added comprehensive RBAC reference documenting permissions matrix, ServiceAccount configuration, bootstrap versus runtime requirements, and optional third-party integrations.

coderabbitai (Bot) commented Dec 1, 2025

Walkthrough

This PR expands and reorganizes Kubernetes RBAC configurations for the ZXporter Operator, introducing comprehensive permissions across multiple API groups, new metrics authentication roles, reorganized leader-election scope, and corresponding documentation. Changes span configuration files, Helm charts, controller annotations, and new RBAC documentation.

Changes

Cohort: Core RBAC Configuration
  Files: config/rbac/role.yaml, helm-chart/zxporter/templates/zxporter-rbac.yaml
  Summary: Expanded manager-role ClusterRole with permissions across core, apps, batch, apiregistration, autoscaling, datadoghq.com, karpenter.*, keda.sh, kubeflow.org, metrics.k8s.io, networking.k8s.io, policy, rbac.authorization.k8s.io, storage.k8s.io API groups. Simplified leader-election-role to coordination leases and events. Added two new ClusterRoles: devzero-zxporter-metrics-auth-role and devzero-zxporter-metrics-reader. Updated RoleBindings to reference expanded roles.

Cohort: Documentation
  Files: docs/rbac.md
  Summary: New comprehensive RBAC documentation covering permissions matrix, bootstrap vs. runtime requirements, per-resource access, security considerations, third-party integrations, and graceful degradation for optional services.

Cohort: Controller Annotations
  Files: internal/controller/collectionpolicy_controller.go
  Summary: Reorganized in-code RBAC annotations with new comment blocks for COLLECTION POLICY CRD MANAGEMENT, BOOTSTRAP PERMISSIONS, RUNTIME PERMISSIONS, and OPTIONAL THIRD-PARTY RESOURCES. Primarily documentation-centric changes with minimal functional impact.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Expanded RBAC rules across multiple API groups require careful validation to ensure adherence to least-privilege principles
  • New ClusterRoles (devzero-zxporter-metrics-auth-role, devzero-zxporter-metrics-reader) and their bindings need verification
  • Permission scope changes and restructured apiGroups blocks across config/rbac/role.yaml and Helm chart must be cross-verified for consistency
  • Heterogeneous change types (config, manifests, annotations, new docs) demand separate reasoning for each cohort

Suggested reviewers

  • sandipanpanda
  • Ignas

Poem

🐰 The RBAC matrix grows with care,
Permissions sprouting everywhere!
Metrics auth and leaders lean,
Third-party bridges now convene,
Security layers, structured and fair! ✨

Pre-merge checks and finishing touches

Passed checks (3 passed):
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Update RBAC permissions' directly and clearly summarizes the main change across all modified files (role.yaml, rbac.md, zxporter-rbac.yaml, and collectionpolicy_controller.go), which all involve RBAC permission updates.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

coderabbitai (Bot) left a comment
Actionable comments posted: 0

🧹 Nitpick comments (4)
docs/rbac.md (2)

9-15: Consider adding blank lines around tables for markdownlint compliance

The three permission tables start immediately after headings. Adding a blank line before and after each table (Main Operator ClusterRole, Conditional Third-Party Permissions, Leader Election Role) will satisfy MD058 and improve readability.

Also applies to: 57-61, 79-83
274-288: Clarify “runtime” write permissions vs overall RBAC capabilities

The “two-phase permission model” section says the runtime phase “operates with minimal write permissions (only ConfigMap updates)”. That’s accurate for what the Go controller intends to do at runtime, but the bound ServiceAccount also retains bootstrap-capable rights (e.g., RBAC and metrics-server resources) from the ClusterRole. Consider rephrasing to make it explicit that:

  • Bootstrap permissions remain granted at the RBAC level, but
  • Only ConfigMap updates are exercised by the controller during normal runtime.

This keeps the security description precise without changing behavior.

helm-chart/zxporter/templates/zxporter-rbac.yaml (1)

1-7: RBAC manifest structure looks solid; consider tweaking the header comment

The split between:

  • devzero-zxporter-leader-election-role (leases/events/configmaps in the operator namespace),
  • devzero-zxporter-manager-role (bootstrap + runtime + optional third‑party monitoring), and
  • the new metrics auth/reader ClusterRoles

is clear and aligns with the controller’s RBAC annotations and the new docs.

One small nit: the header comment (“This role contains permissions needed for… 2. Metrics server bootstrap installation”) reads as if the Role handles metrics-server bootstrap, but those permissions actually live in the devzero-zxporter-manager-role ClusterRole below. Consider rewording the comment to refer to “this file” or explicitly to the manager ClusterRole to avoid confusion.

Also applies to: 113-177, 425-501

config/rbac/role.yaml (1)

7-18: Manager ClusterRole RBAC updates align with controller annotations; optional tightening for ConfigMaps

The added/updated rules for:

  • configmaps (get,list,update,watch),
  • serviceaccounts/services (create + read),
  • apiregistration.k8s.io/apiservices (now including watch), and
  • apps/deployments (create + read)

bring manager-role in line with the controller’s kubebuilder RBAC annotations and the Helm devzero-zxporter-manager-role, which is great for reducing drift between paths.

If you ever want stricter least‑privilege for non‑Helm installs, you could consider scoping the configmaps update permission to just the operator’s config ConfigMap (e.g., by splitting into a namespaced Role and/or using resourceNames). Not required for correctness, but it would better reflect the intent that only that ConfigMap is modified.

Also applies to: 41-52, 62-71, 82-92

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c11ef2 and 54094b7.

⛔ Files ignored due to path filters (4)
  • dist/backend-install.yaml is excluded by !**/dist/**
  • dist/install.yaml is excluded by !**/dist/**
  • dist/installer_updater.yaml is excluded by !**/dist/**
  • dist/zxporter.yaml is excluded by !**/dist/**
📒 Files selected for processing (4)
  • config/rbac/role.yaml (3 hunks)
  • docs/rbac.md (1 hunks)
  • helm-chart/zxporter/templates/zxporter-rbac.yaml (9 hunks)
  • internal/controller/collectionpolicy_controller.go (3 hunks)
🧰 Additional context used

LanguageTool, docs/rbac.md:
  • [grammar] ~276-~276: Ensure spelling is correct. Context: "... ### Principle of Least Privilege The zxporter operator follows a two-phase permission..." (QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

markdownlint-cli2 (0.18.1), docs/rbac.md:
  • 10-10: Tables should be surrounded by blank lines (MD058, blanks-around-tables)
  • 58-58: Tables should be surrounded by blank lines (MD058, blanks-around-tables)
  • 79-79: Tables should be surrounded by blank lines (MD058, blanks-around-tables)

🔇 Additional comments (1)
internal/controller/collectionpolicy_controller.go (1)

139-245: RBAC annotation reorganization looks consistent with manifests and usage

The new kubebuilder RBAC sections (CRD management, bootstrap, runtime, optional third‑party) line up with what the controller actually touches and with the expanded ClusterRole rules in config/rbac/role.yaml and the Helm RBAC template. The split between bootstrap (write-heavy) and runtime (mostly read-only, except ConfigMap updates) is clear and matches the docs.
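The two reviewer points above, scoping the configmaps `update` grant to one named ConfigMap and keeping the kustomize and Helm copies of the manager ClusterRole from drifting, can both be checked mechanically. The following Python script is an added example and is not code from the PR or the zxporter project. It flattens RBAC rules into individual grants, reports write verbs granted with no `resourceNames` restriction, flags `resourceNames` paired with verbs the API server cannot name-restrict, and diffs two copies of a role. The manifests inside are constructed stand-ins whose rule shapes follow the review summary; `manager-role` and `devzero-zxporter-manager-role` are names from the page, while `zxporter-system`, `zxporter-config` and `zxporter-config-updater` are hypothetical.

```python
"""Small RBAC grant checker (added example, not project code).

Manifests are embedded as dict literals so the script runs offline; in
practice you would yaml.safe_load the real role.yaml and Helm output.
"""
import copy

# Verbs that change cluster state. "*" implies all of them.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# Kubernetes cannot enforce resourceNames on these verbs: for create the object
# name is not known at authorization time, and deletecollection targets many.
NAME_SCOPING_INEFFECTIVE = {"create", "deletecollection"}

# Constructed stand-in for config/rbac/role.yaml after the PR. Rule shapes
# follow the review summary; verb sets are illustrative, not copied from the repo.
KUSTOMIZE_MANAGER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "manager-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"],
         "verbs": ["get", "list", "update", "watch"]},
        {"apiGroups": [""], "resources": ["serviceaccounts", "services"],
         "verbs": ["create", "get", "list", "watch"]},
        {"apiGroups": ["apiregistration.k8s.io"], "resources": ["apiservices"],
         "verbs": ["create", "get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["create", "get", "list", "watch"]},
    ],
}

# Constructed stand-in for the Helm copy, with "watch" on apiservices left out
# on purpose so the drift check has something to report.
HELM_MANAGER_ROLE = copy.deepcopy(KUSTOMIZE_MANAGER_ROLE)
HELM_MANAGER_ROLE["metadata"]["name"] = "devzero-zxporter-manager-role"
HELM_MANAGER_ROLE["rules"][2]["verbs"] = ["create", "get", "list"]

# The tightening the reviewer suggests: the ClusterRole keeps read-only access
# to configmaps, and update is granted by a namespaced Role limited to one
# named ConfigMap. Namespace and ConfigMap names are hypothetical.
TIGHT_MANAGER_ROLE = copy.deepcopy(KUSTOMIZE_MANAGER_ROLE)
TIGHT_MANAGER_ROLE["rules"][0]["verbs"] = ["get", "list", "watch"]

CONFIG_UPDATE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "zxporter-config-updater", "namespace": "zxporter-system"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"],
         "resourceNames": ["zxporter-config"], "verbs": ["get", "update", "patch"]},
    ],
}


def expand_rules(rules):
    """Flatten rule blocks into (apiGroup, resource, verb, resourceNames) tuples."""
    grants = set()
    for rule in rules:
        names = tuple(sorted(rule.get("resourceNames", [])))
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    grants.add((group, resource, verb, names))
    return grants


def unscoped_writes(role):
    """Write verbs granted with no resourceNames restriction, sorted for stable output."""
    return sorted((g, r, v) for g, r, v, names in expand_rules(role["rules"])
                  if v in WRITE_VERBS and not names)


def ineffective_name_scoping(role):
    """resourceNames paired with verbs the API server cannot name-restrict."""
    return sorted((g, r, v) for g, r, v, names in expand_rules(role["rules"])
                  if names and v in NAME_SCOPING_INEFFECTIVE)


def drift(role_a, role_b):
    """Grants present in only one of two roles, as (only_in_a, only_in_b)."""
    a, b = expand_rules(role_a["rules"]), expand_rules(role_b["rules"])
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    print("unscoped writes, kustomize manager-role:")
    for grant in unscoped_writes(KUSTOMIZE_MANAGER_ROLE):
        print("  ", grant)
    only_k, only_h = drift(KUSTOMIZE_MANAGER_ROLE, HELM_MANAGER_ROLE)
    print("only in kustomize:", only_k)
    print("only in helm:", only_h)
    print("unscoped writes, tightened ClusterRole:", unscoped_writes(TIGHT_MANAGER_ROLE))
    print("unscoped writes, namespaced Role:", unscoped_writes(CONFIG_UPDATE_ROLE))
```

The remaining `create` grants still show up as unscoped writes on the tightened role; that is intended, since they are the bootstrap rights the review describes and `resourceNames` could not constrain `create` anyway. The drift check is the cheap way to keep the kustomize and Helm paths from diverging: run it in CI against the rendered Helm template and fail on any non-empty difference.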

Tzvonimir merged commit b0f218c into main on Dec 1, 2025; 25 checks passed.
Tzvonimir deleted the tzvonimir/update-rbac-permissions branch on December 1, 2025 at 16:46.

Parthiba-Hazra pushed a commit that referenced this pull request on May 5, 2026:
  * Update RBAC permissions
  * Bring back arch