
Rules of ClusterRoles with AggregationRule are not included in generated bundle permissions

Open zimnx opened this issue 5 months ago • 2 comments

ClusterRoles that utilize AggregationRule are often defined without any direct rules. Instead, their permissions are aggregated from other ClusterRoles that match the specified label selector.

However, the current permission generator logic only includes rules from ClusterRoles that are explicitly bound to ServiceAccounts via ClusterRoleBinding. As a result, ClusterRoles using AggregationRule are ignored, leading to incomplete or empty permission bundles.

Impact: Deployments relying on aggregated ClusterRoles may not receive the required permissions, requiring a lot of manual work to copy and paste required permissions from a number of ClusterRoles.

Expected Behavior: The generator should recognize and correctly include rules from ClusterRoles using AggregationRule, by resolving and aggregating the matching ClusterRoles.

zimnx Aug 05 '25 16:08
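As an added illustration (this is not code from the issue or from operator-sdk), the following Go program contrasts the two behaviours the report describes: collecting only the rules written directly on a ClusterRole, which yields nothing for an aggregated role, versus resolving the `aggregationRule.clusterRoleSelectors` against the other ClusterRoles and taking the union of their rules. The struct types are simplified stand-ins for the rbac.authorization.k8s.io/v1 API (only `matchLabels` is modelled, not `matchExpressions`), and the role names, labels and rules in `SampleClusterRoles` are constructed for the example.

```go
package main

import "fmt"

// Minimal stand-ins for rbac.authorization.k8s.io/v1 types (not the real
// k8s.io/api structs): just enough shape to show how aggregation resolves.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

type LabelSelector struct {
	MatchLabels map[string]string // matchExpressions deliberately omitted
}

type AggregationRule struct {
	ClusterRoleSelectors []LabelSelector
}

type ClusterRole struct {
	Name            string
	Labels          map[string]string
	Rules           []PolicyRule
	AggregationRule *AggregationRule
}

// matches reports whether every key/value of sel is present on labels.
// An empty matchLabels matches everything, as in Kubernetes.
func matches(sel LabelSelector, labels map[string]string) bool {
	for k, v := range sel.MatchLabels {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// DirectRulesOnly mirrors the behaviour the issue describes: only rules
// written on the ClusterRole itself are collected, so an aggregated role
// with no direct rules contributes nothing to the bundle.
func DirectRulesOnly(cr ClusterRole) []PolicyRule {
	return append([]PolicyRule{}, cr.Rules...)
}

// ResolveRules is the expected behaviour: direct rules plus the rules of
// every ClusterRole in all matched by any of cr's clusterRoleSelectors.
// Matched roles are resolved recursively so nested aggregation is flattened;
// the visited set guards against selector cycles and duplicate roles.
func ResolveRules(cr ClusterRole, all []ClusterRole) []PolicyRule {
	return resolve(cr, all, map[string]bool{})
}

func resolve(cr ClusterRole, all []ClusterRole, visited map[string]bool) []PolicyRule {
	if visited[cr.Name] {
		return nil
	}
	visited[cr.Name] = true
	rules := DirectRulesOnly(cr)
	if cr.AggregationRule == nil {
		return rules
	}
	for _, other := range all {
		if other.Name == cr.Name {
			continue
		}
		for _, sel := range cr.AggregationRule.ClusterRoleSelectors {
			if matches(sel, other.Labels) {
				rules = append(rules, resolve(other, all, visited)...)
				break // one matching selector is enough for this role
			}
		}
	}
	return rules
}

// SampleClusterRoles is constructed input (names and labels are made up):
// an aggregated role with no direct rules, two roles that feed it, and one
// unrelated role that must not be picked up.
func SampleClusterRoles() []ClusterRole {
	feed := map[string]string{"rbac.example.com/aggregate-to-operator": "true"}
	return []ClusterRole{
		{Name: "operator-aggregated", AggregationRule: &AggregationRule{
			ClusterRoleSelectors: []LabelSelector{{MatchLabels: feed}},
		}},
		{Name: "operator-pods", Labels: feed, Rules: []PolicyRule{
			{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch"}},
		}},
		{Name: "operator-configmaps", Labels: feed, Rules: []PolicyRule{
			{APIGroups: []string{""}, Resources: []string{"configmaps"}, Verbs: []string{"get", "list"}},
		}},
		{Name: "unrelated", Labels: map[string]string{"app": "other"}, Rules: []PolicyRule{
			{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"*"}},
		}},
	}
}

func main() {
	all := SampleClusterRoles()
	agg := all[0]
	fmt.Printf("direct rules only: %d\n", len(DirectRulesOnly(agg)))
	for _, r := range ResolveRules(agg, all) {
		fmt.Printf("resolved: %v %v %v\n", r.APIGroups, r.Resources, r.Verbs)
	}
}
```

One caveat worth keeping in mind when comparing against a live cluster: there the controller-manager's aggregation controller writes the union of matched rules back into the aggregated ClusterRole's `rules` field, so `kubectl get clusterrole <name> -o yaml` shows populated rules. A bundle generator reading manifests from disk has no controller doing that for it, which is why it must resolve the selectors itself, as `ResolveRules` does here.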

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot Nov 04 '25 01:11

/lifecycle frozen

acornett21 Nov 04 '25 13:11