feat(rbac): bundle rbac-proxy + validator-task-submitter ClusterRoles#271
Merged
bdchatham merged 1 commit intoMay 18, 2026
Merged
Conversation
These were templates in manifests/rbac/ that operators had to apply out-of-band. Bundle them in config/rbac/ so any kustomize install ships them automatically. Drop the sei- name prefix — kustomize namePrefix sei-k8s- adds it (final in-cluster names: sei-k8s-rbac-proxy, sei-k8s-validator-task-submitter). The task_submitter_role_binding.yaml roleRef tracks the renamed ClusterRole. Sample bindings in manifests/samples/ updated to reference the prefixed names operators will see in cluster.
|
You have used all Bugbot PR reviews included in your free trial for your GitHub account on this workspace. To continue using Bugbot reviews, enable Bugbot for your team in the Cursor dashboard. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two ClusterRoles that the always-on
kube-rbac-proxy(PR #267) depends on were template-only undermanifests/rbac/and never bundled — in-cluster verification showed they were missing in dev/harbor/prod, so any new pod cycle would have stalled on the proxy's first TokenReview/SAR.This PR moves them into
config/rbac/so they ship with the kustomize install:rbac-proxy—create tokenreviews + subjectaccessreviews(for kube-rbac-proxy to authenticate callers)validator-task-submitter—create + get seinodetasks(the virtual resource the proxy's SAR is keyed on)Names drop the redundant
sei-prefix; kustomizenamePrefix: sei-k8s-produces the in-cluster formssei-k8s-rbac-proxyandsei-k8s-validator-task-submitter. The existingtask_submitter_role_binding.yamlroleRef tracks the rename (the previous roleRef name was unprefixed and would not have resolved post-bundle anyway).Sample bindings in
manifests/samples/updated to reference the prefixed in-cluster names operators will actually see.Test plan
kubectl kustomize config/defaultrenders both ClusterRoles with thesei-k8s-prefixtask_submitter_role_binding.yamlroleRef is rewritten consistently inside the bundlemake testpasses (lint pre-existing failures unrelated to this YAML-only change)listverb trimmed on the K8s reviewer's least-privilege finding (controller only callscreate+get)Deployment ordering
This PR must merge before the corresponding platform-side PR that adds the
sei-k8s-rbac-proxyClusterRoleBinding. The platform overlay pullsconfig/default?ref=main, so on the next Flux sync after this merges, the ClusterRoles exist and the platform CRB's roleRef resolves. Reverse order = harmless dangling-ref warning until this lands.Existing pods predate the proxy and are unaffected by either order — only future pod cycles need the chain to be intact.
Deferred follow-ups (filed separately)
kube-rbac-proxycontainer soseid-node(shared with seictl) stops carryingtokenreviews/subjectaccessreviews🤖 Generated with Claude Code