[Improvement] Fine-grained control over RBAC object creation

[pmokeev]

The Helm chart currently provides RBAC configuration options (link):

rbac:
  enabled: false
  additionalPolicyRules: []

However, these settings are only applied to the kubeblocks-rbac-manager-role ClusterRole (link). Meanwhile, other RBAC objects like the kubeblocks-rbac-role ClusterRole are created unconditionally, regardless of the actual permissions needed.

This creates unnecessary RBAC objects that may grant excessive permissions beyond what's required for basic kubeblocks functionality (creating and managing database clusters). For example, does the kubeblocks-manager really need to operate on kind: Role objects?

I suggest: Apply the same configuration pattern (similar to the one referenced here) to all RBAC resources, allowing users to enable/disable creation of each RBAC object. When disabled, users would be responsible for creating and managing these RBAC resources outside of the chart.

[pmokeev]

Also, could you clarify why this empty ConfigMap is needed when hostNetwork is set to false?

[pmokeev]

Additionally, could you clarify where the DATA_PLANE_TOLERATIONS and DATA_PLANE_AFFINITY variables in the {{ include "kubeblocks.fullname" . }}-manager-config ConfigMap (this, I suppose) are coming from?

I couldn’t find where they are being explicitly added.

[shanshanying]

1. the RBAC configuration options you mentioned here is for the RBACs of database Clusters created by KubeBlocks
2. the host-ports configmap is for database Clusters who are running in Host Network Mode
3. DATA_PLANE_TOLERATIONS and DATA_PLANE_TOLERATIONS are not used any more since 1.0.2.

[pmokeev]

@shanshanying why does the operator need the kubeblocks-rbac-role ClusterRole with the following permissions?"

PolicyRule:
  Resources                               Non-Resource URLs  Resource Names  Verbs
  ---------                               -----------------  --------------  -----
  roles.rbac.authorization.k8s.io         []                 []              [create delete get list patch update]
  roles.rbac.authorization.k8s.io/status  []                 []              [get patch update]

[pmokeev]

I found that kind: Instance has an InstanceAssistantObjects field, which contains:

type InstanceAssistantObject struct {
	Service        *corev1.Service        `json:"service,omitempty"`
	ConfigMap      *corev1.ConfigMap      `json:"configMap,omitempty"`
	Secret         *corev1.Secret         `json:"secret,omitempty"`
	ServiceAccount *corev1.ServiceAccount `json:"serviceAccount,omitempty"`
	Role           *rbacv1.Role           `json:"role,omitempty"`
	RoleBinding    *rbacv1.RoleBinding    `json:"roleBinding,omitempty"`
}

However, it doesn't seem to be really used anywhere. Does the operator really need these permissions?

[shanshanying]

AFAIC, This kubeblocks-rbac-role is added for back-compatibility with that of KB v0.9 (those clusters upgraded from KB 0.9 to KB 1.0 may need it ) and not really used in KB 1.0 so far.