
ADR-032: Minimal RBAC with namespaced service accounts

Category: architecture
Provenance: human

Decision

The operator runs under a service account (SA) with minimal RBAC permissions. The operator chart creates the SA with a Role scoped to the operator's own namespace and a ClusterRole scoped to CRD management. Realm/Client charts create SAs with Roles for their own namespaces only. RBAC is opt-in: the operator has no access to user namespaces unless a namespace explicitly grants it.

Rationale

Least-privilege security model. The operator cannot access user namespaces by default, which prevents accidental or malicious access to unrelated resources. Users explicitly grant access by deploying realm/client charts with RBAC in their namespace. This allows multi-tenant clusters where teams do not trust each other. The ClusterRole is limited to CRD management (non-sensitive). Namespace-specific Roles prevent privilege escalation. The audit trail shows exactly which namespaces granted the operator access. Security teams can verify that the operator cannot access their namespace without their consent.

Agent Instructions

When designing operator permissions, follow least privilege. Operator manages its own namespace (deployment, config) via Role. Operator manages CRDs cluster-wide via ClusterRole. Operator does NOT get blanket access to all namespaces. Realm and Client charts deployed in user namespaces create SAs that grant operator access to manage resources in those specific namespaces only. Users opt in to operator access by deploying realm/client charts in their namespace.
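The manifests below are an added illustration of this layout, not the project's own chart output: a ClusterRole confined to CRD definitions, and the opt-in Role plus RoleBinding that a realm/client chart would render into a user namespace. The operator SA name "the-operator", the namespaces "operator-system" and "team-a", and the CRD API group "example.com" with resources "realms" and "clients" are placeholders; the operator's own-namespace Role is omitted.

```yaml
# Added example, not the project's chart output. Placeholders: operator SA
# "the-operator" in "operator-system", user namespace "team-a", CRD group "example.com".
---
# Cluster-wide: only the CRD definitions, never the custom resources themselves.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: the-operator-crds
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: the-operator-crds
subjects:
  - {kind: ServiceAccount, name: the-operator, namespace: operator-system}
roleRef: {kind: ClusterRole, name: the-operator-crds, apiGroup: rbac.authorization.k8s.io}
---
# Opt-in grant rendered by the realm/client chart into the user's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: the-operator-access
  namespace: team-a
rules:
  - apiGroups: ["example.com"]
    resources: ["realms", "clients"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: the-operator-access
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: the-operator
    namespace: operator-system  # cross-namespace subject; the grant applies in team-a only
roleRef:
  kind: Role
  name: the-operator-access
  apiGroup: rbac.authorization.k8s.io
```

A team can confirm the boundary from their side with impersonation, e.g. `kubectl auth can-i get secrets -n team-b --as=system:serviceaccount:operator-system:the-operator`, which should answer "no" for any namespace that has not deployed the chart.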

Rejected Alternatives

Cluster-admin permissions for operator

Massive security risk. Operator could access any resource in cluster. Violates least privilege.

Single ClusterRole for all operations

Still too broad. Can't distinguish between operator's own namespace and user namespaces.

Opt-out model where operator has access by default

Security-by-default is better than security-by-opt-out. Users should explicitly grant access.