number: 32
title: Minimal RBAC with namespaced service accounts
category: architecture
decision: Operator uses minimal RBAC permissions via service account. Operator chart
  creates SA with Role for its own namespace and ClusterRole for CRDs. Realm/Client
  charts create SAs with Roles for their namespaces only. RBAC is opt-in - operator
  has no access to user namespaces unless explicitly granted.
agent_instructions: When designing operator permissions, follow least privilege. Operator
  manages its own namespace (deployment, config) via Role. Operator manages CRDs cluster-wide
  via ClusterRole. Operator does NOT get blanket access to all namespaces. Realm and
  Client charts deployed in user namespaces create SAs that grant operator access
  to manage resources in those specific namespaces only. Users opt in to operator
  access by deploying realm/client charts in their namespace.
rationale: Least privilege security model. Operator can't access user namespaces by
  default - prevents accidental or malicious access to unrelated resources. Users
  explicitly grant access by deploying realm/client charts with RBAC in their namespace.
  This allows multi-tenant clusters where teams don't trust each other. ClusterRole
  limited to CRD management (non-sensitive). Namespace-specific Roles prevent privilege
  escalation. Audit trail shows exactly which namespaces granted operator access.
  Security teams can verify operator can't access their namespace without their consent.
provenance: human
rejected_alternatives:
- alternative: Cluster-admin permissions for operator
  reason: Massive security risk. Operator could access any resource in cluster. Violates
    least privilege.
- alternative: Single ClusterRole for all operations
  reason: Still too broad. Can't distinguish between operator's own namespace and
    user namespaces.
- alternative: Opt-out model where operator has access by default
  reason: Secure by default (opt-in) is better than opt-out. Users should explicitly
    grant access, and an unbound operator should be unable to reach their namespace.
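The three grants this record describes, written out as Kubernetes RBAC manifests. This is an added illustration, not the operator's or the charts' actual templates; the operator name, namespaces (`example-operator-system`, `team-a`) and the CRD API group `example.io` with its `realms`/`clients` resources are assumptions. The opt-in grant in part 3 is a namespaced Role bound to the operator's service account, so it cannot reach anything outside the namespace the realm/client chart was deployed into.

```yaml
# Added example (assumed names), not the project's own chart templates.
# 1. Operator's own namespace: Role for deployment/config, bound to its SA.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-operator                 # assumed
  namespace: example-operator-system     # assumed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-operator
  namespace: example-operator-system
rules:
- apiGroups: ["", "apps"]
  resources: ["configmaps", "secrets", "deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-operator
  namespace: example-operator-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: example-operator
subjects:
- kind: ServiceAccount
  name: example-operator
  namespace: example-operator-system
---
# 2. Cluster-wide: CRD registration only. No rule here touches any
#    namespaced object, so this binding grants nothing inside user namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-operator-crds
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-operator-crds
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-operator-crds
subjects:
- kind: ServiceAccount
  name: example-operator
  namespace: example-operator-system
---
# 3. Shipped by the realm/client chart into a user namespace: the opt-in grant.
#    A Role is namespace-scoped, so this reaches only "team-a".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-operator-access
  namespace: team-a                      # assumed user namespace
rules:
- apiGroups: ["example.io"]              # assumed CRD group
  resources: ["realms", "clients"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["example.io"]
  resources: ["realms/status", "clients/status"]
  verbs: ["update", "patch"]
- apiGroups: [""]
  resources: ["secrets"]                 # e.g. generated client credentials
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# The binding's subject is the operator SA in its own namespace; a RoleBinding
# may reference a ServiceAccount from another namespace, which is what makes
# the grant cross-namespace while the Role itself stays local to "team-a".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-operator-access
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: example-operator-access
subjects:
- kind: ServiceAccount
  name: example-operator
  namespace: example-operator-system
```

Two practical consequences follow from this layout. First, a team can confirm the consent property the rationale promises from their own namespace: `kubectl auth can-i list secrets -n team-b --as system:serviceaccount:example-operator-system:example-operator` must answer `no` wherever no realm/client chart has been installed, and `kubectl get rolebindings -A -o wide` lists exactly the namespaces that opted in. Second, the operator cannot run a cluster-wide list/watch of its custom resources, because that request is denied outside the granted namespaces; its informers have to be scoped to the namespaces that hold a RoleBinding for it.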
