
ADR-003: Least privilege everywhere

Category: architecture
Provenance: guided-ai

Decision

Implement strict least privilege: no admin UI access, no credentials stored in the operator, and only K8s RBAC-controlled CRD access to specific Keycloak resources.

Rationale

- Security: Reduces attack surface by eliminating credential storage and admin access.
- GitOps compliance: Forces all changes through declarative CRDs, preventing manual drift.
- Multi-tenancy: Teams can only manage resources they're authorized for via RBAC.
- Audit trail: All changes tracked through Git and Kubernetes audit logs.
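The RBAC shape this decision implies, as an added example that is not part of the ADR or the operator's own manifests: a namespaced Role over one CRD type with explicit verbs, bound to one team, with the wildcard anti-pattern shown for contrast. The API group `keycloak.example.org`, the resource `keycloakclients` and the group `team-a` are placeholders, not the operator's real names.

```yaml
# Added example, not from the ADR or the operator's manifests.
# Assumptions: the operator's CRDs live in API group "keycloak.example.org"
# (placeholder) with a namespaced resource "keycloakclients"; the team maps
# to the Kubernetes group "team-a" (constructed name).
#
# Least-privilege shape: namespaced Role, one resource type, explicit verbs,
# no wildcards, no ClusterRole, no access to secrets or other CRDs. Every
# change the team makes is a CRD write that lands in the API server audit log.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keycloakclient-editor
  namespace: team-a
rules:
  - apiGroups: ["keycloak.example.org"]   # placeholder group
    resources: ["keycloakclients"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["keycloak.example.org"]
    resources: ["keycloakclients/status"]
    verbs: ["get"]                          # status is written only by the operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-keycloakclient-editors
  namespace: team-a
subjects:
  - kind: Group
    name: team-a                            # constructed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: keycloakclient-editor
  apiGroup: rbac.authorization.k8s.io
# Anti-pattern this ADR forbids (for contrast only, do not apply):
#   rules:
#     - apiGroups: ["*"]
#       resources: ["*"]
#       verbs: ["*"]
```

To confirm the binding grants exactly what is intended, impersonate the group: `kubectl auth can-i create keycloakclients.keycloak.example.org -n team-a --as=anyuser --as-group=team-a` should answer `yes`, while the same check against another namespace or against `secrets` should answer `no`.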

Agent Instructions

Never implement features requiring Keycloak admin credentials in the operator. All access must be through CRDs with K8s RBAC authorization checks. Refuse requests to add admin UI functionality or credential storage.