OCPCLOUD-1645: Scope capi-controllers RBAC to least-privilege

[stefanonardo]

Summary

• Replace wildcard RBAC rules (apiGroups: ['*'], resources: ['*'], verbs: ['*']) in the openshift-capi-controllers ClusterRole and capi-controllers Role with enumerated, auditable permissions
• Split namespaced resources out of the ClusterRole into namespace-scoped Roles in openshift-cluster-api, openshift-machine-api, and kube-system — secrets access is no longer cluster-wide
• Derived from code analysis of all controllers (capi-controllers + machine-api-migration) and cross-validated with audit2rbac on a live cluster

Permission justification

Each rule was derived from code analysis and validated against audit2rbac output from an AWS cluster with MachineAPIMigration enabled.

Confirmed by audit2rbac

Scope	API Group	Resource	Verbs	Code evidence
ClusterRole	config.openshift.io	infrastructures	get, list, watch	corecluster_controller.go:122, infracluster_controller.go:278, kubeconfig.go:85
ClusterRole	config.openshift.io	clusteroperators	get, list, watch, patch	operator_status.go:115,186, controller_status.go:295
ClusterRole	config.openshift.io	clusteroperators/status	update, patch	operator_status.go:186, controller_status.go:295
ClusterRole	config.openshift.io	featuregates, clusterversions	get, list, watch	featuregates.go:50-53
ClusterRole	apiextensions.k8s.io	customresourcedefinitions	get, list, watch	audit2rbac confirmed (userAgent: machine-api-migration)
ClusterRole	""	nodes	get, list, watch, patch, update	audit2rbac confirmed (userAgent: cluster-api-controller-manager)
Role: openshift-cluster-api	cluster.x-k8s.io	clusters	get, list, watch, create, patch	corecluster_controller.go:122,152, machine_sync_controller.go:857
Role: openshift-cluster-api	cluster.x-k8s.io	clusters/status	update, patch	corecluster_controller.go:216
Role: openshift-cluster-api	cluster.x-k8s.io	machines	get, list, watch, create, update, patch, delete	machine_sync_controller.go:220,656,686,1060
Role: openshift-cluster-api	cluster.x-k8s.io	machines/status	update, patch	machine_sync_controller.go:1365
Role: openshift-cluster-api	cluster.x-k8s.io	machinesets	get, list, watch, create, update, patch, delete	machineset_sync_controller.go:200,838,866,1191
Role: openshift-cluster-api	cluster.x-k8s.io	machinesets/status	update, patch	machineset_sync_controller.go:917
Role: openshift-cluster-api	infrastructure.cluster.x-k8s.io	awsclusters	get, list, watch, create, patch	aws.go:57,90
Role: openshift-cluster-api	infrastructure.cluster.x-k8s.io	awsclusters/status	update, patch	infracluster_controller.go:162
Role: openshift-cluster-api	infrastructure.cluster.x-k8s.io	awsmachines	get, list, watch, create, update, patch, delete	machine_sync_mapi2capi_infrastructure.go:108,136,213
Role: openshift-cluster-api	infrastructure.cluster.x-k8s.io	awsmachines/status	update, patch	machine_sync_mapi2capi_infrastructure.go:194
Role: openshift-cluster-api	infrastructure.cluster.x-k8s.io	awsmachinetemplates	get, list, watch, patch, deletecollection	machineset_sync_controller.go:251,453,763,492
Role: openshift-cluster-api	""	secrets	get, list, watch, update, patch	secret_sync_controller.go:73,90,161, kubeconfig.go:138,171,209
Role: openshift-cluster-api	""	events	create	machine_sync_controller.go:180, machineset_sync_controller.go:151
Role: openshift-cluster-api	coordination.k8s.io	leases	get, update	Standard controller-runtime leader election
Role: openshift-machine-api	machine.openshift.io	machines	get, list, watch, create, update, patch, delete	machine_sync_controller.go:203,1391,1467,1039
Role: openshift-machine-api	machine.openshift.io	machines/status	update, patch	machine_sync_controller.go:1441, migratestatus.go:105
Role: openshift-machine-api	machine.openshift.io	machinesets	get, list, watch, update, patch, delete	machineset_sync_controller.go:190,943,1149
Role: openshift-machine-api	machine.openshift.io	machinesets/status	update, patch	machineset_sync_controller.go:996, migratestatus.go:105
Role: openshift-machine-api	machine.openshift.io	controlplanemachinesets	get, list, watch	infracluster_controller.go:285-288,412
Role: openshift-machine-api	""	secrets	get	secret_sync_controller.go:73 (worker-user-data source)
Role: openshift-machine-api	""	events	create, patch	machine_sync_controller.go:180

Not observed by audit2rbac — justified by code evidence

Scope	API Group	Resource	Verbs not observed	Justification
ClusterRole	config.openshift.io	clusteroperators	create, update	operator_status.go:119 — GetOrCreateClusterOperator creates CO if missing (first install).
Role: openshift-cluster-api	cluster.x-k8s.io	clusters/finalizers, machines/finalizers, machinesets/finalizers	update	Sync controllers set blockOwnerDeletion: true on ownerReferences (machine_sync_controller.go:577,867, machineset_sync_controller.go:635). Kubernetes requires update on the owner's finalizers subresource. Not captured by audit2rbac (validated by GC admission plugin, not a separate API call).
Role: openshift-cluster-api	cluster.x-k8s.io	clusters	update	Update path exists but only patch was triggered.
Role: openshift-cluster-api	""	secrets	create	secret_sync_controller.go:152, azure.go:131 — creates secrets if not found.
Role: openshift-cluster-api	""	events	patch	Event recorder can patch existing events. Only create was observed.
Role: openshift-cluster-api	coordination.k8s.io	leases	create, list, watch, patch, delete	create only on first leader election. list/watch/delete are standard controller-runtime patterns.
Role: openshift-cluster-api	infrastructure.cluster.x-k8s.io	non-AWS resources	all	Platform-specific — identical code patterns to AWS. Can only be verified on respective platforms.
Role: openshift-cluster-api	infrastructure.cluster.x-k8s.io	azureclusteridentities	get, create	Azure-only. azure.go:142 Get, :188 Create.
Role: openshift-cluster-api	infrastructure.cluster.x-k8s.io	awsmachinetemplates	create, update, delete	SSA patch and DeleteAllOf were used instead.
Role: openshift-machine-api	machine.openshift.io	machinesets	create	machineset_sync_controller.go — creates MAPI MachineSets during CAPI→MAPI sync. Only MAPI→CAPI direction was tested.
Role: kube-system	""	secrets	get	vSphere credentials. vsphere.go:157 — only exercised on vSphere clusters.

Test plan

• make lint passes
• Phase 1: Deployed with wildcard RBAC on AWS cluster, ran e2e (40/40 passed), collected audit logs, ran audit2rbac to establish baseline
• Phase 1: Produced gap report — all gaps justified by code evidence
• Phase 2: Applied enumerated RBAC — 0 forbidden errors, ClusterOperator healthy, e2e 40/40 passed
• Phase 3: Split namespaced resources into namespace-scoped Roles — 0 forbidden errors, e2e 40/40 passed

🤖 Generated with Claude Code

Summary by CodeRabbit

• Security
  • Replaced broad wildcard RBAC with explicit, fine-grained permissions for cluster API controllers, narrowing access to specific API groups and resources.
  • Added scoped role bindings across namespaces so controllers receive only the minimum permissions required for their operations.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@stefanonardo: This pull request references OCPCLOUD-1645 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Replace wildcard RBAC rules (apiGroups: ['*'], resources: ['*'], verbs: ['*']) in the openshift-capi-controllers ClusterRole and capi-controllers Role with enumerated, auditable permissions
• Derived from code analysis of all controllers (capi-controllers + machine-api-migration) and cross-validated with audit2rbac on a live cluster
• The cluster-capi-operator-pull-secret Role in openshift-config was already scoped and is unchanged

Test plan

• make lint passes
• Phase 1: Deployed with wildcard RBAC on AWS cluster, ran e2e (40/40 passed), collected audit logs, ran audit2rbac to establish baseline
• Phase 1: Produced gap report comparing audit2rbac output against planned rules — all gaps justified by code evidence (non-AWS platform paths, untriggered edge cases)
• Phase 2: Applied new RBAC to cluster, restarted controllers — 0 forbidden errors, ClusterOperator healthy
• Phase 2: Re-ran e2e tests with new RBAC — 40/40 passed

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 84f753a7-c461-4cef-a0bc-5e36739ee774

📥 Commits

Reviewing files that changed from the base of the PR and between 947e14a and 39788fd.

📒 Files selected for processing (2)

• manifests/0000_30_cluster-api_03_rbac_roles.yaml
• manifests/0000_30_cluster-api_04_rbac_bindings.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• manifests/0000_30_cluster-api_04_rbac_bindings.yaml
• manifests/0000_30_cluster-api_03_rbac_roles.yaml

---

Walkthrough

Wildcard RBAC rules were removed and replaced with explicit ClusterRole and Role rules; RoleBindings were added to bind those Roles to the capi-controllers ServiceAccount in the target namespaces.

Changes

RBAC Permissions Hardening

Layer / File(s)	Summary
ClusterRole explicit permissions manifests/0000_30_cluster-api_03_rbac_roles.yaml	openshift-capi-controllers ClusterRole replaces a wildcard rule with explicit rules for OpenShift config resources (infrastructures, clusteroperators including status patch/update), apiextensions.k8s.io CRDs (customresourcedefinitions get/list/watch), and core cluster-scoped nodes (get/list/watch, patch/update).
Role: openshift-cluster-api explicit permissions manifests/0000_30_cluster-api_03_rbac_roles.yaml	capi-controllers Role in openshift-cluster-api now specifies leader-election leases, Cluster API cluster/machine/machineset resources (including status update/patch and finalizers), infrastructure.cluster.x-k8s.io provider cluster/machine/template resources (including status and deleteCollection where applicable), and core secrets/events verbs.
Role: openshift-machine-api explicit permissions manifests/0000_30_cluster-api_03_rbac_roles.yaml	capi-controllers Role in openshift-machine-api grants explicit machine.openshift.io permissions for machines, machinesets, controlplanemachinesets (including status), plus secrets get and events create/patch.
Role: kube-system narrowed secrets manifests/0000_30_cluster-api_03_rbac_roles.yaml	capi-controllers-kube-system Role in kube-system restricts permissions to core secrets get only, removing a prior wildcard rule.
RoleBindings for capi-controllers ServiceAccount manifests/0000_30_cluster-api_04_rbac_bindings.yaml	Add RoleBinding capi-controllers in openshift-machine-api and RoleBinding capi-controllers-kube-system in kube-system, both binding the respective Roles to the capi-controllers ServiceAccount in openshift-cluster-api.

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	Tests scale MachineSets to 2-3 replicas without SNO skip markers. Tests in machineset_migration_*_test.go will fail on Single Node OpenShift.	Add [Skipped:SingleReplicaTopology] label to scaling tests or guard them with exutil.IsSingleNode() runtime check and g.Skip() for SNO compatibility.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'OCPCLOUD-1645: Scope capi-controllers RBAC to least-privilege' directly and clearly summarizes the main change: converting wildcard RBAC permissions to explicitly scoped least-privilege rules.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in PR test files are static and deterministic, using descriptive titles without dynamic content like pod names, timestamps, UUIDs, or generated identifiers.
Test Structure And Quality	✅ Passed	PR #585 modifies only YAML Kubernetes manifests (RBAC rules/bindings), not Ginkgo test code. Custom check for test quality is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	PR only modifies YAML RBAC manifests; no Ginkgo e2e tests are added, so MicroShift compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes are RBAC-only (Roles and RoleBindings); no deployment manifests, operator code, or controller definitions were modified, so topology-aware scheduling constraints are not applicable.
Ote Binary Stdout Contract	✅ Passed	OTE test files (e2e/e2e_test.go) only use fmt.Fprintf(os.Stderr) for process-level error output, which is allowed. No stdout contract violations in Ginkgo test setup code found.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only Kubernetes RBAC manifest files (YAML), not Ginkgo e2e tests. The custom check applies only to new Ginkgo tests, which this PR does not add.
No-Weak-Crypto	✅ Passed	PR modifies only Kubernetes RBAC configuration files containing no cryptographic code, weak crypto algorithms, or token/secret comparisons.
Container-Privileges	✅ Passed	Modified files contain only RBAC Role/ClusterRole/RoleBinding definitions with no container specs, securityContext, or privilege escalation configurations to flag.
No-Sensitive-Data-In-Logs	✅ Passed	PR modifies only YAML manifest files (RBAC roles/bindings), which contain no logging statements or code that could expose sensitive data through logs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[stefanonardo]

/jira refresh

[openshift-ci-robot]

@stefanonardo: This pull request references OCPCLOUD-1645 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

manifests/0000_30_cluster-api_03_rbac_roles.yaml (1)

246-256: 💤 Low value

Cluster-wide secrets access is intentional but worth documenting.

Trivy flags this rule because cluster-wide secrets management is a sensitive permission. However, this appears justified given:

• Secret Sync Controller needs cross-namespace access (MAPI ↔ CAPI namespaces)
• Kubeconfig Controller manages kubeconfig secrets
• The delete verb is intentionally omitted, demonstrating least-privilege
• This is a significant improvement over the previous wildcards

Consider adding a comment in the manifest documenting why cluster-wide scope is required, which helps future audits.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/0000_30_cluster-api_03_rbac_roles.yaml` around lines 246 - 256, Add
an inline comment above the ClusterRole rule that grants resources: ["secrets"]
under apiGroups: [""] explaining why cluster-wide secrets access is required
(e.g., Secret Sync Controller must sync secrets between MAPI and CAPI namespaces
and the Kubeconfig Controller manages kubeconfig secrets), note that delete is
intentionally omitted to preserve least-privilege, and reference the controllers
(Secret Sync Controller, Kubeconfig Controller) so auditors can understand the
justification during reviews.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@manifests/0000_30_cluster-api_03_rbac_roles.yaml`:
- Around line 246-256: Add an inline comment above the ClusterRole rule that
grants resources: ["secrets"] under apiGroups: [""] explaining why cluster-wide
secrets access is required (e.g., Secret Sync Controller must sync secrets
between MAPI and CAPI namespaces and the Kubeconfig Controller manages
kubeconfig secrets), note that delete is intentionally omitted to preserve
least-privilege, and reference the controllers (Secret Sync Controller,
Kubeconfig Controller) so auditors can understand the justification during
reviews.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 76c3409f-8bf9-49a3-a6ff-eeb8fc36df3c

📥 Commits

Reviewing files that changed from the base of the PR and between 8ea8125 and cfd7831.

📒 Files selected for processing (1)

• manifests/0000_30_cluster-api_03_rbac_roles.yaml

[damdo]

/test ?

[stefanonardo]

/test required

[mdbooth]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-disconnected-techpreview
/test e2e-aws-capi-techpreview
/test e2e-aws-capi-techpreview-post-install
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[mdbooth]

/lgtm cancel

Haven't actually looked at this, yet. Was just checking if it was waiting on the pipeline controller. Wasn't sure it was, as normally you see the pipeline jobs listed but 'Waiting', but they were not present at all.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from mdbooth. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@manifests/0000_30_cluster-api_03_rbac_roles.yaml`:
- Around line 254-264: The ClusterRole currently grants cluster-wide read/write
on Secrets (apiGroups: "", resources: secrets, verbs:
get/list/watch/create/update/patch) which is too permissive; remove secret
permissions from the ClusterRole and instead create namespace-scoped Role +
RoleBinding pairs that grant only the needed secret verbs in the exact
namespaces touched by the secret-sync/kubeconfig flows, bind those Roles to the
capi-controllers ServiceAccount used by openshift-capi-controllers, and where
the set of secrets is fixed use resourceNames to restrict to specific Secret
objects; update any references to the removed ClusterRole permissions
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 954effa5-a923-4230-8052-f53063758493

📥 Commits

Reviewing files that changed from the base of the PR and between cfd7831 and 44913ce.

📒 Files selected for processing (1)

• manifests/0000_30_cluster-api_03_rbac_roles.yaml

[openshift-ci]

@stefanonardo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-ovn-techpreview	cfd7831	link	false	/test e2e-azure-ovn-techpreview
ci/prow/regression-clusterinfra-aws-ipi-techpreview-capi	cfd7831	link	false	/test regression-clusterinfra-aws-ipi-techpreview-capi
ci/prow/e2e-aws-capi-disconnected-techpreview	cfd7831	link	false	/test e2e-aws-capi-disconnected-techpreview
ci/prow/e2e-aws-capi-techpreview	cfd7831	link	true	/test e2e-aws-capi-techpreview
ci/prow/e2e-azure-capi-techpreview	cfd7831	link	true	/test e2e-azure-capi-techpreview
ci/prow/e2e-aws-capi-techpreview-post-install	cfd7831	link	true	/test e2e-aws-capi-techpreview-post-install
ci/prow/e2e-vsphere-capi-techpreview	cfd7831	link	true	/test e2e-vsphere-capi-techpreview
ci/prow/e2e-metal3-capi-techpreview	cfd7831	link	false	/test e2e-metal3-capi-techpreview
ci/prow/e2e-aws-ovn	cfd7831	link	true	/test e2e-aws-ovn
ci/prow/e2e-openstack-capi-techpreview	cfd7831	link	true	/test e2e-openstack-capi-techpreview
ci/prow/e2e-gcp-capi-techpreview	cfd7831	link	true	/test e2e-gcp-capi-techpreview
ci/prow/e2e-openstack-ovn-techpreview	cfd7831	link	false	/test e2e-openstack-ovn-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.