MLE-30476/BUGFix-manager-rbac#172
Merged
Pull request overview
This pull request updates the Helm chart RBAC for the MarkLogic Operator to support additional operator behaviors (emitting Kubernetes Events and reading StorageClasses), including namespace-scoped mode where StorageClasses require cluster-scoped RBAC.
Changes:
- Added RBAC permissions for creating/patching/updating `events` in both core (`""`) and `events.k8s.io` API groups.
- Added RBAC permissions to read `storageclasses`, including introducing a namespace-mode `ClusterRole`/`ClusterRoleBinding` for StorageClass reads.
- Updated the `helmify` post-processing script to generate the corresponding RBAC blocks.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| hack/helmify-post-process.sh | Updates the generated manager-rbac.yaml template content to include Events/PVC/StorageClass-related RBAC. |
| charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml | Extends chart RBAC to allow emitting Events and reading StorageClasses; adds namespace-mode StorageClass reader ClusterRole/Binding. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
vitalykorolev approved these changes Jun 18, 2026
This pull request updates the RBAC (Role-Based Access Control) configuration for the MarkLogic Operator to ensure correct permissions for managing Kubernetes events, persistent volume claims (PVCs), and storage classes. The changes add necessary permissions for the operator to emit events, manage PVCs (including their status), and, importantly, introduce a dedicated ClusterRole and ClusterRoleBinding for reading storage classes, which is required for PVC resizing operations in namespace mode.
RBAC enhancements for operator functionality:
Event and PVC permissions:
- "") and `events.k8s.io` API groups, ensuring it can emit Kubernetes events as needed. [1] [2] [3] [4]
- `persistentvolumeclaims` and to get `persistentvolumeclaims/status`, supporting advanced PVC management. [1] [2]
StorageClass access for PVC resizing:
- `ClusterRole` and `ClusterRoleBinding` (`marklogic-operator-storageclass-reader`) to allow the operator to get, list, and watch `storageclasses`, which is necessary for reading `allowVolumeExpansion` and performing PVC resize operations. This addresses the limitation that storage classes are cluster-scoped and cannot be managed by a namespaced Role. [1] [2] [3]
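A least-privilege check for the cluster-scoped grant described above, added here as an illustration and not taken from the PR or the chart: it reports anything a ClusterRole grants beyond get, list and watch on `storageclasses`. The sample JSON objects, the allow-list and the function name `excess_grants` are constructed for this example; `storage.k8s.io` is the API group StorageClass belongs to.

```python
import json

# Verbs a StorageClass reader needs, per the PR description: get, list, watch.
ALLOWED = {("storage.k8s.io", "storageclasses"): {"get", "list", "watch"}}

# Constructed samples in the shape of `kubectl get clusterrole <name> -o json`.
# The rule contents are assumed from the description, not copied from the chart.
EXPECTED_ROLE = json.loads("""
{"kind": "ClusterRole",
 "metadata": {"name": "marklogic-operator-storageclass-reader"},
 "rules": [{"apiGroups": ["storage.k8s.io"],
            "resources": ["storageclasses"],
            "verbs": ["get", "list", "watch"]}]}
""")
WIDENED_ROLE = json.loads("""
{"kind": "ClusterRole",
 "metadata": {"name": "marklogic-operator-storageclass-reader"},
 "rules": [{"apiGroups": ["storage.k8s.io"],
            "resources": ["storageclasses", "csidrivers"],
            "verbs": ["get", "list", "watch", "delete"]}]}
""")


def excess_grants(role, allowed=ALLOWED):
    """Return sorted (apiGroup, resource, verb) grants not covered by `allowed`.

    Wildcards ("*") never match an allow-list entry, so they are always reported.
    """
    findings = set()
    for rule in role.get("rules") or []:
        # Rules on nonResourceURLs carry no resources; report each verb on them.
        for url in rule.get("nonResourceURLs", []):
            findings.update(("", url, verb) for verb in rule.get("verbs", []))
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                permitted = allowed.get((group, resource), set())
                for verb in rule.get("verbs", []):
                    if verb not in permitted:
                        findings.add((group, resource, verb))
    return sorted(findings)


if __name__ == "__main__":
    for label, role in (("expected", EXPECTED_ROLE), ("widened", WIDENED_ROLE)):
        print(label, excess_grants(role))
```

Run against the rendered chart output in CI, an empty result means the namespace-mode ClusterRole stays a read-only StorageClass grant.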