Skip to content

chore: Remove unused RBAC permission for product role#774

Merged
NickLarsenNZ merged 2 commits intomainfrom
chore/rbac-review2
Apr 10, 2026
Merged

chore: Remove unused RBAC permission for product role#774
NickLarsenNZ merged 2 commits intomainfrom
chore/rbac-review2

Conversation

@NickLarsenNZ
Copy link
Copy Markdown
Member

@NickLarsenNZ NickLarsenNZ commented Apr 10, 2026

Part of stackabletech/issues#798

Follow up of https://github.com/stackabletech/airflow-operator/pull/767/changes#r3014650545

Details

The events rule in the product ClusterRole (lines 31-38) looks safe to remove. Here's why:

  1. Airflow does not publish Kubernetes events. No Airflow component (scheduler, webserver, worker, etc.) calls create_namespaced_event or uses EventsV1Api to create Event objects.
  2. Airflow only reads events, optionally. The KubernetesPodOperator can read events for failed pods via CoreV1Api.list_namespaced_event (core "" API group, not events.k8s.io), and even that is off by default in the official Airflow Helm chart.
  3. The comment is inaccurate. "Airflow components publish Kubernetes events" - they don't. The operator publishes events (that's correctly handled in clusterrole-operator.yaml), but the workload pods don't.
  4. The official Airflow Helm chart only grants get/list on core API events, and makes even that optional (rbac.events = false by default).

@NickLarsenNZ NickLarsenNZ self-assigned this Apr 10, 2026
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 10, 2026
@NickLarsenNZ NickLarsenNZ mentioned this pull request Apr 10, 2026
Open
17 tasks
razvan
razvan reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@razvan razvan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe also update the pr list in the changelog ?

@NickLarsenNZ
Copy link
Copy Markdown
Member Author

NickLarsenNZ commented Apr 10, 2026

maybe also update the pr list in the changelog ?

Oops, yeah I had that sitting here locally.

@NickLarsenNZ NickLarsenNZ requested a review from razvan April 10, 2026 12:13
@NickLarsenNZ NickLarsenNZ enabled auto-merge April 10, 2026 12:13
razvan
razvan approved these changes Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@razvan razvan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice

@NickLarsenNZ NickLarsenNZ added this pull request to the merge queue Apr 10, 2026
Merged via the queue into main with commit e21c547 Apr 10, 2026
12 checks passed
@NickLarsenNZ NickLarsenNZ deleted the chore/rbac-review2 branch April 10, 2026 12:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@razvan razvan razvan approved these changes

Assignees

@NickLarsenNZ NickLarsenNZ

Labels

None yet

Projects

Stackable Engineering
Status: Development: Waiting for Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NickLarsenNZ @razvan