higress-group · lexburner · Apr 23, 2026 · Apr 23, 2026
diff --git a/helm/core/templates/clusterrole.yaml b/helm/core/templates/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.gateway.rbac.enabled }}
+{{- if and .Values.gateway.rbac.enabled .Values.gateway.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

diff --git a/helm/core/templates/controller-clusterrole.yaml b/helm/core/templates/controller-clusterrole.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.controller.rbac.create }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -144,7 +145,4 @@ rules:
   - apiGroups: [""]
     verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
     resources: [ "serviceaccounts"]
-  # istio leader election need
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["get", "update", "patch", "create"]
+{{- end }}
diff --git a/helm/core/templates/controller-clusterrolebinding.yaml b/helm/core/templates/controller-clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.controller.rbac.create }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -13,3 +14,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "controller.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/core/values.yaml b/helm/core/values.yaml
@@ -454,6 +454,9 @@ gateway:
     # -- If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
     # when using http://gateway-api.org/.
     enabled: true
+    # -- If enabled, ClusterRole and ClusterRoleBinding will be created for the gateway.
+    # Set to false when cluster-level RBAC is pre-provisioned by a cluster admin.
+    create: true
 
   serviceAccount:
     # -- If set, a service account will be created. Otherwise, the default is used
@@ -588,6 +591,7 @@ controller:
   imagePullSecrets: []
 
   rbac:
+    # -- If enabled, ClusterRole and ClusterRoleBinding will be created for the controller. Set to false when cluster-level RBAC is pre-provisioned by a cluster admin.
     create: true
 
   serviceAccount:

diff --git a/helm/higress/README.md b/helm/higress/README.md
@@ -71,7 +71,7 @@ The command removes all the Kubernetes components associated with the chart and
 | controller.probe.initialDelaySeconds | int | `1` |  |
 | controller.probe.periodSeconds | int | `3` |  |
 | controller.probe.timeoutSeconds | int | `5` |  |
-| controller.rbac.create | bool | `true` |  |
+| controller.rbac.create | bool | `true` | If enabled, ClusterRole and ClusterRoleBinding will be created for the controller. Set to false when cluster-level RBAC is pre-provisioned by a cluster admin. |
 | controller.replicas | int | `1` | Number of Higress Controller pods |
 | controller.resources.limits.cpu | string | `"1000m"` |  |
 | controller.resources.limits.memory | string | `"2048Mi"` |  |
@@ -121,6 +121,7 @@ The command removes all the Kubernetes components associated with the chart and
 | gateway.podAnnotations."prometheus.io/scrape" | string | `"true"` |  |
 | gateway.podAnnotations."sidecar.istio.io/inject" | string | `"false"` |  |
 | gateway.podLabels | object | `{}` | Labels to apply to the pod |
+| gateway.rbac.create | bool | `true` | If enabled, ClusterRole and ClusterRoleBinding will be created for the gateway. Set to false when cluster-level RBAC is pre-provisioned by a cluster admin. |
 | gateway.rbac.enabled | bool | `true` | If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed when using http://gateway-api.org/. |
 | gateway.readinessFailureThreshold | int | `30` | The number of successive failed probes before indicating readiness failure. |
 | gateway.readinessInitialDelaySeconds | int | `1` | The initial delay for readiness probes in seconds. |

diff --git a/helm/higress/README.zh.md b/helm/higress/README.zh.md
@@ -70,7 +70,7 @@ helm delete higress -n higress-system
 | controller.probe.initialDelaySeconds | int | `1` | 初始延迟秒数 |
 | controller.probe.periodSeconds | int | `3` | 健康检查间隔秒数 |
 | controller.probe.timeoutSeconds | int | `5` | 超时秒数 |
-| controller.rbac.create | bool | `true` | 是否创建 RBAC 相关资源 |
+| controller.rbac.create | bool | `true` | 是否创建控制器的 ClusterRole 和 ClusterRoleBinding。当集群管理员已预先创建集群级 RBAC 资源时，可设为 false。 |
 | controller.replicas | int | `1` | Higress 控制器 Pod 的数量 |
 | controller.resources.limits.cpu | string | `"1000m"` | CPU 上限 |
 | controller.resources.limits.memory | string | `"2048Mi"` | 内存上限 |
@@ -117,6 +117,8 @@ helm delete higress -n higress-system
 | gateway.name | string | `"higress-gateway"` | 网关名称 |
 | gateway.networkGateway | string | `""` | 网络网关指定 |
 | gateway.nodeSelector | object | `{}` | 节点选择器 |
+| gateway.rbac.enabled | bool | `true` | 是否创建网关访问证书所需的 RBAC 资源。使用 Gateway API 时不需要开启。 |
+| gateway.rbac.create | bool | `true` | 是否创建网关的 ClusterRole 和 ClusterRoleBinding。当集群管理员已预先创建集群级 RBAC 资源时，可设为 false。 |
 | gateway.replicas | int | `2` | Higress Gateway pod 的数量 |
 | gateway.resources.limits.cpu | string | `"2000m"` | 容器资源限制的 CPU |
 | gateway.resources.limits.memory | string | `"2048Mi"` | 容器资源限制的内存 |