
Adds namespace-scoped RBAC for reduced permissions mode.#666

Open

YossiMarzuk wants to merge 3 commits into master from WZ-99770-SM-Outpost-BYOC-reducePermissions-should-grant-the-permissions-only-for-the-wiz-namespaces

Conversation

@YossiMarzuk

Collaborator

Previously, reducedPermissions mode granted cluster-wide access to Flux CRs (gitrepositories, kustomizations). This moves those permissions to be namespace-scoped via the new wizFluxNamespace option, along with secrets and configmaps access needed for Helm release management.

Changes:

  • Removed gitrepositories and kustomizations from ClusterRole
  • Added templates/outpostController.fluxNamespace.rbac.yaml with Role and RoleBinding for the wizFluxNamespace
  • Added wizFluxNamespace option to outpostController in values.yaml

When reducedPermissions is true and wizFluxNamespace is set, the controller gets:

  • Cluster-wide: nodes (read)
  • Release namespace: full admin
  • wizFluxNamespace: secrets, configmaps, gitrepositories, kustomizations

@YossiMarzuk YossiMarzuk enabled auto-merge (squash) February 19, 2026 11:47
@YossiMarzuk force-pushed the WZ-99770-SM-Outpost-BYOC-reducePermissions-should-grant-the-permissions-only-for-the-wiz-namespaces branch 3 times, most recently from dcefd78 to 15fd83e on February 19, 2026 16:05
@YossiMarzuk force-pushed the WZ-99770-SM-Outpost-BYOC-reducePermissions-should-grant-the-permissions-only-for-the-wiz-namespaces branch from 15fd83e to 63ca063 on February 19, 2026 16:34
@YossiMarzuk

Collaborator Author

Following my last discussion with @eyal-moscovici, I applied the following:

Replace fluxRbacEnabled with wizFluxNamespace

Changes:

  • Replaced boolean fluxRbacEnabled with explicit wizFluxNamespace string parameter
  • Default value is wiz-flux-system
  • When wizFluxNamespace is set, creates Role and RoleBinding in the specified namespace
  • When wizFluxNamespace is empty, auto-derives namespace from release namespace prefix (e.g., wiz-default -> wiz-flux-system, coco-default -> coco-flux-system, default -> flux-system)
  • Bumped chart version to 2026.02.19

Files changed:

  • values.yaml
  • templates/outpostController.fluxNamespace.rbac.yaml
  • Chart.yaml

Permissions:

reducedPermissions: false

  • ClusterRoleBinding to cluster-admin (full cluster access)

reducedPermissions: true

  • ClusterRole: nodes (get, list, watch)
  • Role in release namespace (e.g., wiz-default): full namespace admin (*, *, *)
  • Role in flux namespace (e.g., wiz-flux-system):
    • secrets, configmaps: get, list, watch, create, update, delete
    • gitrepositories (source.toolkit.fluxcd.io): create, delete, get, list, patch, update, watch
    • kustomizations (kustomize.toolkit.fluxcd.io): create, delete, get, list, patch, update, watch

Tested:

  • helm template with default wizFluxNamespace (wiz-flux-system) - verified Role/RoleBinding created in wiz-flux-system
  • helm template with empty wizFluxNamespace in wiz-default namespace - verified auto-derived to wiz-flux-system
  • helm template with empty wizFluxNamespace in default namespace - verified auto-derived to flux-system
  • helm template with empty wizFluxNamespace in coco-default namespace - verified auto-derived to coco-flux-system
  • helm template with custom wizFluxNamespace (my-custom-ns) - verified Role/RoleBinding created in my-custom-ns
  • Deployed to AKS cluster in wiz-default namespace with reducedPermissions=true, verified Flux RBAC created in wiz-flux-system
