Automate helm ClusterRole RBAC sync from kubebuilder #4686
Open
shraddhabang wants to merge 1 commit into kubernetes-sigs:main from
wweiwei-li
reviewed
Apr 15, 2026
| changed_files=$(git status --porcelain --untracked-files=no -- helm/aws-load-balancer-controller/templates/rbac.yaml || true) | ||
| if [ -n "${changed_files}" ]; then | ||
| echo "Detected that helm RBAC is out of sync with kubebuilder RBAC; run 'make sync-rbac'" |
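Review bot: The `|| true` on the `git status` line swallows any failure of git itself, so if the command errors (for example when the script runs outside the repository) `changed_files` is empty and the check reports the chart as in sync. Consider dropping `|| true` so a failing `git status` fails the check, or test its exit status explicitly before evaluating `changed_files`.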
Collaborator
The error message suggests running make; do we need to also add sync-rbac to the Makefile? Right now it is only part of make manifests.
wweiwei-li
approved these changes
Apr 15, 2026
Contributor
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: shraddhabang, wweiwei-li
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Issue
We've had repeated issues where developers add new kubebuilder RBAC markers but forget to update the helm chart's ClusterRole, causing helm-installed controllers to have missing permissions. The helm rbac.yaml was maintained by hand, separate from the kubebuilder-generated role.yaml, and over time they drifted — different resource groupings, missing rules, verb ordering mismatches.
Description
This PR eliminates that problem by making role.yaml the single source of truth for the controller's ClusterRole rules. The sync now runs automatically as part of make manifests, so there's no extra step to remember. A CI check (verify-rbac-sync in quick-ci) catches any drift if someone bypasses the Makefile.
Scope:
This sync only covers the ClusterRole rules (the controller's own permissions). The following are not synced and remain hand-maintained in the helm chart and/or the sync script:
If any of these need changes, update sync-rbac-to-helm.sh directly.
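The drift this PR describes (different resource groupings, verb ordering mismatches, missing rules) can be told apart by comparing rule sets semantically instead of as text. The following is an added example, not code from this PR or the project: `expand` and `rbac_drift` are hypothetical names, and both rule lists are constructed samples standing in for role.yaml and the chart's rbac.yaml.

```python
from itertools import product


def expand(rules):
    """Flatten PolicyRule dicts into atomic (apiGroup, resource, resourceName, verb) grants.

    Assumption: wildcards ("*") are compared literally, and rules that carry only
    nonResourceURLs contribute nothing because they have no "resources" key.
    """
    grants = set()
    for rule in rules:
        names = rule.get("resourceNames") or [""]  # "" means not restricted by name
        grants.update(product(rule.get("apiGroups", [""]),
                              rule.get("resources", []),
                              names,
                              rule.get("verbs", [])))
    return grants


def rbac_drift(generated, chart):
    """Return (missing_in_chart, extra_in_chart) as sorted lists of atomic grants."""
    gen, hel = expand(generated), expand(chart)
    return sorted(gen - hel), sorted(hel - gen)


# Constructed sample: rules as a generator would group and order them.
GENERATED = [
    {"apiGroups": [""], "resources": ["endpoints", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
     "verbs": ["get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses/status"],
     "verbs": ["patch", "update"]},
]

# Constructed sample: hand-maintained rules with different grouping and verb order,
# one rule missing (ingresses/status) and one extra verb (delete on services).
CHART = [
    {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["watch", "list", "get"]},
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["list", "get", "watch", "delete"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
     "verbs": ["watch", "update", "patch", "list", "get"]},
]

if __name__ == "__main__":
    missing, extra = rbac_drift(GENERATED, CHART)
    for grant in missing:
        print("missing in chart:", grant)
    for grant in extra:
        print("extra in chart:  ", grant)
```

Regrouped resources and reordered verbs produce no findings here; only the absent ingresses/status grants and the additional delete verb are reported.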