feat(report,operator): add support for least-privilege access#8982

Merged
gbartolini merged 4 commits into main from dev/report-improve
Nov 6, 2025

armru (Member) commented Oct 28, 2025

Enable cnpg report operator to work with minimal permissions by making only the operator deployment required. All other resources (pods, secrets, config maps, events, webhooks, and OLM data) are now optional and collected on a best-efforts basis.

The command gracefully handles permission errors for those resources by logging clear warnings and continuing report generation with available data, rather than failing completely. This enables least-privileged access, where users may have limited, namespace-scoped permissions.

armru requested a review from a team as a code owner October 28, 2025 15:52
dosubot bot added the size:L label Oct 28, 2025
cnpg-bot added the backport-requested ◀️, release-1.25, release-1.26 and release-1.27 labels Oct 28, 2025

github-actions (Contributor)

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this pr, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this pr to a certain release branch, remove the specific branch label: release-x.y

dosubot bot added the enhancement 🪄 and ok to merge 👌 labels Oct 28, 2025
armru added the no-issue and do not backport labels and removed the backport-requested ◀️, release-1.25, release-1.26, release-1.27 and ok to merge 👌 labels Oct 28, 2025
armru changed the title from "feat(report,operator): support namespace-scoped access" to "feat(report,operator): reduce required permissions to run" Oct 28, 2025
armru changed the title from "feat(report,operator): reduce required permissions to run" to "feat(report,operator): reduce the required permissions to run" Oct 28, 2025
armru changed the title from "feat(report,operator): reduce the required permissions to run" to "feat(report): enable least-privilege access for report operator command" Oct 28, 2025
armru changed the title from "feat(report): enable least-privilege access for report operator command" to "feat(plugin,report): enable least-privilege access for report operator command" Oct 28, 2025
armru requested a review from jsilvela as a code owner October 28, 2025 16:26
dosubot bot added the size:XL label and removed the size:L label Oct 28, 2025
armru force-pushed the dev/report-improve branch from 729848c to a357c81 October 28, 2025 16:28
armru changed the title from "feat(plugin,report): enable least-privilege access for report operator command" to "feat(report,operator): support least-privilege access" Oct 29, 2025
armru changed the title from "feat(report,operator): support least-privilege access" to "feat(report,operator): add support for least-privilege access" Oct 29, 2025
armru removed the no-issue label Oct 29, 2025
armru force-pushed the dev/report-improve branch from a02c2b0 to fafaaea October 29, 2025 08:18
dosubot bot added the size:L label and removed the size:XL label Oct 29, 2025
dosubot bot added the lgtm label Nov 4, 2025
mnencia force-pushed the dev/report-improve branch from 6393fd4 to 9d90cdd November 5, 2025 08:10

mnencia (Member) commented Nov 5, 2025

/test

github-actions bot (Contributor) commented Nov 5, 2025

@mnencia, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/19095422091

mnencia force-pushed the dev/report-improve branch from 9d90cdd to 013ee66 November 5, 2025 09:01

mnencia (Member) commented Nov 5, 2025

/ok-to-merge E2E has only unrelated failures

cnpg-bot added the ok to merge 👌 label Nov 5, 2025
armru added 3 commits November 6, 2025 21:46

Enable `cnpg report operator` to work with namespace-scoped permissions
by making cluster-scoped resource collection optional instead of required.

The command now gracefully handles permission errors for webhooks, webhook
services, and OLM resources by logging warnings and continuing report
generation with available data, rather than failing completely.

Fixes issue where least-privilege users were blocked from
generating troubleshooting reports due to missing cluster-level
permissions for webhook and OLM resources.

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
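
The behaviour described in the PR description and in the commit message above, sketched as an added example (not code from this pull request or from the CloudNativePG project): the operator deployment is required, every other resource kind is best-effort, and a permission error on an optional kind becomes a warning. `ErrForbidden`, `Report`, `BuildReport` and `NamespacedUser` are hypothetical names, and propagating non-permission errors is this example's own assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden stands in for a Kubernetes 403 (constructed for this example).
var ErrForbidden = errors.New("forbidden")

type Report struct {
	Collected map[string]string
	Warnings  []string
}

// Kinds the PR description lists as optional, best-effort data.
var optionalKinds = []string{"pods", "secrets", "configmaps", "events", "webhooks", "olm"}

// BuildReport fails only when the operator deployment is unreadable. For optional
// kinds a permission error becomes a warning; other errors propagate (assumption).
func BuildReport(fetch func(kind string) (string, error)) (*Report, error) {
	dep, err := fetch("deployment")
	if err != nil {
		return nil, fmt.Errorf("operator deployment is required: %w", err)
	}
	r := &Report{Collected: map[string]string{"deployment": dep}}
	for _, kind := range optionalKinds {
		data, err := fetch(kind)
		switch {
		case err == nil:
			r.Collected[kind] = data
		case errors.Is(err, ErrForbidden):
			r.Warnings = append(r.Warnings, fmt.Sprintf("skipping %s: %v", kind, err))
		default:
			return nil, fmt.Errorf("collecting %s: %w", kind, err)
		}
	}
	return r, nil
}

// NamespacedUser is constructed input: webhook and OLM reads are denied.
func NamespacedUser(kind string) (string, error) {
	if kind == "webhooks" || kind == "olm" {
		return "", ErrForbidden
	}
	return "<" + kind + " data>", nil
}

func main() {
	fmt.Println(BuildReport(NamespacedUser))
}
```

The warnings list is what tells the reader of a report which sections are missing because of RBAC rather than because the resources do not exist.
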
dosubot bot added the size:XL label and removed the size:L label Nov 6, 2025
gbartolini merged commit c319be9 into main Nov 6, 2025
28 of 31 checks passed
gbartolini deleted the dev/report-improve branch November 6, 2025 21:01
Labels

  • do not backport: This PR must not be backported - it will be in the next minor release
  • enhancement 🪄: New feature or request
  • lgtm: This PR has been approved by a maintainer
  • no-issue
  • ok to merge 👌: This PR can be merged
  • size:XL: This PR changes 500-999 lines, ignoring generated files.
