apecloud · cjc7373 · Jan 23, 2025 · Jan 23, 2025 · Jan 24, 2025 · wangyelei
@@ -489,6 +489,8 @@ type ComponentDefinitionSpec struct {
 	// for the Component based on the specified policy rules.
 	// This ensures that the Pods in the Component has appropriate permissions to function.
 	//
+	// To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here.
+	//
 	// This field is immutable.
 	//
 	// +optional

@@ -8331,6 +8331,9 @@ spec:
                   This ensures that the Pods in the Component has appropriate permissions to function.
 
 
+                  To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here.
+
+
                   This field is immutable.
                 items:
                   description: |-

@@ -8331,6 +8331,9 @@ spec:
                   This ensures that the Pods in the Component has appropriate permissions to function.
 
 
+                  To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here.
+
+
                   This field is immutable.
                 items:
                   description: |-

@@ -0,0 +1,21 @@
+{{- if .Values.rbac.enabled }}
+# Additional role that is required for addons. Can be defined by user.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubeblocks.fullname" . }}-rbac-manager-additional-role
+  labels:
+    {{- include "kubeblocks.labels" . | nindent 4 }}
+rules:
+# rabbitmq needs this
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - get
+# user defined rules
+{{- with .Values.rbac.additionalPolicyRules }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
@@ -69,10 +69,15 @@ fullnameOverride: ""
 ##
 ## If it is set to false, then you will need to create the service account
 ## named `cluster.ComponentSpec.ServiceAccountName` and the corresponding (cluster) role binding
-## manually or through the cluster's Helm template, as shown in the example:
-##   helm install mysql apecloud-mysql-cluster
+## manually.
+##
+## @param rbac.additionalPolicyRules
+## In your Componentdefinition CR's `policyRules` field, you can only define rules kubeblocks
+## already has. If you want to define a rule that kubeblocks does not have, you can add it here. 
+## This field is `[]rbacv1.PolicyRule`.
 rbac:
   enabled: true
+  additionalPolicyRules: []
 
 ## Deployment update strategy.
 ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy

diff --git a/docs/developer_docs/api-reference/cluster.md b/docs/developer_docs/api-reference/cluster.md
@@ -1492,6 +1492,7 @@ Kubernetes resources within the namespace.</p>
 <p>The purpose of this field is to automatically generate the necessary RBAC roles
 for the Component based on the specified policy rules.
 This ensures that the Pods in the Component has appropriate permissions to function.</p>
+<p>To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here.</p>
 <p>This field is immutable.</p>
 </td>
 </tr>
@@ -5362,6 +5363,7 @@ Kubernetes resources within the namespace.</p>
 <p>The purpose of this field is to automatically generate the necessary RBAC roles
 for the Component based on the specified policy rules.
 This ensures that the Pods in the Component has appropriate permissions to function.</p>
+<p>To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here.</p>
 <p>This field is immutable.</p>
 </td>
 </tr>