Skip to content

K8s: RBAC feature#3385

Open
kaitlynmichael wants to merge 10 commits into
mainfrom
DOC-6678
Open

K8s: RBAC feature#3385
kaitlynmichael wants to merge 10 commits into
mainfrom
DOC-6678

Conversation

@kaitlynmichael

@kaitlynmichael kaitlynmichael commented May 29, 2026

Copy link
Copy Markdown
Contributor

Note

Low Risk
Documentation-only changes (new pages, moved paths, relrefs); no application code or runtime behavior.

Overview
Adds Kubernetes-native RBAC documentation for Redis Software on Kubernetes: users, ACLs, database- and cluster-scoped roles, and role bindings as app.redislabs.com/v1alpha1 CRDs, plus a migration guide from deprecated RedisEnterpriseDatabase.spec.rolesPermissions (including allowREDBRolesPermissions on the REC).

Reorganizes the security section into Access control, Authentication (manage-rec-credentials, LDAP, SSO, configuration secrets), and Certificates and encryption (cert-manager, client certs, internode encryption). Moved pages keep Hugo aliases so old URLs still resolve; cross-links are updated across operate/kubernetes and the operate product comparison table.

Reviewed by Cursor Bugbot for commit afd3434. Bugbot is set up for automated code reviews on this repo. Configure here.

@github-actions

github-actions Bot commented May 29, 2026

Copy link
Copy Markdown
Contributor

DOC-6678

@github-actions

github-actions Bot commented May 29, 2026

Copy link
Copy Markdown
Contributor

Staging links:
https://redis.io/docs/staging/DOC-6678/operate/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/active-active/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/active-active/create-aa-crdb-cli/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/architecture/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/access-control/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/access-control/manage-acls/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/access-control/manage-bindings/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/access-control/manage-roles/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/access-control/manage-users/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/access-control/migrate-rolespermissions/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/allow-resource-adjustment/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/authentication/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/authentication/configuration-secrets/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/authentication/ldap/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/authentication/manage-rec-credentials/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/authentication/sso/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/certificates/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/certificates/add-client-certificates/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/certificates/cert-manager/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/certificates/internode-encryption/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/certificates/manage-rec-certificates/
https://redis.io/docs/staging/DOC-6678/operate/kubernetes/security/vault/

@jit-ci

jit-ci Bot commented May 29, 2026

Copy link
Copy Markdown

🛡️ Jit Security Scan Results

CRITICAL HIGH MEDIUM

✅ No security findings were detected in this PR


Security scan by Jit

@dwdougherty dwdougherty left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reviewed this PR last night while it was a draft with no reviewers assigned. I guess I was bored. Anyway, language LGTM. Therre are, however, a few bad links. Here's the output from hugo serve on your branch:

WARN  [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-users": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:63:18": page not found
WARN  [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-roles": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:64:18": page not found
WARN  [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-acls": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:65:17": page not found
WARN  [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-bindings": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:66:26": page not found
WARN  [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/migrate-rolespermissions": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:67:40": page not found

I'll go ahead and approve so you're not held up.

Postscript: You'll probably want to add the other two reviewers back now that I've approved. Sorry!

@kaitlynmichael kaitlynmichael requested a review from zcahana June 8, 2026 13:31
@kaitlynmichael kaitlynmichael marked this pull request as ready for review June 17, 2026 15:41

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 69897e2. Configure here.

Comment thread content/operate/kubernetes/security/access-control/manage-roles.md
@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@zcahana zcahana left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kaitlynmichael. This documentation looks great.
I've made a partial review so far - I still have a couple of more pages to go through - but figured I'll already send the first batch of comments. I'll make sure to complete this soon.

Comment thread content/operate/kubernetes/security/certificates/_index.md Outdated
Comment thread content/operate/kubernetes/security/authentication/_index.md Outdated
Comment thread content/operate/kubernetes/security/authentication/_index.md Outdated
Comment thread content/operate/kubernetes/security/access-control/_index.md Outdated
Comment thread content/operate/kubernetes/security/access-control/_index.md Outdated

## Related topics

- [Redis Software for Kubernetes operator API reference]({{< relref "/operate/kubernetes/reference/api" >}}) — field-by-field specification for every CRD in the `app.redislabs.com/v1alpha1` group.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These still don't include the RBAC CRDs reference; Just making sure that we'll have this available by the time of release.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm waiting to run this workflow until we have a release candidate.


## Before you start

- Requires Redis Software for Kubernetes operator 8.0.24-TBD or later.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a mechanism (or a Jira) to un-TBD this?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will once I know the version number for Duckburg

Comment thread content/operate/kubernetes/security/access-control/manage-users.md Outdated
Comment thread content/operate/kubernetes/security/access-control/manage-users.md Outdated
Comment thread content/operate/kubernetes/security/access-control/manage-acls.md Outdated

@zcahana zcahana left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Part II for the review.

| `RedisEnterpriseRole` | `DBMember`, `DBViewer`, `None` |
| `RedisEnterpriseClusterRole` | `Admin`, `ClusterMember`, `ClusterViewer`, `DBMember`, `DBViewer`, `UserManager`, `None` |

`None` grants no management permissions and is the default when `managementRole` is omitted. For what each Redis Software role grants, see [Cluster-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-cluster-roles" >}}) and [Database-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-db-roles" >}}).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Database-scoped role definitions link is more about datapath-access to databases; It is not really about database-scoped management roles (new upcoming feature, also in RS). I'm not sure whether these already have docs... but if it does, then this should probably link to it.

Comment thread content/operate/kubernetes/security/access-control/manage-roles.md Outdated
Comment thread content/operate/kubernetes/security/access-control/manage-roles.md Outdated
Comment thread content/operate/kubernetes/security/access-control/manage-roles.md Outdated
Comment thread content/operate/kubernetes/security/access-control/manage-bindings.md Outdated
Comment thread content/operate/kubernetes/security/access-control/manage-bindings.md Outdated
Comment thread content/operate/kubernetes/security/access-control/manage-bindings.md Outdated

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another migration aspect (besides migrating from the deprecated rolesPermissions), is the use of "internal object references". See here for relevant information about this. Let's consider expanding the scope of this page to cover both migration aspects (and/or, maybe, mention in each of the role/binding pages?)

@kaitlynmichael kaitlynmichael requested review from zcahana July 8, 2026 20:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants