K8s: RBAC feature#3385
Conversation
🛡️ Jit Security Scan Results✅ No security findings were detected in this PR
Security scan by Jit
|
There was a problem hiding this comment.
I reviewed this PR last night while it was a draft with no reviewers assigned. I guess I was bored. Anyway, language LGTM. Therre are, however, a few bad links. Here's the output from hugo serve on your branch:
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-users": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:63:18": page not found
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-roles": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:64:18": page not found
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-acls": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:65:17": page not found
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/manage-bindings": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:66:26": page not found
WARN [en] REF_NOT_FOUND: Ref "/operate/kubernetes/security/access-control/migrate-rolespermissions": "/Users/david.dougherty/src/docs/content/operate/kubernetes/security/access-control/_index.md:67:40": page not found
I'll go ahead and approve so you're not held up.
Postscript: You'll probably want to add the other two reviewers back now that I've approved. Sorry!
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 69897e2. Configure here.
|
|
zcahana
left a comment
There was a problem hiding this comment.
Thanks @kaitlynmichael. This documentation looks great.
I've made a partial review so far - I still have a couple of more pages to go through - but figured I'll already send the first batch of comments. I'll make sure to complete this soon.
|
|
||
| ## Related topics | ||
|
|
||
| - [Redis Software for Kubernetes operator API reference]({{< relref "/operate/kubernetes/reference/api" >}}) — field-by-field specification for every CRD in the `app.redislabs.com/v1alpha1` group. |
There was a problem hiding this comment.
These still don't include the RBAC CRDs reference; Just making sure that we'll have this available by the time of release.
There was a problem hiding this comment.
I'm waiting to run this workflow until we have a release candidate.
|
|
||
| ## Before you start | ||
|
|
||
| - Requires Redis Software for Kubernetes operator 8.0.24-TBD or later. |
There was a problem hiding this comment.
Do we have a mechanism (or a Jira) to un-TBD this?
There was a problem hiding this comment.
We will once I know the version number for Duckburg
| | `RedisEnterpriseRole` | `DBMember`, `DBViewer`, `None` | | ||
| | `RedisEnterpriseClusterRole` | `Admin`, `ClusterMember`, `ClusterViewer`, `DBMember`, `DBViewer`, `UserManager`, `None` | | ||
|
|
||
| `None` grants no management permissions and is the default when `managementRole` is omitted. For what each Redis Software role grants, see [Cluster-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-cluster-roles" >}}) and [Database-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-db-roles" >}}). |
There was a problem hiding this comment.
The Database-scoped role definitions link is more about datapath-access to databases; It is not really about database-scoped management roles (new upcoming feature, also in RS). I'm not sure whether these already have docs... but if it does, then this should probably link to it.
There was a problem hiding this comment.
Another migration aspect (besides migrating from the deprecated rolesPermissions), is the use of "internal object references". See here for relevant information about this. Let's consider expanding the scope of this page to cover both migration aspects (and/or, maybe, mention in each of the role/binding pages?)

Note
Low Risk
Documentation-only changes (new pages, moved paths, relrefs); no application code or runtime behavior.
Overview
Adds Kubernetes-native RBAC documentation for Redis Software on Kubernetes: users, ACLs, database- and cluster-scoped roles, and role bindings as
app.redislabs.com/v1alpha1CRDs, plus a migration guide from deprecatedRedisEnterpriseDatabase.spec.rolesPermissions(includingallowREDBRolesPermissionson the REC).Reorganizes the security section into Access control, Authentication (
manage-rec-credentials, LDAP, SSO, configuration secrets), and Certificates and encryption (cert-manager, client certs, internode encryption). Moved pages keep Hugo aliases so old URLs still resolve; cross-links are updated across operate/kubernetes and the operate product comparison table.Reviewed by Cursor Bugbot for commit afd3434. Bugbot is set up for automated code reviews on this repo. Configure here.