rbac-permissions-operator
by
openshift

Description: Operator to manage RBAC permissions for groups across subsets of namespaces

View on GitHub ↗

Summary Information

Updated 1 hour ago
Added to GitGenius on March 7th, 2026
Created on June 14th, 2019
Open Issues & Pull Requests: 6 (+0)
Number of forks: 67
Total Stargazers: 35 (+0)
Total Subscribers: 36 (+0)

Issue Activity (beta)

Open issues: 1
New in 7 days: 0
Closed in 7 days: 0
Avg open age: 314 days
Stale 30+ days: 0
Stale 90+ days: 0

Recent activity

Opened in 7 days: 0
Closed in 7 days: 0
Comments in 7 days: 0
Events in 7 days: 0

Top labels

No label distribution available yet.

Most active issues this week

No issue events were indexed in the last 7 days.

Detailed Description

The RBAC Permissions Operator is a Kubernetes operator written in Go that manages role-based access control policies across OpenShift Dedicated clusters. Created specifically for the OpenShift Dedicated platform, it automates the assignment of RBAC permissions to groups across multiple namespaces while providing fine-grained control over which namespaces receive specific role bindings.

The operator addresses a critical operational need in multi-tenant Kubernetes environments where administrators must grant permissions at both cluster and namespace scopes while preventing accidental or intentional privilege escalation to sensitive infrastructure namespaces. Rather than manually managing RoleBindings and ClusterRoleBindings across dozens or hundreds of namespaces, the operator watches for namespace creation and permission changes, automatically creating and maintaining the appropriate bindings based on defined policies.

The operator consists of two primary controllers working in tandem. The Namespace Controller monitors the creation of new namespaces and automatically assigns RoleBindings to those that match specified criteria. The SubjectPermission Controller responds to changes in SubjectPermission custom resources, creating both ClusterRoleBindings and RoleBindings as needed. This dual-controller approach ensures that permissions remain synchronized whether changes originate from new namespace creation or from explicit permission policy updates.

A key security feature of the operator is its implementation of namespace filtering through two regex patterns: NamespacesAllowedRegex and NamespacesDeniedRegex. These patterns allow operators to maintain a safe list and blocklist of namespaces, preventing the operator from accidentally granting permissions to critical infrastructure namespaces or cluster-admin related projects. This design prevents common misconfigurations that could compromise cluster security.

The operator uses SubjectPermission custom resources as its primary configuration mechanism. These resources specify the subject kind, subject name, cluster-level permissions, and namespace-scoped permissions needed for any given subject. Configuration examples and production deployments are maintained in the managed-cluster-config repository, allowing operators to version control and review permission policies alongside other cluster configurations.

According to GitGenius activity analysis, the repository maintains active development with regular issue and pull request activity, indicating ongoing maintenance and feature development. The codebase shares contributors with related OpenShift operators including certman-operator and cloud-ingress-operator, suggesting a collaborative development community focused on OpenShift platform reliability and security.

The operator supports local testing through CodeReady Containers, with a documented workflow that allows developers to validate changes before deployment. The testing process involves starting CRC, running predeploy steps, deploying locally, and applying custom resources to verify behavior. This emphasis on local testing capability reflects a commitment to developer experience and rapid iteration.

The operator is classified within the RBAC, Permissions, Access Control, and Security domains, positioning it as a critical component of OpenShift cluster management and authorization infrastructure. By automating RBAC policy enforcement at scale, the operator reduces manual configuration errors, improves consistency across namespaces, and enables teams to manage complex permission hierarchies more effectively in large OpenShift Dedicated deployments.

rbac-permissions-operator
by
openshiftopenshift/rbac-permissions-operator

Repository Details

Fetching additional details & charts...