trusted-execution-clusters · alicefr · Jan 9, 2026 · Jan 5, 2026
diff --git a/.gitignore b/.gitignore
@@ -10,7 +10,7 @@ trusted-cluster-gen
 /bin
 /config/crd
 /config/deploy
-/config/rbac/role.yaml
+/config/rbac/base/role.yaml
 /lib/src/kopium
 /target
 bundle/manifests/

diff --git a/Makefile b/Makefile
@@ -6,6 +6,7 @@
 .PHONY: all build build-tools crds-rs generate manifests cluster-up cluster-down image push install-trustee install clean fmt-check clippy lint test test-release release-tarball
 
 NAMESPACE ?= trusted-execution-clusters
+PLATFORM ?= kind
 
 KUBECTL=kubectl
 
@@ -41,10 +42,12 @@ reg-server: crds-rs
 	cargo build -p register-server
 
 CRD_YAML_PATH = config/crd
+RBAC_YAML_PATH = config/rbac/base
 API_PATH = api/v1alpha1
 generate: $(CONTROLLER_GEN)
 	$(CONTROLLER_GEN) rbac:roleName=trusted-cluster-operator-role crd webhook paths="./..." \
-		output:crd:artifacts:config=$(CRD_YAML_PATH)
+		output:crd:artifacts:config=$(CRD_YAML_PATH) \
+		output:rbac:artifacts:config=$(RBAC_YAML_PATH)
 
 RS_LIB_PATH = lib/src
 CRD_RS_PATH = $(RS_LIB_PATH)/kopium
@@ -132,10 +135,15 @@ endif
 	scripts/clean-cluster-kind.sh $(OPERATOR_IMAGE) $(COMPUTE_PCRS_IMAGE) $(REG_SERVER_IMAGE)
 	$(YQ) '.spec.publicTrusteeAddr = "$(TRUSTEE_ADDR):8080"' \
 		-i $(DEPLOY_PATH)/trusted_execution_cluster_cr.yaml
-	$(YQ) '.namespace = "$(NAMESPACE)"' -i config/rbac/kustomization.yaml
+	$(YQ) '.namespace = "$(NAMESPACE)"' -i config/rbac/base/kustomization.yaml
+	$(YQ) '.patches[0].patch = "- op: replace\n  path: /metadata/name\n  value: $(NAMESPACE)-manager-rolebinding"' -i config/rbac/base/kustomization.yaml
+	$(YQ) '.patches[1].patch = "- op: replace\n  path: /metadata/name\n  value: $(NAMESPACE)-metrics-auth-rolebinding"' -i config/rbac/base/kustomization.yaml
+	@if [ "$(PLATFORM)" = "openshift" ]; then \
+		$(YQ) '.patches[0].patch = "- op: replace\n  path: /metadata/name\n  value: $(NAMESPACE)-trusted-cluster-scc\n- op: replace\n  path: /users/0\n  value: system:serviceaccount:$(NAMESPACE):trusted-cluster-operator"' -i config/rbac/overlays/openshift/kustomization.yaml; \
+	fi
 	$(KUBECTL) apply -f $(DEPLOY_PATH)/operator.yaml
 	$(KUBECTL) apply -f config/crd
-	$(KUBECTL) apply -k config/rbac
+	$(KUBECTL) apply -k config/rbac/overlays/$(PLATFORM)
 	$(KUBECTL) apply -f $(DEPLOY_PATH)/trusted_execution_cluster_cr.yaml
 	$(KUBECTL) apply -f $(DEPLOY_PATH)/approved_image_cr.yaml
 	$(KUBECTL) apply -f kind/register-forward.yaml
@@ -147,7 +155,7 @@ install-kubevirt:
 clean:
 	cargo clean
 	rm -rf bin manifests $(CRD_YAML_PATH) $(CRD_RS_PATH)
-	rm -f trusted-cluster-gen config/rbac/role.yaml .crates.toml .crates2.json
+	rm -f trusted-cluster-gen config/rbac/base/role.yaml .crates.toml .crates2.json
 
 fmt-check:
 	cargo fmt -- --check

diff --git a/api/v1alpha1/crds.go b/api/v1alpha1/crds.go
@@ -25,16 +25,13 @@ var (
 	AddToScheme = SchemeBuilder.AddToScheme
 )
 
-// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;create;patch;update
-// +kubebuilder:rbac:groups="",resources=services,verbs=create
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=create
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;create;update
-// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;delete;list;watch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters,verbs=list;watch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/status,verbs=patch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=machines,verbs=create;list;delete;watch;patch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=approvedimages,verbs=get;list;watch;patch
-// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=approvedimages/status,verbs=patch
+// +kubebuilder:rbac:groups="",resources=configmaps;services;secrets,verbs=create;get;list;watch
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters;machines;approvedimages,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/finalizers,verbs=update
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=machines/finalizers,verbs=update
+// +kubebuilder:rbac:groups=trusted-execution-clusters.io,resources=trustedexecutionclusters/status;machines/status;approvedimages/status,verbs=get;patch;update
 
 // TrustedExecutionClusterSpec defines the desired state of TrustedExecutionCluster
 // +kubebuilder:validation:XValidation:rule="!has(oldSelf.publicTrusteeAddr) || has(self.publicTrusteeAddr)", message="Value is required once set"

diff --git a/config/rbac/approvedimage_admin_role.yaml → ...g/rbac/base/approvedimage_admin_role.yaml b/config/rbac/approvedimage_admin_role.yaml → ...g/rbac/base/approvedimage_admin_role.yaml
diff --git a/config/rbac/approvedimage_viewer_role.yaml → .../rbac/base/approvedimage_viewer_role.yaml b/config/rbac/approvedimage_viewer_role.yaml → .../rbac/base/approvedimage_viewer_role.yaml
diff --git a/config/rbac/kustomization.yaml → config/rbac/base/kustomization.yaml b/config/rbac/kustomization.yaml → config/rbac/base/kustomization.yaml
@@ -3,6 +3,21 @@
 # SPDX-License-Identifier: CC0-1.0
 
 namespace: trusted-execution-clusters
+patches:
+  - target:
+      kind: ClusterRoleBinding
+      name: manager-rolebinding
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: NAMESPACE-manager-rolebinding
+  - target:
+      kind: ClusterRoleBinding
+      name: metrics-auth-rolebinding
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: NAMESPACE-metrics-auth-rolebinding
 resources:
   # All RBAC will be applied under this service account in
   # the deployment namespace. You may comment out this resource

diff --git a/config/rbac/leader_election_role.yaml → config/rbac/base/leader_election_role.yaml b/config/rbac/leader_election_role.yaml → config/rbac/base/leader_election_role.yaml
diff --git a/...ig/rbac/leader_election_role_binding.yaml → ...ac/base/leader_election_role_binding.yaml b/...ig/rbac/leader_election_role_binding.yaml → ...ac/base/leader_election_role_binding.yaml
diff --git a/config/rbac/machine_admin_role.yaml → config/rbac/base/machine_admin_role.yaml b/config/rbac/machine_admin_role.yaml → config/rbac/base/machine_admin_role.yaml
diff --git a/config/rbac/machine_viewer_role.yaml → config/rbac/base/machine_viewer_role.yaml b/config/rbac/machine_viewer_role.yaml → config/rbac/base/machine_viewer_role.yaml
diff --git a/config/rbac/metrics_auth_role.yaml → config/rbac/base/metrics_auth_role.yaml b/config/rbac/metrics_auth_role.yaml → config/rbac/base/metrics_auth_role.yaml
diff --git a/config/rbac/metrics_auth_role_binding.yaml → .../rbac/base/metrics_auth_role_binding.yaml b/config/rbac/metrics_auth_role_binding.yaml → .../rbac/base/metrics_auth_role_binding.yaml
diff --git a/config/rbac/metrics_reader_role.yaml → config/rbac/base/metrics_reader_role.yaml b/config/rbac/metrics_reader_role.yaml → config/rbac/base/metrics_reader_role.yaml
diff --git a/config/rbac/role_binding.yaml → config/rbac/base/role_binding.yaml b/config/rbac/role_binding.yaml → config/rbac/base/role_binding.yaml
diff --git a/config/rbac/service_account.yaml → config/rbac/base/service_account.yaml b/config/rbac/service_account.yaml → config/rbac/base/service_account.yaml
diff --git a/...c/trustedexecutioncluster_admin_role.yaml → ...e/trustedexecutioncluster_admin_role.yaml b/...c/trustedexecutioncluster_admin_role.yaml → ...e/trustedexecutioncluster_admin_role.yaml
diff --git a/.../trustedexecutioncluster_editor_role.yaml → .../trustedexecutioncluster_editor_role.yaml b/.../trustedexecutioncluster_editor_role.yaml → .../trustedexecutioncluster_editor_role.yaml
diff --git a/.../trustedexecutioncluster_viewer_role.yaml → .../trustedexecutioncluster_viewer_role.yaml b/.../trustedexecutioncluster_viewer_role.yaml → .../trustedexecutioncluster_viewer_role.yaml
diff --git a/config/rbac/overlays/kind/kustomization.yaml b/config/rbac/overlays/kind/kustomization.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: Yalan Zhang <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Kustomize overlay for Kind clusters
+# This uses the base RBAC configuration without OpenShift-specific resources
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
diff --git a/config/rbac/overlays/openshift/kustomization.yaml b/config/rbac/overlays/openshift/kustomization.yaml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: Yalan Zhang <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Kustomize overlay for OpenShift clusters
+# This extends the base RBAC configuration with OpenShift-specific resources
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+  - scc.yaml
+
+patches:
+  - target:
+      kind: SecurityContextConstraints
+      name: trusted-cluster-scc
+    patch: |-
+      - op: replace
+        path: /metadata/name
+        value: NAMESPACE-trusted-cluster-scc
+      - op: replace
+        path: /users/0
+        value: system:serviceaccount:NAMESPACE:trusted-cluster-operator
diff --git a/config/rbac/overlays/openshift/scc.yaml b/config/rbac/overlays/openshift/scc.yaml
@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: Yalan Zhang <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: trusted-cluster-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowPrivilegeEscalation: false
+allowedCapabilities: []
+defaultAddCapabilities: []
+fsGroup:
+  type: RunAsAny
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- image
+- projected
+- secret
+users:
+- system:serviceaccount:trusted-execution-clusters:trusted-cluster-operator
diff --git a/test_utils/src/lib.rs b/test_utils/src/lib.rs
@@ -353,7 +353,7 @@ impl TestContext {
 
         test_info!(&self.test_name, "Preparing RBAC manifests");
 
-        let sa_src = workspace_root.join("config/rbac/service_account.yaml");
+        let sa_src = workspace_root.join("config/rbac/base/service_account.yaml");
         let sa_content = std::fs::read_to_string(&sa_src)?
             .replace("namespace: system", &format!("namespace: {}", ns));
         let sa_dst = rbac_temp_dir.join("service_account.yaml");
@@ -366,7 +366,7 @@ impl TestContext {
         );
         std::fs::write(&role_path, role_content)?;
 
-        let rb_src = workspace_root.join("config/rbac/role_binding.yaml");
+        let rb_src = workspace_root.join("config/rbac/base/role_binding.yaml");
         let rb_content = std::fs::read_to_string(&rb_src)?
             .replace(
                 "name: manager-rolebinding",
@@ -380,13 +380,13 @@ impl TestContext {
         let rb_dst = rbac_temp_dir.join("role_binding.yaml");
         std::fs::write(&rb_dst, rb_content)?;
 
-        let le_role_src = workspace_root.join("config/rbac/leader_election_role.yaml");
+        let le_role_src = workspace_root.join("config/rbac/base/leader_election_role.yaml");
         let le_role_content = std::fs::read_to_string(&le_role_src)?
             .replace("namespace: system", &format!("namespace: {}", ns));
         let le_role_dst = rbac_temp_dir.join("leader_election_role.yaml");
         std::fs::write(&le_role_dst, le_role_content)?;
 
-        let le_rb_src = workspace_root.join("config/rbac/leader_election_role_binding.yaml");
+        let le_rb_src = workspace_root.join("config/rbac/base/leader_election_role_binding.yaml");
         let le_rb_content = std::fs::read_to_string(&le_rb_src)?
             .replace("namespace: system", &format!("namespace: {}", ns));
         let le_rb_dst = rbac_temp_dir.join("leader_election_role_binding.yaml");