fix: security hardening and documentation improvements by MaxRink · Pull Request #177 · telekom/auth-operator

MaxRink · 2026-03-05T16:39:41Z

Summary

Security hardening and documentation improvements. Closes #143, #158.

Changes

SEC-011: Error Message Sanitization

Replace raw error messages in CRD status conditions with generic text
Full errors remain in operator logs for administrators
Prevents leaking internal server details to non-privileged CRD consumers

SEC-013: HTTP/2 CVE Documentation

Add CVE-2023-44487 (HTTP/2 Rapid Reset) and CVE-2023-39325 rationale
comment to the --enable-http2 flag
Documents why HTTP/2 is disabled by default

Issue #143: AutomountServiceAccountToken Security Docs

Enhanced field description with explicit security implications
Added least-privilege guidance about disabling for workloads that do not need API access
Regenerated CRDs, docs, and Helm chart

SEC-012: Bypass Account Documentation

Verified bypass account hardcoding rationale is already comprehensively documented upstream with security justification

Testing

make fmt vet lint - 0 issues
make test - all tests pass with race detector
make manifests generate docs helm - no additional changes

Copilot

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

internal/controller/authorization/roledefinition_helpers.go

cmd/webhook.go

internal/controller/authorization/roledefinition_helpers.go

github-actions · 2026-03-06T09:35:32Z

📊 Output Delta Report

Generated RBAC resources from config/samples/ compared across branches.

Prometheus Metrics (PR branch)

📈 auth_operator_* metrics

auth_operator_api_discovery_duration_seconds_bucket{le="+Inf"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.005"} 0
auth_operator_api_discovery_duration_seconds_bucket{le="0.01"} 0
auth_operator_api_discovery_duration_seconds_bucket{le="0.025"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.05"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.1"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.25"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.5"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="1"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="10"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="2.5"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="5"} 1
auth_operator_api_discovery_duration_seconds_count 1
auth_operator_api_discovery_duration_seconds_sum 0.01154566
auth_operator_api_discovery_errors_total 0
auth_operator_authorizer_active_rules 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-cluster-only"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-complex-selectors"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-default-ns-test"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-disjoint-selectors"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-generated-sa"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-missing-clusterrole"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-missing-role"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-mixed-refs"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-preexisting-role"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-preexisting-sa"} 1
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-shared-generated-sa-a"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-shared-generated-sa-b"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-shared-sa-consumer-a"} 1
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-shared-sa-consumer-b"} 1
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-gitops-controllers"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-mixed-binding-types"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-monitoring-stack"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-namespace-only"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-overlapping-selectors"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-platform-admins"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-readonly-ui"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-security-auditors"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-tenant-alpha-team"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-tenant-beta-team"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-cluster-only",resource_type="ClusterRoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-cluster-only",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-cluster-only",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-complex-selectors",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-complex-selectors",resource_type="RoleBinding"} 21
auth_operator_managed_resources{controller="BindDefinition",name="bd-complex-selectors",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-default-ns-test",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-default-ns-test",resource_type="RoleBinding"} 4
auth_operator_managed_resources{controller="BindDefinition",name="bd-default-ns-test",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-disjoint-selectors",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-disjoint-selectors",resource_type="RoleBinding"} 6
auth_operator_managed_resources{controller="BindDefinition",name="bd-disjoint-selectors",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-generated-sa",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-generated-sa",resource_type="RoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-generated-sa",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-clusterrole",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-clusterrole",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-clusterrole",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-role",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-role",resource_type="RoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-role",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-mixed-refs",resource_type="ClusterRoleBinding"} 3
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-mixed-refs",resource_type="RoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-mixed-refs",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-role",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-role",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-role",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-sa",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-sa",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-sa",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-a",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-a",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-a",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-b",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-b",resource_type="RoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-b",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-a",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-a",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-a",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-b",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-b",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-b",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-gitops-controllers",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-gitops-controllers",resource_type="RoleBinding"} 6
auth_operator_managed_resources{controller="BindDefinition",name="bd-gitops-controllers",resource_type="ServiceAccount"} 6
auth_operator_managed_resources{controller="BindDefinition",name="bd-mixed-binding-types",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-mixed-binding-types",resource_type="RoleBinding"} 24
auth_operator_managed_resources{controller="BindDefinition",name="bd-mixed-binding-types",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-monitoring-stack",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-monitoring-stack",resource_type="RoleBinding"} 4
auth_operator_managed_resources{controller="BindDefinition",name="bd-monitoring-stack",resource_type="ServiceAccount"} 5
auth_operator_managed_resources{controller="BindDefinition",name="bd-namespace-only",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-namespace-only",resource_type="RoleBinding"} 4
auth_operator_managed_resources{controller="BindDefinition",name="bd-namespace-only",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-overlapping-selectors",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-overlapping-selectors",resource_type="RoleBinding"} 5
auth_operator_managed_resources{controller="BindDefinition",name="bd-overlapping-selectors",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-platform-admins",resource_type="ClusterRoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-platform-admins",resource_type="RoleBinding"} 3
auth_operator_managed_resources{controller="BindDefinition",name="bd-platform-admins",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-readonly-ui",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-readonly-ui",resource_type="RoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-readonly-ui",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-security-auditors",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-security-auditors",resource_type="RoleBinding"} 14
auth_operator_managed_resources{controller="BindDefinition",name="bd-security-auditors",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-alpha-team",resource_type="ClusterRoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-alpha-team",resource_type="RoleBinding"} 20
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-alpha-team",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-beta-team",resource_type="ClusterRoleBinding"} 3
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-beta-team",resource_type="RoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-beta-team",resource_type="ServiceAccount"} 1
auth_operator_namespaces_active{binddefinition="bd-cluster-only"} 0
auth_operator_namespaces_active{binddefinition="bd-complex-selectors"} 7
auth_operator_namespaces_active{binddefinition="bd-default-ns-test"} 2
auth_operator_namespaces_active{binddefinition="bd-disjoint-selectors"} 6
auth_operator_namespaces_active{binddefinition="bd-edge-generated-sa"} 1
auth_operator_namespaces_active{binddefinition="bd-edge-missing-clusterrole"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-missing-role"} 1
auth_operator_namespaces_active{binddefinition="bd-edge-mixed-refs"} 1
auth_operator_namespaces_active{binddefinition="bd-edge-preexisting-role"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-preexisting-sa"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-shared-generated-sa-a"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-shared-generated-sa-b"} 1
auth_operator_namespaces_active{binddefinition="bd-edge-shared-sa-consumer-a"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-shared-sa-consumer-b"} 0
auth_operator_namespaces_active{binddefinition="bd-gitops-controllers"} 2
auth_operator_namespaces_active{binddefinition="bd-mixed-binding-types"} 6
auth_operator_namespaces_active{binddefinition="bd-monitoring-stack"} 2
auth_operator_namespaces_active{binddefinition="bd-namespace-only"} 2
auth_operator_namespaces_active{binddefinition="bd-overlapping-selectors"} 5
auth_operator_namespaces_active{binddefinition="bd-platform-admins"} 3
auth_operator_namespaces_active{binddefinition="bd-readonly-ui"} 1
auth_operator_namespaces_active{binddefinition="bd-security-auditors"} 7
auth_operator_namespaces_active{binddefinition="bd-tenant-alpha-team"} 4
auth_operator_namespaces_active{binddefinition="bd-tenant-beta-team"} 1
auth_operator_rbac_resources_applied_total{resource_type="ClusterRole"} 5
auth_operator_rbac_resources_applied_total{resource_type="ClusterRoleBinding"} 23
auth_operator_rbac_resources_applied_total{resource_type="Role"} 4
auth_operator_rbac_resources_applied_total{resource_type="RoleBinding"} 62
auth_operator_rbac_resources_applied_total{resource_type="ServiceAccount"} 20
auth_operator_rbac_resources_skipped_total{resource_type="ClusterRole"} 5
auth_operator_rbac_resources_skipped_total{resource_type="ClusterRoleBinding"} 40
auth_operator_rbac_resources_skipped_total{resource_type="Role"} 4
auth_operator_rbac_resources_skipped_total{resource_type="RoleBinding"} 123
auth_operator_rbac_resources_skipped_total{resource_type="ServiceAccount"} 27
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="+Inf"} 61
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.005"} 14
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.01"} 25
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.025"} 32
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.05"} 39
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.1"} 50
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.25"} 59
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.5"} 61
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="1"} 61
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="10"} 61
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="2.5"} 61
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="5"} 61
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="+Inf"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.005"} 75
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.01"} 92
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.025"} 128
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.05"} 133
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.1"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.25"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.5"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="1"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="10"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="2.5"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="5"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="+Inf"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.005"} 0
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.01"} 0
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.025"} 3
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.05"} 7
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.1"} 13
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.25"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.5"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="1"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="10"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="2.5"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="5"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="+Inf"} 6
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="0.005"} 0
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="0.01"} 2
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="0.025"} 5
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="0.05"} 5
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="0.1"} 6
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="0.25"} 6
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="0.5"} 6
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="1"} 6
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="10"} 6
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="2.5"} 6
auth_operator_reconcile_duration_seconds_bucket{controller="WebhookAuthorizer",le="5"} 6
auth_operator_reconcile_duration_seconds_count{controller="BindDefinition"} 61
auth_operator_reconcile_duration_seconds_count{controller="RoleBindingTerminator"} 135
auth_operator_reconcile_duration_seconds_count{controller="RoleDefinition"} 18
auth_operator_reconcile_duration_seconds_count{controller="WebhookAuthorizer"} 6
auth_operator_reconcile_duration_seconds_sum{controller="BindDefinition"} 3.318531904
auth_operator_reconcile_duration_seconds_sum{controller="RoleBindingTerminator"} 0.9768201209999997
auth_operator_reconcile_duration_seconds_sum{controller="RoleDefinition"} 1.2764743609999998
auth_operator_reconcile_duration_seconds_sum{controller="WebhookAuthorizer"} 0.123979127
auth_operator_reconcile_total{controller="BindDefinition",result="degraded"} 27
auth_operator_reconcile_total{controller="BindDefinition",result="success"} 34
auth_operator_reconcile_total{controller="RoleBindingTerminator",result="skipped"} 13
auth_operator_reconcile_total{controller="RoleBindingTerminator",result="success"} 122
auth_operator_reconcile_total{controller="RoleDefinition",result="success"} 18
auth_operator_reconcile_total{controller="WebhookAuthorizer",result="success"} 6
auth_operator_role_refs_missing{binddefinition="bd-cluster-only"} 1
auth_operator_role_refs_missing{binddefinition="bd-complex-selectors"} 0
auth_operator_role_refs_missing{binddefinition="bd-default-ns-test"} 0
auth_operator_role_refs_missing{binddefinition="bd-disjoint-selectors"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-generated-sa"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-missing-clusterrole"} 1
auth_operator_role_refs_missing{binddefinition="bd-edge-missing-role"} 1
auth_operator_role_refs_missing{binddefinition="bd-edge-mixed-refs"} 3
auth_operator_role_refs_missing{binddefinition="bd-edge-preexisting-role"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-preexisting-sa"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-shared-generated-sa-a"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-shared-generated-sa-b"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-shared-sa-consumer-a"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-shared-sa-consumer-b"} 1
auth_operator_role_refs_missing{binddefinition="bd-gitops-controllers"} 0
auth_operator_role_refs_missing{binddefinition="bd-mixed-binding-types"} 3
auth_operator_role_refs_missing{binddefinition="bd-monitoring-stack"} 0
auth_operator_role_refs_missing{binddefinition="bd-namespace-only"} 1
auth_operator_role_refs_missing{binddefinition="bd-overlapping-selectors"} 0
auth_operator_role_refs_missing{binddefinition="bd-platform-admins"} 2
auth_operator_role_refs_missing{binddefinition="bd-readonly-ui"} 0
auth_operator_role_refs_missing{binddefinition="bd-security-auditors"} 2
auth_operator_role_refs_missing{binddefinition="bd-tenant-alpha-team"} 2
auth_operator_role_refs_missing{binddefinition="bd-tenant-beta-team"} 0
auth_operator_serviceaccount_skipped_preexisting_total{binddefinition="bd-edge-preexisting-sa"} 3
auth_operator_serviceaccount_skipped_preexisting_total{binddefinition="bd-edge-shared-sa-consumer-a"} 2
auth_operator_serviceaccount_skipped_preexisting_total{binddefinition="bd-edge-shared-sa-consumer-b"} 2
auth_operator_status_resources_skipped_total{resource_type="BindDefinition"} 33

⚠️ Controller Logs

Errors/Warnings Found in Logs (click to expand)

Error Summary from Controller Logs

Warning/Error Events (ALL)

default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                     BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    5m3s         1       bd-cluster-only.189b41d5568544da
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                     BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    5m3s         1       bd-cluster-only.189b41d55773525f
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                     BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    2m9s         1       bd-cluster-only.189b41fdf1733400
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                     BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    2m9s         1       bd-cluster-only.189b41fdf258a771
default                8s          Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                     BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    8s           1       bd-cluster-only.189b421a2ecc24d0
default                8s          Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                     BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    8s           1       bd-cluster-only.189b421a2f83745d
default                4m55s       Warning   Deletion                    binddefinition/bd-complex-selectors                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/complex-selector-test-view-binding in namespace tenant-alpha-prod                                                                                                                                                                                                       4m55s        2       bd-complex-selectors.189b41d743d4976f
default                2m1s        Warning   Deletion                    binddefinition/bd-complex-selectors                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/complex-selector-test-view-binding in namespace tenant-beta                                                                                                                                                                                                             2m1s         2       bd-complex-selectors.189b41ffdaf4e52f
default                4m55s       Warning   Deletion                    binddefinition/bd-default-ns-test                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/default-ns-test-view-binding in namespace default                                                                                                                                                                                                                       4m55s        2       bd-default-ns-test.189b41d7455a9406
default                2m1s        Warning   Deletion                    binddefinition/bd-default-ns-test                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/default-ns-test-view-binding in namespace default                                                                                                                                                                                                                       2m1s         2       bd-default-ns-test.189b41ffdd7f65e8
default                4m55s       Warning   Deletion                    binddefinition/bd-disjoint-selectors                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/disjoint-selector-test-view-binding in namespace flux-system                                                                                                                                                                                                            4m55s        2       bd-disjoint-selectors.189b41d7458b045a
default                2m1s        Warning   Deletion                    binddefinition/bd-disjoint-selectors                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/disjoint-selector-test-view-binding in namespace compliance-pci                                                                                                                                                                                                         2m1s         2       bd-disjoint-selectors.189b41ffdc1abada
default                4m55s       Warning   Deletion                    binddefinition/bd-edge-generated-sa                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/edge-generated-sa-edit-binding in namespace tenant-beta                                                                                                                                                                                                                 4m55s        1       bd-edge-generated-sa.189b41d747cbf45c
default                2m1s        Warning   Deletion                    binddefinition/bd-edge-generated-sa                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/edge-generated-sa-edit-binding in namespace tenant-beta                                                                                                                                                                                                                 2m1s         1       bd-edge-generated-sa.189b41ffe000e71c
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                         BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                   5m3s         1       bd-edge-missing-clusterrole.189b41d5636709c2
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                         BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                   5m3s         1       bd-edge-missing-clusterrole.189b41d567c8e3a4
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                         BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                   2m9s         1       bd-edge-missing-clusterrole.189b41fdfc9f8680
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                         BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                   2m9s         1       bd-edge-missing-clusterrole.189b41fe01844f9f
default                8s          Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                         BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                   8s           1       bd-edge-missing-clusterrole.189b421a3880f105
default                7s          Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                         BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                   7s           1       bd-edge-missing-clusterrole.189b421a3a8cffaa
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                     5m3s         2       bd-edge-missing-role.189b41d567abfa4c
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                     5m3s         1       bd-edge-missing-role.189b41d569dd9dfc
default                4m55s       Warning   Deletion                    binddefinition/bd-edge-missing-role                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/edge-missing-role-nonexistent-role-binding in namespace tenant-alpha                                                                                                                                                                                                    4m55s        1       bd-edge-missing-role.189b41d748e895f3
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                     2m9s         1       bd-edge-missing-role.189b41fe035e2b83
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                     2m9s         1       bd-edge-missing-role.189b41fe067f6d29
default                2m1s        Warning   Deletion                    binddefinition/bd-edge-missing-role                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/edge-missing-role-nonexistent-role-binding in namespace tenant-alpha                                                                                                                                                                                                    2m1s         1       bd-edge-missing-role.189b41ffdea62b6e
default                7s          Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                     7s           1       bd-edge-missing-role.189b421a3e9e9b0b
default                7s          Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                                BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                     7s           1       bd-edge-missing-role.189b421a3fb86bcd
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                          5m3s         1       bd-edge-mixed-refs.189b41d5696393e8
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                          5m3s         2       bd-edge-mixed-refs.189b41d56e28046b
default                4m55s       Warning   Deletion                    binddefinition/bd-edge-mixed-refs                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/edge-mixed-refs-edit-binding in namespace tenant-alpha                                                                                                                                                                                                                  4m55s        2       bd-edge-mixed-refs.189b41d74d8c1c90
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                          2m9s         2       bd-edge-mixed-refs.189b41fe050f31e0
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                          2m9s         1       bd-edge-mixed-refs.189b41fe0dc1e2b9
default                2m1s        Warning   Deletion                    binddefinition/bd-edge-mixed-refs                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/edge-mixed-refs-edit-binding in namespace tenant-alpha                                                                                                                                                                                                                  2m1s         2       bd-edge-mixed-refs.189b41ffe13389bb
default                7s          Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                          7s           2       bd-edge-mixed-refs.189b421a3f4b4cb2
default                7s          Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                  BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                          7s           1       bd-edge-mixed-refs.189b421a443c6380
default                4m55s       Warning   Deletion                    binddefinition/bd-edge-shared-generated-sa-b                                                       BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/edge-shared-gen-b-edit-binding in namespace tenant-alpha                                                                                                                                                                                                                4m55s        1       bd-edge-shared-generated-sa-b.189b41d74da152ac
default                2m1s        Warning   Deletion                    binddefinition/bd-edge-shared-generated-sa-b                                                       BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/edge-shared-gen-b-edit-binding in namespace tenant-alpha                                                                                                                                                                                                                2m1s         1       bd-edge-shared-generated-sa-b.189b41ffe6569288
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    5m3s         2       bd-edge-shared-sa-consumer-b.189b41d56ecc887b
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    5m3s         1       bd-edge-shared-sa-consumer-b.189b41d574ba2351
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    2m9s         1       bd-edge-shared-sa-consumer-b.189b41fe09e18294
default                2m8s        Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    2m8s         1       bd-edge-shared-sa-consumer-b.189b41fe0df8f00d
default                7s          Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    7s           1       bd-edge-shared-sa-consumer-b.189b421a448cf719
default                7s          Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                                    7s           1       bd-edge-shared-sa-consumer-b.189b421a47a2f0b1
default                4m55s       Warning   Deletion                    binddefinition/bd-gitops-controllers                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/gitops-controllers-admin-binding in namespace argocd                                                                                                                                                                                                                    4m55s        2       bd-gitops-controllers.189b41d760512cd4
default                2m          Warning   Deletion                    binddefinition/bd-gitops-controllers                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/gitops-controllers-admin-binding in namespace argocd                                                                                                                                                                                                                    2m           2       bd-gitops-controllers.189b41fffce25ee4
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-mixed-binding-types                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/t-caas-security-auditor Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-beta/t-caas-namespace-viewer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                         5m3s         1       bd-mixed-binding-types.189b41d5731173c8
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-mixed-binding-types                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [ClusterRole/t-caas-security-auditor Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-beta/t-caas-namespace-viewer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                         5m3s         1       bd-mixed-binding-types.189b41d57e99c578
default                4m55s       Warning   Deletion                    binddefinition/bd-mixed-binding-types                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/mixed-binding-test-view-binding in namespace default                                                                                                                                                                                                                    4m55s        2       bd-mixed-binding-types.189b41d751fef952
default                2m8s        Warning   RoleRefNotFound             binddefinition/bd-mixed-binding-types                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/t-caas-security-auditor Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-beta/t-caas-namespace-viewer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                         2m8s         1       bd-mixed-binding-types.189b41fe0f5caa1f
default                2m8s        Warning   RoleRefNotFound             binddefinition/bd-mixed-binding-types                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [ClusterRole/t-caas-security-auditor Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-beta/t-caas-namespace-viewer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                         2m8s         2       bd-mixed-binding-types.189b41fe16972db1
default                2m          Warning   Deletion                    binddefinition/bd-mixed-binding-types                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/mixed-binding-test-view-binding in namespace default                                                                                                                                                                                                                    2m1s         2       bd-mixed-binding-types.189b41ffe985e30f
default                7s          Warning   RoleRefNotFound             binddefinition/bd-mixed-binding-types                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/t-caas-security-auditor Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-beta/t-caas-namespace-viewer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                         7s           1       bd-mixed-binding-types.189b421a466b099d
default                7s          Warning   RoleRefNotFound             binddefinition/bd-mixed-binding-types                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [ClusterRole/t-caas-security-auditor Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-beta/t-caas-namespace-viewer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                         7s           2       bd-mixed-binding-types.189b421a4da4397f
default                4m55s       Warning   Deletion                    binddefinition/bd-monitoring-stack                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/monitoring-stack-view-binding in namespace t-caas-monitoring                                                                                                                                                                                                            4m55s        2       bd-monitoring-stack.189b41d76098e22a
default                2m          Warning   Deletion                    binddefinition/bd-monitoring-stack                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/monitoring-stack-view-binding in namespace t-caas-monitoring                                                                                                                                                                                                            2m           2       bd-monitoring-stack.189b41fffc3de840
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-namespace-only                                                                   BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [Role/tenant-alpha/t-caas-namespace-developer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                           5m3s         1       bd-namespace-only.189b41d5720ff38c
default                5m3s        Warning   RoleRefNotFound             binddefinition/bd-namespace-only                                                                   BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Referenced roles not found: [Role/tenant-alpha/t-caas-namespace-developer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                           5m3s         1       bd-namespace-only.189b41d575e48d1f
default                4m55s       Warning   Deletion                    binddefinition/bd-namespace-only                                                                   BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/namespace-only-access-t-caas-namespace-developer-binding in namespace tenant-alpha                                                                                                                                                                                      4m55s        2       bd-namespace-only.189b41d754a933cc
default                2m8s        Warning   RoleRefNotFound             binddefinition/bd-namespace-only                                                                   BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [Role/tenant-alpha/t-caas-namespace-developer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                           2m8s         2       bd-namespace-only.189b41fe0f30a83d
default                2m8s        Warning   RoleRefNotFound             binddefinition/bd-namespace-only                                                                   BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Referenced roles not found: [Role/tenant-alpha/t-caas-namespace-developer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                           2m8s         1       bd-namespace-only.189b41fe12fb1323
default                2m          Warning   Deletion                    binddefinition/bd-namespace-only                                                                   BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/namespace-only-access-t-caas-namespace-developer-binding in namespace tenant-alpha                                                                                                                                                                                      2m           2       bd-namespace-only.189b41ffeb60f429
default                7s          Warning   RoleRefNotFound             binddefinition/bd-namespace-only                                                                   BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [Role/tenant-alpha/t-caas-namespace-developer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                           7s           1       bd-namespace-only.189b421a48e78a49
default                7s          Warning   RoleRefNotFound             binddefinition/bd-namespace-only                                                                   BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-xtcrj          Referenced roles not found: [Role/tenant-alpha/t-caas-namespace-developer]. Bindings will be created but ineffective until roles exist. Will requeue with backoff.                                                                                                                                           7s           1       bd-namespace-only.189b421a4e150f3d
default                4m55s       Warning   Deletion                    binddefinition/bd-overlapping-selectors                                                            BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-xk6z8         Deleting target resource RoleBinding/overlapping-selector-test-view-binding in namespace tenant-alpha                                                                                                                                                                                                        4m55s        2       bd-overlapping-selectors.189b41d7546d8ace
default                2m          Warning   Deletion                    binddefinition/bd-overlapping-selectors                                                            BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-6wcnc         Deleting target resource RoleBinding/overlapping-selector-test-view-bindi
... (truncated, 131118 chars total — see uploaded artifacts for full diff)

Copilot

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

internal/controller/authorization/roledefinition_helpers.go

github-actions · 2026-03-06T19:13:51Z

📊 Output Delta Report (cont.)

📦 BindDefinitions Status

Changes from main

--- /tmp/main-output/binddefinitions-status.yaml	2026-03-09 19:07:48.035401215 +0000
+++ /tmp/pr-output/binddefinitions-status.yaml	2026-03-09 19:12:43.598580257 +0000
@@ -1389,17 +1389,13 @@
           reason: Reconciled
           status: "True"
           type: Ready
-        - message: 'Missing role references: [ClusterRole/t-caas-platform-admin-reader ClusterRole/t-caas-security-auditor Role/tenant-beta/t-caas-namespace-viewer]'
+        - message: All referenced roles exist
           observedGeneration: 1
-          reason: RoleRefNotFound
-          status: "False"
+          reason: RoleRefValidation
+          status: "True"
           type: RoleRefsValid
       generatedServiceAccounts:
         - kind: ServiceAccount
           name: beta-automation
           namespace: tenant-beta
-      missingRoleRefs:
-        - ClusterRole/t-caas-platform-admin-reader
-        - ClusterRole/t-caas-security-auditor
-        - Role/tenant-beta/t-caas-namespace-viewer
 kind: List

Copilot

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated no new comments.

Address security and documentation items from issues #143 and #158. Closes #143. Closes #158. - SEC-011: Sanitize error messages in CRD status conditions to avoid leaking internal details. Log full errors for operator admins. - SEC-012: Document bypass account hardcoding rationale (already comprehensively documented in upstream, verified complete). - SEC-013: Add CVE-2023-44487 and CVE-2023-39325 rationale comment to the --enable-http2 flag explaining why HTTP/2 is disabled. - Update AutomountServiceAccountToken field description with security implications and least-privilege guidance. - Regenerate CRDs, docs, and Helm chart after types change.

Call sites already log the error at Error level before calling markStalled. Log at V(1) debug level instead to maintain observability without noise.

Copilot

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

internal/controller/authorization/roledefinition_helpers.go

- Replace raw err.Error() with sanitized message in BindDefinition and WebhookAuthorizer markStalled to prevent internal error leakage - Simplify RoleDefinition markStalled message to avoid redundant prefix - Add debug-level error logging in all markStalled functions - Update tests to match new sanitized messages

Copilot

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated no new comments.

Copilot

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings March 5, 2026 16:39

MaxRink requested a review from a team as a code owner March 5, 2026 16:39

Copilot AI reviewed Mar 5, 2026

View reviewed changes

MaxRink requested a review from Copilot March 5, 2026 17:32

Copilot AI reviewed Mar 5, 2026

View reviewed changes

MaxRink requested a review from Copilot March 5, 2026 18:52

Copilot AI reviewed Mar 5, 2026

View reviewed changes

MaxRink requested a review from Copilot March 6, 2026 08:34

Copilot started reviewing on behalf of MaxRink March 6, 2026 08:34 View session

Copilot AI reviewed Mar 6, 2026

View reviewed changes

internal/controller/authorization/roledefinition_helpers.go Show resolved Hide resolved

cmd/webhook.go Outdated Show resolved Hide resolved

internal/controller/authorization/roledefinition_helpers.go Outdated Show resolved Hide resolved

MaxRink force-pushed the fix/security-hardening-docs branch from 437c534 to 1578abb Compare March 6, 2026 09:26

github-actions bot added documentation Improvements or additions to documentation api controller helm tests config size/S labels Mar 6, 2026

MaxRink requested a review from Copilot March 6, 2026 14:05

Copilot started reviewing on behalf of MaxRink March 6, 2026 14:05 View session

Copilot AI reviewed Mar 6, 2026

View reviewed changes

internal/controller/authorization/roledefinition_helpers.go Outdated Show resolved Hide resolved

Copilot AI review requested due to automatic review settings March 8, 2026 13:33

github-actions bot added the dependencies label Mar 8, 2026

Copilot started reviewing on behalf of MaxRink March 8, 2026 13:34 View session

Copilot AI reviewed Mar 8, 2026

View reviewed changes

MaxRink force-pushed the fix/security-hardening-docs branch from 88148ba to 718e201 Compare March 9, 2026 15:48

MaxRink added 2 commits March 9, 2026 18:28

fix: downgrade markStalled log to debug level to avoid double-logging

20ff088

Call sites already log the error at Error level before calling markStalled. Log at V(1) debug level instead to maintain observability without noise.

Copilot AI review requested due to automatic review settings March 9, 2026 17:28

MaxRink force-pushed the fix/security-hardening-docs branch from 718e201 to 20ff088 Compare March 9, 2026 17:28

Copilot started reviewing on behalf of MaxRink March 9, 2026 17:28 View session

Copilot AI reviewed Mar 9, 2026

View reviewed changes

internal/controller/authorization/roledefinition_helpers.go Outdated Show resolved Hide resolved

internal/controller/authorization/roledefinition_helpers.go Outdated Show resolved Hide resolved

MaxRink requested a review from Copilot March 9, 2026 19:26

Copilot started reviewing on behalf of MaxRink March 9, 2026 19:27 View session

Copilot AI reviewed Mar 9, 2026

View reviewed changes

MaxRink requested a review from Copilot March 9, 2026 21:40

Copilot started reviewing on behalf of MaxRink March 9, 2026 21:40 View session

Copilot AI reviewed Mar 9, 2026

View reviewed changes

MaxRink merged commit 4cfabd1 into main Mar 9, 2026
50 checks passed

Conversation

MaxRink commented Mar 5, 2026

Summary

Changes

SEC-011: Error Message Sanitization

SEC-013: HTTP/2 CVE Documentation

Issue #143: AutomountServiceAccountToken Security Docs

SEC-012: Bypass Account Documentation

Testing

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Mar 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

📊 Output Delta Report

Prometheus Metrics (PR branch)

⚠️ Controller Logs

Error Summary from Controller Logs

Warning/Error Events (ALL)

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

github-actions bot commented Mar 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

📊 Output Delta Report (cont.)

📦 BindDefinitions Status

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

github-actions bot commented Mar 6, 2026 •

edited

Loading

github-actions bot commented Mar 6, 2026 •

edited

Loading