Add disableWorkloadRBAC flag to skip per-workload RBAC creation

Some K8s platform teams reject the operator because its ClusterRole
includes roles/rolebindings permissions for dynamic RBAC creation.
This adds an opt-in DISABLE_WORKLOAD_RBAC env var (exposed via
operator.rbac.disableWorkloadRBAC Helm value) so the operator skips
per-workload ServiceAccount, Role, and RoleBinding creation.

When enabled:
- All controller ensureRBACResources() methods return nil immediately
- ClusterRole omits roles/rolebindings rules and SA write verbs
- Registry API ClusterRole/ClusterRoleBinding are not rendered
- Users must pre-create RBAC resources externally

Default behavior (false) is unchanged.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

cmd/thv-operator/controllers/mcpregistry_controller.go

@@ -47,8 +47,8 @@ type MCPRegistryReconciler struct {
 }
 
 // NewMCPRegistryReconciler creates a new MCPRegistryReconciler with required dependencies
-func NewMCPRegistryReconciler(k8sClient client.Client, scheme *runtime.Scheme) *MCPRegistryReconciler {
-	registryAPIManager := registryapi.NewManager(k8sClient, scheme)
+func NewMCPRegistryReconciler(k8sClient client.Client, scheme *runtime.Scheme, disableWorkloadRBAC bool) *MCPRegistryReconciler {
+	registryAPIManager := registryapi.NewManager(k8sClient, scheme, disableWorkloadRBAC)
 	return &MCPRegistryReconciler{
 		Client:             k8sClient,
 		Scheme:             scheme,

cmd/thv-operator/controllers/mcpremoteproxy_controller.go

@@ -37,9 +37,10 @@ import (
 // MCPRemoteProxyReconciler reconciles a MCPRemoteProxy object
 type MCPRemoteProxyReconciler struct {
 	client.Client
-	Scheme           *runtime.Scheme
-	Recorder         record.EventRecorder
-	PlatformDetector *ctrlutil.SharedPlatformDetector
+	Scheme              *runtime.Scheme
+	Recorder            record.EventRecorder
+	PlatformDetector    *ctrlutil.SharedPlatformDetector
+	DisableWorkloadRBAC bool
 }
 
 // +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=mcpremoteproxies,verbs=get;list;watch;create;update;patch;delete
@@ -584,6 +585,10 @@ func (r *MCPRemoteProxyReconciler) validateGroupRef(ctx context.Context, proxy *
 // Uses the RBAC client (pkg/kubernetes/rbac) which creates or updates RBAC resources
 // automatically during operator upgrades.
 func (r *MCPRemoteProxyReconciler) ensureRBACResources(ctx context.Context, proxy *mcpv1alpha1.MCPRemoteProxy) error {
+	if r.DisableWorkloadRBAC {
+		return nil
+	}
+
 	// If a service account is specified, we don't need to create one
 	if proxy.Spec.ServiceAccount != nil {
 		return nil

cmd/thv-operator/controllers/mcpremoteproxy_controller_test.go

@@ -1099,6 +1099,50 @@ func TestMCPRemoteProxyEnsureRBACResources_CustomServiceAccount(t *testing.T) {
 	assert.Error(t, err, "RoleBinding should not be created when custom ServiceAccount is provided")
 }
 
+// TestEnsureRBACResources_DisableWorkloadRBAC_MCPRemoteProxy tests that RBAC creation is skipped
+// when DisableWorkloadRBAC is true.
+func TestEnsureRBACResources_DisableWorkloadRBAC_MCPRemoteProxy(t *testing.T) {
+	t.Parallel()
+
+	proxy := &mcpv1alpha1.MCPRemoteProxy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-proxy-disable-rbac",
+			Namespace: "default",
+		},
+		Spec: mcpv1alpha1.MCPRemoteProxySpec{
+			RemoteURL: "https://mcp.example.com",
+			Port:      8080,
+		},
+	}
+
+	testScheme := createRunConfigTestScheme()
+	_ = rbacv1.AddToScheme(testScheme)
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(testScheme).
+		WithRuntimeObjects(proxy).
+		Build()
+
+	reconciler := &MCPRemoteProxyReconciler{
+		Client:              fakeClient,
+		Scheme:              testScheme,
+		DisableWorkloadRBAC: true,
+	}
+
+	err := reconciler.ensureRBACResources(t.Context(), proxy)
+	require.NoError(t, err)
+
+	// Verify NO RBAC resources were created
+	generatedSAName := proxyRunnerServiceAccountNameForRemoteProxy(proxy.Name)
+
+	sa := &corev1.ServiceAccount{}
+	err = fakeClient.Get(t.Context(), types.NamespacedName{
+		Name:      generatedSAName,
+		Namespace: proxy.Namespace,
+	}, sa)
+	assert.Error(t, err, "ServiceAccount should not be created when workload RBAC is disabled")
+}
+
 // TestUpdateMCPRemoteProxyStatus tests status update logic
 func TestUpdateMCPRemoteProxyStatus(t *testing.T) {
 	t.Parallel()

cmd/thv-operator/controllers/mcpserver_controller.go

@@ -46,10 +46,11 @@ import (
 // MCPServerReconciler reconciles a MCPServer object
 type MCPServerReconciler struct {
 	client.Client
-	Scheme           *runtime.Scheme
-	Recorder         record.EventRecorder
-	PlatformDetector *ctrlutil.SharedPlatformDetector
-	ImageValidation  validation.ImageValidation
+	Scheme              *runtime.Scheme
+	Recorder            record.EventRecorder
+	PlatformDetector    *ctrlutil.SharedPlatformDetector
+	ImageValidation     validation.ImageValidation
+	DisableWorkloadRBAC bool
 }
 
 // defaultRBACRules are the default RBAC rules that the
@@ -884,7 +885,12 @@ func (r *MCPServerReconciler) handleToolConfig(ctx context.Context, m *mcpv1alph
 
 	return nil
 }
+
 func (r *MCPServerReconciler) ensureRBACResources(ctx context.Context, mcpServer *mcpv1alpha1.MCPServer) error {
+	if r.DisableWorkloadRBAC {
+		return nil
+	}
+
 	rbacClient := rbac.NewClient(r.Client, r.Scheme)
 	proxyRunnerNameForRBAC := ctrlutil.ProxyRunnerServiceAccountName(mcpServer.Name)
 

cmd/thv-operator/controllers/mcpserver_rbac_test.go

@@ -424,6 +424,23 @@ func TestEnsureRBACResources_ImagePullSecrets(t *testing.T) {
 	assert.Equal(t, expectedSecrets, mcpServerSA.ImagePullSecrets)
 }
 
+func TestEnsureRBACResources_DisableWorkloadRBAC(t *testing.T) {
+	t.Parallel()
+	tc := setupTest("test-server-disable-rbac", "default")
+	tc.reconciler.DisableWorkloadRBAC = true
+
+	err := tc.ensureRBACResources()
+	require.NoError(t, err)
+
+	// Verify NO RBAC resources were created
+	sa := &corev1.ServiceAccount{}
+	err = tc.client.Get(t.Context(), types.NamespacedName{
+		Name:      tc.proxyRunnerNameForRBAC,
+		Namespace: tc.mcpServer.Namespace,
+	}, sa)
+	assert.Error(t, err, "ServiceAccount should not be created when workload RBAC is disabled")
+}
+
 func createTestMCPServer(name, namespace string) *mcpv1alpha1.MCPServer {
 	return &mcpv1alpha1.MCPServer{
 		ObjectMeta: metav1.ObjectMeta{

cmd/thv-operator/controllers/virtualmcpserver_controller.go

@@ -83,9 +83,10 @@ type AuthConfigError struct {
 // may not have owner references (StatefulSet, headless Service, RunConfig ConfigMap).
 type VirtualMCPServerReconciler struct {
 	client.Client
-	Scheme           *runtime.Scheme
-	Recorder         record.EventRecorder
-	PlatformDetector *ctrlutil.SharedPlatformDetector
+	Scheme              *runtime.Scheme
+	Recorder            record.EventRecorder
+	PlatformDetector    *ctrlutil.SharedPlatformDetector
+	DisableWorkloadRBAC bool
 }
 
 // +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=virtualmcpservers,verbs=get;list;watch;create;update;patch;delete
@@ -630,6 +631,10 @@ func (r *VirtualMCPServerReconciler) ensureRBACResources(
 	ctx context.Context,
 	vmcp *mcpv1alpha1.VirtualMCPServer,
 ) error {
+	if r.DisableWorkloadRBAC {
+		return nil
+	}
+
 	// If a service account is specified, we don't need to create one
 	if vmcp.Spec.ServiceAccount != nil {
 		return nil

cmd/thv-operator/controllers/virtualmcpserver_controller_test.go

@@ -630,6 +630,52 @@ func TestVirtualMCPServerEnsureRBACResources_CustomServiceAccount(t *testing.T)
 	assert.Error(t, err, "RoleBinding should not be created when custom ServiceAccount is provided")
 }
 
+// TestVirtualMCPServerEnsureRBACResources_DisableWorkloadRBAC tests that RBAC creation is skipped
+// when DisableWorkloadRBAC is true.
+func TestVirtualMCPServerEnsureRBACResources_DisableWorkloadRBAC(t *testing.T) {
+	t.Parallel()
+
+	vmcp := &mcpv1alpha1.VirtualMCPServer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-vmcp-disable-rbac",
+			Namespace: "default",
+			UID:       "test-uid",
+		},
+		Spec: mcpv1alpha1.VirtualMCPServerSpec{
+			Config: vmcpconfig.Config{Group: testGroupName},
+		},
+	}
+
+	scheme := runtime.NewScheme()
+	_ = mcpv1alpha1.AddToScheme(scheme)
+	_ = corev1.AddToScheme(scheme)
+	_ = rbacv1.AddToScheme(scheme)
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithObjects(vmcp).
+		Build()
+
+	r := &VirtualMCPServerReconciler{
+		Client:              fakeClient,
+		Scheme:              scheme,
+		DisableWorkloadRBAC: true,
+	}
+
+	err := r.ensureRBACResources(t.Context(), vmcp)
+	require.NoError(t, err)
+
+	// Verify NO RBAC resources were created
+	generatedSAName := vmcpServiceAccountName(vmcp.Name)
+
+	sa := &corev1.ServiceAccount{}
+	err = fakeClient.Get(t.Context(), types.NamespacedName{
+		Name:      generatedSAName,
+		Namespace: vmcp.Namespace,
+	}, sa)
+	assert.Error(t, err, "ServiceAccount should not be created when workload RBAC is disabled")
+}
+
 // TestVirtualMCPServerEnsureDeployment tests Deployment creation
 func TestVirtualMCPServerEnsureDeployment(t *testing.T) {
 	t.Parallel()

cmd/thv-operator/main.go

@@ -46,6 +46,10 @@ const (
 	featureServer   = "ENABLE_SERVER"
 	featureRegistry = "ENABLE_REGISTRY"
 	featureVMCP     = "ENABLE_VMCP"
+	// disableWorkloadRBAC disables per-workload RBAC management (ServiceAccount, Role, RoleBinding).
+	// When enabled, the operator will not create RBAC resources for workloads,
+	// allowing them to be managed externally (e.g., via per-workload Helm charts).
+	disableWorkloadRBAC = "DISABLE_WORKLOAD_RBAC"
 )
 
 // controllerDependencies maps each controller group to its required dependencies
@@ -131,6 +135,11 @@ func setupControllersAndWebhooks(mgr ctrl.Manager) error {
 	enableServer := isFeatureEnabled(featureServer, true)
 	enableRegistry := isFeatureEnabled(featureRegistry, true)
 	enableVMCP := isFeatureEnabled(featureVMCP, true)
+	workloadRBACDisabled := isFeatureEnabled(disableWorkloadRBAC, false)
+
+	if workloadRBACDisabled {
+		setupLog.Info("DISABLE_WORKLOAD_RBAC is enabled, operator will not create per-workload RBAC resources")
+	}
 
 	// Track enabled features for dependency checking
 	enabledFeatures := map[string]bool{
@@ -159,7 +168,7 @@ func setupControllersAndWebhooks(mgr ctrl.Manager) error {
 
 	// Set up server-related controllers
 	if enabledFeatures[featureServer] {
-		if err := setupServerControllers(mgr, enableRegistry); err != nil {
+		if err := setupServerControllers(mgr, enableRegistry, workloadRBACDisabled); err != nil {
 			return err
 		}
 	} else {
@@ -168,7 +177,7 @@ func setupControllersAndWebhooks(mgr ctrl.Manager) error {
 
 	// Set up registry controller
 	if enabledFeatures[featureRegistry] {
-		if err := setupRegistryController(mgr); err != nil {
+		if err := setupRegistryController(mgr, workloadRBACDisabled); err != nil {
 			return err
 		}
 	} else {
@@ -177,7 +186,7 @@ func setupControllersAndWebhooks(mgr ctrl.Manager) error {
 
 	// Set up Virtual MCP controllers and webhooks
 	if enabledFeatures[featureVMCP] {
-		if err := setupAggregationControllers(mgr); err != nil {
+		if err := setupAggregationControllers(mgr, workloadRBACDisabled); err != nil {
 			return err
 		}
 	} else {
@@ -189,7 +198,7 @@ func setupControllersAndWebhooks(mgr ctrl.Manager) error {
 }
 
 // setupServerControllers sets up server-related controllers (MCPServer, MCPExternalAuthConfig, MCPRemoteProxy, ToolConfig)
-func setupServerControllers(mgr ctrl.Manager, enableRegistry bool) error {
+func setupServerControllers(mgr ctrl.Manager, enableRegistry, disableWorkloadRBAC bool) error {
 	// Set up field indexing for MCPServer.Spec.GroupRef
 	if err := mgr.GetFieldIndexer().IndexField(
 		context.Background(),
@@ -232,11 +241,12 @@ func setupServerControllers(mgr ctrl.Manager, enableRegistry bool) error {
 
 	// Set up MCPServer controller
 	rec := &controllers.MCPServerReconciler{
-		Client:           mgr.GetClient(),
-		Scheme:           mgr.GetScheme(),
-		Recorder:         mgr.GetEventRecorderFor("mcpserver-controller"),
-		PlatformDetector: ctrlutil.NewSharedPlatformDetector(),
-		ImageValidation:  imageValidation,
+		Client:              mgr.GetClient(),
+		Scheme:              mgr.GetScheme(),
+		Recorder:            mgr.GetEventRecorderFor("mcpserver-controller"),
+		PlatformDetector:    ctrlutil.NewSharedPlatformDetector(),
+		ImageValidation:     imageValidation,
+		DisableWorkloadRBAC: disableWorkloadRBAC,
 	}
 	if err := rec.SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller MCPServer: %w", err)
@@ -260,10 +270,11 @@ func setupServerControllers(mgr ctrl.Manager, enableRegistry bool) error {
 
 	// Set up MCPRemoteProxy controller
 	if err := (&controllers.MCPRemoteProxyReconciler{
-		Client:           mgr.GetClient(),
-		Scheme:           mgr.GetScheme(),
-		Recorder:         mgr.GetEventRecorderFor("mcpremoteproxy-controller"),
-		PlatformDetector: ctrlutil.NewSharedPlatformDetector(),
+		Client:              mgr.GetClient(),
+		Scheme:              mgr.GetScheme(),
+		Recorder:            mgr.GetEventRecorderFor("mcpremoteproxy-controller"),
+		PlatformDetector:    ctrlutil.NewSharedPlatformDetector(),
+		DisableWorkloadRBAC: disableWorkloadRBAC,
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller MCPRemoteProxy: %w", err)
 	}
@@ -283,8 +294,11 @@ func setupServerControllers(mgr ctrl.Manager, enableRegistry bool) error {
 }
 
 // setupRegistryController sets up the MCPRegistry controller
-func setupRegistryController(mgr ctrl.Manager) error {
-	if err := (controllers.NewMCPRegistryReconciler(mgr.GetClient(), mgr.GetScheme())).SetupWithManager(mgr); err != nil {
+func setupRegistryController(mgr ctrl.Manager, disableWorkloadRBAC bool) error {
+	reconciler := controllers.NewMCPRegistryReconciler(
+		mgr.GetClient(), mgr.GetScheme(), disableWorkloadRBAC,
+	)
+	if err := reconciler.SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller MCPRegistry: %w", err)
 	}
 	return nil
@@ -294,7 +308,7 @@ func setupRegistryController(mgr ctrl.Manager) error {
 // (MCPGroup, VirtualMCPServer, and their webhooks)
 // Note: This function assumes server controllers are enabled (enforced by dependency check)
 // The field index for MCPServer.Spec.GroupRef is created in setupServerControllers
-func setupAggregationControllers(mgr ctrl.Manager) error {
+func setupAggregationControllers(mgr ctrl.Manager, disableWorkloadRBAC bool) error {
 	// Set up MCPGroup controller
 	if err := (&controllers.MCPGroupReconciler{
 		Client: mgr.GetClient(),
@@ -304,10 +318,11 @@ func setupAggregationControllers(mgr ctrl.Manager) error {
 
 	// Set up VirtualMCPServer controller
 	if err := (&controllers.VirtualMCPServerReconciler{
-		Client:           mgr.GetClient(),
-		Scheme:           mgr.GetScheme(),
-		Recorder:         mgr.GetEventRecorderFor("virtualmcpserver-controller"),
-		PlatformDetector: ctrlutil.NewSharedPlatformDetector(),
+		Client:              mgr.GetClient(),
+		Scheme:              mgr.GetScheme(),
+		Recorder:            mgr.GetEventRecorderFor("virtualmcpserver-controller"),
+		PlatformDetector:    ctrlutil.NewSharedPlatformDetector(),
+		DisableWorkloadRBAC: disableWorkloadRBAC,
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller VirtualMCPServer: %w", err)
 	}

cmd/thv-operator/pkg/registryapi/manager.go

@@ -21,20 +21,23 @@ import (
 
 // manager implements the Manager interface
 type manager struct {
-	client     client.Client
-	scheme     *runtime.Scheme
-	kubeHelper *kubernetes.Client
+	client              client.Client
+	scheme              *runtime.Scheme
+	kubeHelper          *kubernetes.Client
+	disableWorkloadRBAC bool
 }
 
 // NewManager creates a new registry API manager
 func NewManager(
 	k8sClient client.Client,
 	scheme *runtime.Scheme,
+	disableWorkloadRBAC bool,
 ) Manager {
 	return &manager{
-		client:     k8sClient,
-		scheme:     scheme,
-		kubeHelper: kubernetes.NewClient(k8sClient, scheme),
+		client:              k8sClient,
+		scheme:              scheme,
+		kubeHelper:          kubernetes.NewClient(k8sClient, scheme),
+		disableWorkloadRBAC: disableWorkloadRBAC,
 	}
 }