docs (k8s): Manage Groups and ACLs with the Redpanda Operator

[david-yu]

Summary

• Adds new documentation page for the Group CRD introduced in redpanda-data/redpanda-operator#1281
• Covers managing ACLs for OIDC groups using the Group custom resource, including creating, updating, and deleting group ACLs
• Adds example manifests via a feature file for include:: directives
• Updates the sidebar navigation to include the new page under Manage > Security > Authentication and Authorization

Context

PR redpanda-data/redpanda-operator#1281 adds a new Group CRD that allows managing Kafka ACLs for OIDC group principals. This doc page follows the same structure as the existing Manage Roles and ACLs page and covers:

• What groups are and why use them (OIDC-based access control)
• Prerequisites (Operator v25.3+, Redpanda v26.1+, OIDC configured)
• Creating Group resources with and without ACLs
• Configuration guidance (group naming, cluster reference, authorization rules)
• Deploying, verifying, updating, and deleting groups
• Best practices for group design, permission management, and integration with User/Role resources

New files

File	Description
modules/manage/pages/kubernetes/security/authorization/k-group-controller.adoc	Main documentation page
modules/manage/examples/kubernetes/group-crds.feature	Example manifests for include:: directives

Modified files

File	Description
modules/ROOT/nav.adoc	Added sidebar entry under Authentication and Authorization

Test plan

• Verify page renders correctly in local Antora build
• Verify include:: directives resolve the tagged example correctly
• Verify sidebar navigation shows the new page in the correct location
• Cross-check ACL field names and values against the Group CRD spec

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for redpanda-docs-preview ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	35bde6b
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/69cbe9aa5dfd410008e61531
😎 Deploy Preview	https://deploy-preview-1639--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8836205a-cb73-47ec-93b9-f9f76ddcc958

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This pull request adds documentation and testing infrastructure for the Redpanda Operator's Group controller. Changes include a navigation entry pointing to a new documentation page, a new feature test file that validates Group CRD behavior with OIDC-backed group principals, and comprehensive documentation describing how to manage Kafka ACLs through Group custom resources. The documentation covers prerequisites, configuration options, deployment patterns, operational procedures, and best practices for the Group controller.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Possibly related PRs

• docs (k8s): Add CRD source file references to CRD index page #1634: Adds CRD source file references including the Group CRD, complementing the Group controller documentation introduced in this PR.

Suggested reviewers

• micheleRP
• chrisseto
• andrewstucki
• sago2k8

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description is comprehensive and follows most of the template structure, but is missing the required JIRA ticket link and page preview URLs, and does not explicitly check any of the provided checkboxes.	Add the JIRA ticket link (Resolves https://redpandadata.atlassian.net/browse/), Netlify preview URLs for the new documentation page, and check the appropriate checkbox (likely 'New feature' or 'Content gap') in the Checks section.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding documentation for managing Groups and ACLs with the Redpanda Operator on Kubernetes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

modules/ROOT/nav.adoc (1)

137-137: Consider using empty xref brackets for auto-title rendering.

The navigation entry uses hardcoded link text. Based on learnings, prefer xref:manage:kubernetes/security/authorization/k-group-controller.adoc[] with empty brackets so the target document's title renders automatically. This improves maintainability when page titles change.

Note: The sibling entries (lines 135-136) also use hardcoded text and could benefit from the same pattern.

Based on learnings: AsciiDoc linking: prefer using xref links with empty brackets (e.g., xref:section/target.adoc[]) because the title is pulled from the referenced document automatically.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/ROOT/nav.adoc` at line 137, Update the hardcoded xref link text to
use AsciiDoc's auto-title rendering by replacing the current
xref:manage:kubernetes/security/authorization/k-group-controller.adoc[Manage
Groups and ACLs (Operator)] with an empty-bracket form
xref:manage:kubernetes/security/authorization/k-group-controller.adoc[]; apply
the same change to the sibling entries on lines near the shown xref so the
referenced documents supply their titles automatically and reduce maintenance
when titles change.

modules/manage/pages/kubernetes/security/authorization/k-group-controller.adoc (1)

77-89: Clarify "cluster source" terminology.

Line 83 states "The cluster source is immutable" but this section discusses the spec.cluster field. Consider using "cluster reference" instead of "cluster source" for clarity, as this matches the field name clusterRef.

📝 Proposed fix

-- *Stable*: Avoid changing group names, as this involves deleting and recreating the Group resource. The cluster source is immutable.
+- *Stable*: Avoid changing group names, as this involves deleting and recreating the Group resource. The cluster reference is immutable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@modules/manage/pages/kubernetes/security/authorization/k-group-controller.adoc`
around lines 77 - 89, Replace the ambiguous phrase "cluster source" with
"cluster reference" to match the actual field name used in the Group spec
(spec.cluster / clusterRef); update the sentence that reads "The cluster source
is immutable" to instead reference the cluster reference (e.g., "The cluster
reference is immutable") so the wording aligns with the spec.cluster/clusterRef
terminology and avoids confusion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@modules/manage/examples/kubernetes/group-crds.feature`:
- Around line 39-40: The ACL count assertion is wrong: update the step text
'Then group "engineering" should have 2 ACLs for topic pattern "team-" in
cluster "sasl"' in group-crds.feature to match the manifest; replace it with
'Then group "engineering" should have 2 ACLs in cluster "sasl"' (to count both
topic and subject ACLs) so the step definition that filters by resource type no
longer miscounts.

In
`@modules/manage/pages/kubernetes/security/authorization/k-group-controller.adoc`:
- Around line 20-28: The xref on the prerequisites line uses the wrong path;
open the file k-group-controller.adoc and replace the invalid cross-reference
xref:deploy:deployment-option/self-hosted/kubernetes/k-production-deployment.adoc
with the correct xref target
xref:deploy:redpanda/kubernetes/k-production-deployment.adoc (update the string
in the bullet that references "Redpanda Operator"). Keep the xref syntax
unchanged except for the path segment so the link resolves to the existing
modules/deploy/pages/redpanda/kubernetes/k-production-deployment.adoc file.

---

Nitpick comments:
In
`@modules/manage/pages/kubernetes/security/authorization/k-group-controller.adoc`:
- Around line 77-89: Replace the ambiguous phrase "cluster source" with "cluster
reference" to match the actual field name used in the Group spec (spec.cluster /
clusterRef); update the sentence that reads "The cluster source is immutable" to
instead reference the cluster reference (e.g., "The cluster reference is
immutable") so the wording aligns with the spec.cluster/clusterRef terminology
and avoids confusion.

In `@modules/ROOT/nav.adoc`:
- Line 137: Update the hardcoded xref link text to use AsciiDoc's auto-title
rendering by replacing the current
xref:manage:kubernetes/security/authorization/k-group-controller.adoc[Manage
Groups and ACLs (Operator)] with an empty-bracket form
xref:manage:kubernetes/security/authorization/k-group-controller.adoc[]; apply
the same change to the sibling entries on lines near the shown xref so the
referenced documents supply their titles automatically and reduce maintenance
when titles change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1ab09d64-f814-492f-8c3f-f4abb63566aa

📥 Commits

Reviewing files that changed from the base of the PR and between ce22489 and 5987568.

📒 Files selected for processing (3)

• modules/ROOT/nav.adoc
• modules/manage/examples/kubernetes/group-crds.feature
• modules/manage/pages/kubernetes/security/authorization/k-group-controller.adoc

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix the ACL count assertion.

Line 40 asserts "should have 2 ACLs for topic pattern team-" but the manifest defines only 1 topic ACL (lines 25-30) and 1 subject ACL (lines 31-36). If the step definition filters by resource type, this assertion would be incorrect.

Consider one of these fixes:

• Remove "for topic pattern" to count all ACLs: Then group "engineering" should have 2 ACLs in cluster "sasl"
• Change the count to 1: Then group "engineering" should have 1 ACL for topic pattern "team-" in cluster "sasl"
• Add a second assertion for subject ACLs: And group "engineering" should have 1 ACL for subject pattern "team-" in cluster "sasl"

🧪 Proposed fix: Assert all ACLs

     And group "engineering" is successfully synced
-    Then group "engineering" should have 2 ACLs for topic pattern "team-" in cluster "sasl"
+    Then group "engineering" should have 2 ACLs in cluster "sasl"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	And group "engineering" is successfully synced
	Then group "engineering" should have 2 ACLs for topic pattern "team-" in cluster "sasl"
	And group "engineering" is successfully synced
	Then group "engineering" should have 2 ACLs in cluster "sasl"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/manage/examples/kubernetes/group-crds.feature` around lines 39 - 40,
The ACL count assertion is wrong: update the step text 'Then group "engineering"
should have 2 ACLs for topic pattern "team-" in cluster "sasl"' in
group-crds.feature to match the manifest; replace it with 'Then group
"engineering" should have 2 ACLs in cluster "sasl"' (to count both topic and
subject ACLs) so the step definition that filters by resource type no longer
miscounts.

[david-yu]

@JakeSCahill Not sure if we need an enterprise license flash if GBAC is gated by enterprise licenses.

[david-yu]

Based on #1584 (comment) we should probably show an enterprise license info banner to help folks understand this is gated by an enterprise license.