Conversation

@Omeramsc (Member):

introduces a ClusterPolicy to automatically generate the konflux-read-only-binding RoleBinding in all application namespaces, granting konflux-sre and ai-konflux-user-support view access via the konflux-viewer-user-actions ClusterRole.

  • The policy explicitly uses synchronize: true and background: true, overriding general Kyverno performance best practices. This is intentional to ensure non-negotiable support access:

  • background: true: Required for immediate retroactive application to all existing Konflux tenant namespaces.

  • synchronize: true: Required to make the RoleBinding self-healing. If an application user or process deletes the binding, Kyverno automatically reinstates it, guaranteeing persistent visibility for SRE/Support teams.

Assisted-by: Cursor
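To make the description above concrete, here is an added example of what such a Kyverno generate policy looks like. It is not the manifest from this PR; it only reuses the names the PR gives (konflux-read-only-binding, konflux-viewer-user-actions, konflux-sre, ai-konflux-user-support). The tenant label used to select application namespaces is a hypothetical placeholder, and the exclusion list is an assumption about which namespaces must never receive the binding. The example sets both background: true and generateExisting: true, the field filariow mentions further down; in Kyverno, generateExisting is what triggers generation for namespaces that already exist, and background: true is its prerequisite. The second document covers the RBAC escalation check: Kubernetes only lets a client create a RoleBinding if it already holds the permissions being granted or has the bind verb on the referenced role, so the Kyverno background controller needs that grant (the aggregation label assumes Kyverno 1.10 or later; on older releases the rule goes into the controller's ClusterRole directly).

```yaml
# Added example, not the PR's own manifest.
# ASSUMPTION: tenant namespaces carry a label; the key/value below is hypothetical.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: konflux-read-only-binding
spec:
  background: true          # evaluate in the background controller, not only at admission
  generateExisting: true    # also generate for namespaces that already exist (Kyverno >= 1.10)
  rules:
    - name: generate-read-only-binding
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  konflux.example/tenant: "true"   # hypothetical tenant label
      exclude:
        any:
          - resources:
              names:                               # defence in depth: never touch platform namespaces
                - "kube-*"
                - "openshift-*"
                - "kyverno"
      generate:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        name: konflux-read-only-binding
        namespace: "{{request.object.metadata.name}}"
        synchronize: true   # re-create or revert the binding if a tenant deletes or edits it
        data:
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: konflux-viewer-user-actions
          subjects:
            - apiGroup: rbac.authorization.k8s.io
              kind: Group
              name: konflux-sre
            - apiGroup: rbac.authorization.k8s.io
              kind: Group
              name: ai-konflux-user-support
---
# The background controller creates the RoleBinding, so it must be allowed to
# manage RoleBindings and to bind the ClusterRole it grants (escalation check).
# ASSUMPTION: Kyverno >= 1.10, where this label aggregates into the controller's role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:bind-konflux-viewer-user-actions
  labels:
    rbac.kyverno.io/aggregate-to-background-controller: "true"
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["create", "update", "delete", "get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    resourceNames: ["konflux-viewer-user-actions"]
    verbs: ["bind"]
```

Two checks worth running after applying something like this on a dev cluster: delete the generated RoleBinding in one tenant namespace and confirm the background controller re-creates it (that is the synchronize guarantee the PR relies on), and watch the background controller's CPU and memory while generateExisting sweeps the existing namespaces, which is the load concern raised in review below.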

@openshift-ci openshift-ci bot requested review from filariow and sadlerap October 21, 2025 10:55
@sadlerap (Contributor):

As a heads up, looks like yamllint throws a few warnings from your changes.

@Omeramsc Omeramsc force-pushed the KFLUXSPRT-3001 branch 2 times, most recently from f7f9922 to 8eb6cca Compare October 24, 2025 03:28
@filariow (Member) left a comment:

great work! 👍🏾

This PR is updating dev/staging/production at the same time. We should target dev/stage first, then production. Can you split them?

These kinds of policies (synchronize, generateExisting) can put a lot of pressure on Kyverno and on the cluster; we should check Kyverno performance and, if needed, increase resource requests/limits.

introduces a ClusterPolicy to automatically generate the
konflux-read-only-binding RoleBinding in all application namespaces,
granting konflux-sre and ai-konflux-user-support view access via the
konflux-viewer-user-actions ClusterRole.

- The policy explicitly uses synchronize: true and background: true,
overriding general Kyverno performance best practices.
This is intentional to ensure non-negotiable support access:

- background: true: Required for immediate retroactive application
to all existing Konflux tenant namespaces.

- synchronize: true: Required to make the RoleBinding self-healing.
If an application user or process deletes the binding, Kyverno
automatically reinstates it, guaranteeing persistent visibility for
SRE/Support teams.

Assisted-by: Cursor
Signed-off-by: Omer Turner <[email protected]>
@Omeramsc (Member, Author):

added #8841 with changes to production

@gbenhaim (Member):

We already have [1] https://github.com/redhat-appstudio/infra-deployments/blob/main/components/authentication/base/everyone-can-view.yaml. Why do we need to use a policy for generating the role bindings? Is it going to replace [1]?

@filariow (Member) left a comment:

/lgtm

openshift-ci bot commented Oct 27, 2025:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: filariow, Omeramsc


@filariow (Member):

/test appstudio-upgrade-tests

/hold
to allow you to reply to @gbenhaim's comment

@Omeramsc (Member, Author):

@gbenhaim I wasn't aware of that policy, but it seems like the two serve similar, but different, purposes.
The new policy is not static, but uses self-healing via Kyverno to recreate it if deleted by a tenant. It also automatically applies to new tenant namespaces. Is that available with everyone-can-view?

The new policy is also specific to the two groups, konflux-sre and ai-konflux-user-support, although, as mentioned before, we may make it even more user-specific, to have access via the UI as well.

@gbenhaim (Member):

everyone-can-view is applied to all namespaces. The benefit of using the policy is that then permissions would be given only in tenant namespaces. I support this change since it's more secure, but I think it should replace everyone-can-view.
@hugares @filariow thoughts?

@hugares (Contributor) commented Oct 28, 2025:

| everyone-can-view is applied to all namespaces. The benefit of using the policy is that then permissions would be given only in tenant namespaces. I support this change since it's more secure, but I think it should replace everyone-can-view. @hugares @filariow thoughts?

The everyone-can-view ClusterRole that we grant to all Konflux devs is different from this policy. everyone-can-view basically grants view access to a lot of resources in the OCP cluster, and having access to those can help with troubleshooting, but it does not grant access to the tenant NSs from the Konflux UI, which this PR is addressing.

everyone-can-view covers the use case of Konflux devs accessing tenant NSs through a back door, but also when they need to access Konflux control-plane resources, pods, logs, ... of the Konflux services. We can always get rid of it, but we will need to beef up the permissions granted for each Konflux component before removing it; otherwise we cannot troubleshoot Konflux issues.

@gbenhaim (Member):

| but it does not grant access to the tenants NS from Konflux UI, which this PR is addressing.

This PR is one step in this direction, but not a full implementation, since it gives the permissions to groups, which the UI currently does not support.

@gbenhaim (Member):

/lgtm
@filariow feel free to merge it.

@Omeramsc (Member, Author):

@gbenhaim I think we should start with this approach. Once this is merged I'll see how we can set all the required users, and then proceed with the same approach on prod.
My team's ETA for this feature is Nov 20th, and hopefully well before, so we are planning on getting it done soon.

@openshift-ci openshift-ci bot removed the lgtm label Oct 30, 2025
openshift-ci bot commented Oct 30, 2025:

New changes are detected. LGTM label has been removed.

@Omeramsc (Member, Author) commented Nov 6, 2025:

@filariow @hugares can this be merged?

openshift-ci bot commented Nov 6, 2025:

@Omeramsc: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/appstudio-e2e-tests
Commit: 8f05ec2
Required: true
Rerun command: /test appstudio-e2e-tests

