From 08fdfd2eebd21a3964069ca7726c86cb5f4b7922 Mon Sep 17 00:00:00 2001 From: Omer Turner Date: Tue, 21 Oct 2025 19:44:34 +0900 Subject: [PATCH] chore(KFLUXSPRT-3001): konflux-support read access in all namespaces introduces a ClusterPolicy to automatically generate the konflux-read-only-binding RoleBinding in all application namespaces, granting konflux-sre and ai-konflux-user-support view access via the konflux-viewer-user-actions ClusterRole. - The policy explicitly uses synchronize: true and background: true, overriding general Kyverno performance best practices. This is intentional to ensure non-negotiable support access: - background: true: Required for immediate retroactive application to all existing Konflux tenant namespaces. - synchronize: true: Required to make the RoleBinding self-healing. If an application user or process deletes the binding, Kyverno automatically reinstates it, guaranteeing persistent visibility for SRE/Support teams. Assisted-by: Cursor Signed-off-by: Omer Turner --- .../konflux-support-viewer-access/OWNERS | 8 +++ ...port-viewer-rolebinding-clusterpolicy.yaml | 51 +++++++++++++++++++ .../kustomization.yaml | 6 +++ .../kyverno_rbac.yaml | 50 ++++++++++++++++++ .../konflux-rbac/kustomization.yaml | 1 + 5 files changed, 116 insertions(+) create mode 100644 components/policies/development/konflux-rbac/konflux-support-viewer-access/OWNERS create mode 100644 components/policies/development/konflux-rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml create mode 100644 components/policies/development/konflux-rbac/konflux-support-viewer-access/kustomization.yaml create mode 100644 components/policies/development/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml diff --git a/components/policies/development/konflux-rbac/konflux-support-viewer-access/OWNERS b/components/policies/development/konflux-rbac/konflux-support-viewer-access/OWNERS new file mode 100644 index 00000000000..fcdb15ccc5d 
--- /dev/null +++ b/components/policies/development/konflux-rbac/konflux-support-viewer-access/OWNERS @@ -0,0 +1,8 @@ +# See the OWNERS docs: https://go.k8s.io/owners + +reviewers: +- gbenhaim +- filariow +- sadlerap +- Omeramsc + diff --git a/components/policies/development/konflux-rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml b/components/policies/development/konflux-rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml new file mode 100644 index 00000000000..99691415d59 --- /dev/null +++ b/components/policies/development/konflux-rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml 
@@ -0,0 +1,51 @@ +--- +# This ClusterPolicy automatically generates a RoleBinding in all tenant namespaces +# to grant read-only access to the 'konflux-sre' and 'ai-konflux-user-support' groups. +# +# This policy is designed to ensure that these groups have consistent +# visibility across tenant namespaces for monitoring, troubleshooting, or support. + +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-konflux-support-read-only-rolebinding + annotations: + policies.kyverno.io/title: "Generate Read-Only RoleBinding for Konflux support and sre Groups" + policies.kyverno.io/category: Multi-Tenancy + policies.kyverno.io/description: >- + This policy automatically generates a RoleBinding in all tenant namespaces. + The RoleBinding binds the 'konflux-sre' and 'ai-konflux-user-support' + groups to the Konflux-specific 'konflux-viewer-user-actions' ClusterRole, + granting them comprehensive read-only access to resources within each tenant namespace, + therefore allowing better, fast and streamlined support. +spec: + background: false + rules: + - name: generate-read-only-rolebinding + match: + any: + - resources: + kinds: + - /v1/Namespace + selector: + matchLabels: + konflux-ci.dev/type: tenant + generate: + generateExisting: true + synchronize: true + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + name: konflux-read-only-binding + namespace: "{{request.object.metadata.name}}" + data: + subjects: + - kind: Group + name: konflux-sre + apiGroup: rbac.authorization.k8s.io + - kind: Group + name: ai-konflux-user-support + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: konflux-viewer-user-actions + apiGroup: rbac.authorization.k8s.io diff --git a/components/policies/development/konflux-rbac/konflux-support-viewer-access/kustomization.yaml b/components/policies/development/konflux-rbac/konflux-support-viewer-access/kustomization.yaml new file mode 100644 index 00000000000..1102a14e7f0 --- /dev/null 
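Review bot: `spec.background: false` in the new ClusterPolicy contradicts the commit message, which says the policy "explicitly uses ... background: true" and that this is required to retroactively cover existing tenant namespaces; either the manifest or the rationale is wrong. If `generateExisting: true` is sufficient on the deployed Kyverno version to apply the rule to pre-existing namespaces, the commit message should be corrected; otherwise the line should read `background: true`, or the self-healing guarantee described will only hold for namespaces created after the policy lands. The header comment also understates the blast radius: two groups receive whatever `konflux-viewer-user-actions` grants in every `konflux-ci.dev/type: tenant` namespace, and that ClusterRole is not part of this diff, so I would add `# NOTE: the effective read scope (e.g. whether Secrets are readable) is defined by the konflux-viewer-user-actions ClusterRole — review that role before changing this policy.`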
+++ b/components/policies/development/konflux-rbac/konflux-support-viewer-access/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namePrefix: konflux-rbac- +resources: +- generate-support-viewer-rolebinding-clusterpolicy.yaml +- kyverno_rbac.yaml diff --git a/components/policies/development/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml b/components/policies/development/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml new file mode 100644 index 00000000000..ebbc54b51ed --- /dev/null +++ b/components/policies/development/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno-admission:generate-support-viewer-rolebinding + labels: + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - list + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno-background:manage-support-rolebindings + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - get + - list + - delete + - update +--- +# To allow kyverno to create the RoleBinding, +# the kyverno-background-controller's ServiceAccount +# needs to have the same permissions it wants to assign +# to someone else +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno-background:konflux-viewer-user-actions +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: konflux-viewer-user-actions +subjects: +- kind: ServiceAccount + namespace: konflux-kyverno + name: kyverno-background-controller 
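Review bot: The ClusterRoleBinding at the end of the hunk grants the `kyverno-background-controller` ServiceAccount the full `konflux-viewer-user-actions` ClusterRole cluster-wide, which is more privilege than creating the RoleBinding requires. Kubernetes' RBAC escalation check is also satisfied by the `bind` verb on the referenced ClusterRole, so the controller can be permitted to bind `konflux-viewer-user-actions` without itself gaining read access to every tenant namespace. I would drop the ClusterRoleBinding and instead add a `bind` rule scoped with `resourceNames` to the `kyverno-background:manage-support-rolebindings` ClusterRole, keeping a comment on why the rule exists. The `namePrefix: konflux-rbac-` in the sibling kustomization will rename these ClusterRoles, which is harmless here since Kyverno aggregates them by label rather than by name.
```yaml
  name: kyverno-background:manage-support-rolebindings
rules:
# … unchanged: rolebindings create/get/list/delete/update rule …
# The API server refuses a RoleBinding that grants permissions the creator
# does not hold, unless the creator has `bind` on the referenced role.
# Granting `bind` on this single ClusterRole lets the controller create the
# support RoleBinding without holding the viewer permissions itself
# (replaces the kyverno-background:konflux-viewer-user-actions ClusterRoleBinding).
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - bind
  resourceNames:
  - konflux-viewer-user-actions
```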
diff --git a/components/policies/development/konflux-rbac/kustomization.yaml b/components/policies/development/konflux-rbac/kustomization.yaml index ee47e6a9153..367c0c7345d 100644 --- a/components/policies/development/konflux-rbac/kustomization.yaml +++ b/components/policies/development/konflux-rbac/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - bootstrap-tenant-namespace/ +- konflux-support-viewer-access/ - restrict-binding-system-authenticated/ - restrict-binding-system-authenticated-releng/ - validate-rolebindings/