redhat-appstudio · openshift-merge-bot · Nov 7, 2025 · Oct 21, 2025 · Oct 30, 2025 · Nov 3, 2025
diff --git a/components/policies/development/konflux-rbac/konflux-support-viewer-access/OWNERS b/components/policies/development/konflux-rbac/konflux-support-viewer-access/OWNERS
@@ -0,0 +1,8 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+reviewers:
+- gbenhaim
+- filariow
+- sadlerap
+- Omeramsc
+
diff --git a/...rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml b/...rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml
@@ -0,0 +1,51 @@
+---
+# This ClusterPolicy automatically generates a RoleBinding in all tenant namespaces
+# to grant read-only access to the 'konflux-sre' and 'ai-konflux-user-support' groups.
+#
+# This policy is designed to ensure that these groups have consistent
+# visibility across tenant namespaces for monitoring, troubleshooting, or support.
+
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-konflux-support-read-only-rolebinding
+  annotations:
+    policies.kyverno.io/title: "Generate Read-Only RoleBinding for Konflux support and sre Groups"
+    policies.kyverno.io/category: Multi-Tenancy
+    policies.kyverno.io/description: >-
+      This policy automatically generates a RoleBinding in all tenant namespaces.
+      The RoleBinding binds the 'konflux-sre' and 'ai-konflux-user-support'
+      groups to the Konflux-specific 'konflux-viewer-user-actions' ClusterRole,
+      granting them comprehensive read-only access to resources within each tenant namespace,
+      therefore allowing better, fast and streamlined support.
+spec:
+  background: false
+  rules:
+    - name: generate-read-only-rolebinding
+      match:
+        any:
+        - resources:
+            kinds:
+            - /v1/Namespace
+            selector:
+              matchLabels:
+                konflux-ci.dev/type: tenant
+      generate:
+        generateExisting: true
+        synchronize: true
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: RoleBinding
+        name: konflux-read-only-binding
+        namespace: "{{request.object.metadata.name}}"
+        data:
+          subjects:
+            - kind: Group
+              name: konflux-sre
+              apiGroup: rbac.authorization.k8s.io
+            - kind: Group
+              name: ai-konflux-user-support
+              apiGroup: rbac.authorization.k8s.io
+          roleRef:
+            kind: ClusterRole
+            name: konflux-viewer-user-actions
+            apiGroup: rbac.authorization.k8s.io
diff --git a/...onents/policies/development/konflux-rbac/konflux-support-viewer-access/kustomization.yaml b/...onents/policies/development/konflux-rbac/konflux-support-viewer-access/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: konflux-rbac-
+resources:
+- generate-support-viewer-rolebinding-clusterpolicy.yaml
+- kyverno_rbac.yaml
diff --git a/components/policies/development/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml b/components/policies/development/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-admission:generate-support-viewer-rolebinding
+  labels:
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - list
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-background:manage-support-rolebindings
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - delete
+  - update
+---
+# To allow kyverno to create the RoleBinding,
+# the kyverno-background-controller's ServiceAccount
+# needs to have the same permissions it wants to assign
+# to someone else
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno-background:konflux-viewer-user-actions
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: konflux-viewer-user-actions
+subjects:
+- kind: ServiceAccount
+  namespace: konflux-kyverno
+  name: kyverno-background-controller
diff --git a/components/policies/development/konflux-rbac/kustomization.yaml b/components/policies/development/konflux-rbac/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - bootstrap-tenant-namespace/
+- konflux-support-viewer-access/
 - restrict-binding-system-authenticated/
 - restrict-binding-system-authenticated-releng/
 - validate-rolebindings/