@Omeramsc

Add ClusterPolicy for production environment to automatically generate konflux-read-only-binding RoleBinding in tenant namespaces, granting konflux-sre and ai-konflux-user-support view access.

Introduces a ClusterPolicy to automatically generate the
konflux-read-only-binding RoleBinding in all application namespaces,
granting konflux-sre and ai-konflux-user-support view access via the
konflux-viewer-user-actions ClusterRole.

- The policy explicitly uses synchronize: true and background: true,
overriding general Kyverno performance best practices.
This is intentional to ensure non-negotiable support access:

- background: true: Required for immediate retroactive application
to all existing Konflux tenant namespaces.

- synchronize: true: Required to make the RoleBinding self-healing.
If an application user or process deletes the binding, Kyverno
automatically reinstates it, guaranteeing persistent visibility for
SRE/Support teams.

Assisted-by: Cursor
Signed-off-by: Omer Turner <[email protected]>
…ad access

Add ClusterPolicy for production environment to automatically generate
konflux-read-only-binding RoleBinding in tenant namespaces, granting
konflux-sre and ai-konflux-user-support view access.

Signed-off-by: Omer Turner <[email protected]>
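
A check on the outcome the description relies on, as an added example that is not part of this PR: it audits output shaped like `kubectl get rolebindings -A -o json` and reports tenant namespaces where the binding is missing, repointed or has altered subjects. The namespace list, the `Group` subject kind and the sample objects are assumptions constructed for illustration.

```python
BINDING = "konflux-read-only-binding"    # RoleBinding name from the PR description
ROLE = "konflux-viewer-user-actions"     # ClusterRole from the PR description
SUBJECTS = {"konflux-sre", "ai-konflux-user-support"}  # subject names from the PR


def audit(rolebinding_list, tenant_namespaces):
    """Return {namespace: [findings]} for tenant namespaces whose binding deviates.

    rolebinding_list is shaped like `kubectl get rolebindings -A -o json`;
    tenant_namespaces is supplied by the caller (selection logic is assumed).
    """
    found = {rb["metadata"]["namespace"]: rb
             for rb in rolebinding_list.get("items", [])
             if rb["metadata"]["name"] == BINDING}
    report = {}
    for ns in tenant_namespaces:
        rb = found.get(ns)
        if rb is None:
            report[ns] = ["missing"]
            continue
        problems = []
        ref = rb.get("roleRef", {})
        if (ref.get("kind"), ref.get("name")) != ("ClusterRole", ROLE):
            problems.append(f"roleRef is {ref.get('kind')}/{ref.get('name')}")
        names = {s.get("name") for s in rb.get("subjects") or []}
        problems += [f"subject {n} absent" for n in sorted(SUBJECTS - names)]
        problems += [f"unexpected subject {n}" for n in sorted(names - SUBJECTS)]
        if problems:
            report[ns] = problems
    return report


def _rb(ns, role=ROLE, subjects=SUBJECTS):
    # Constructed RoleBinding; kind "Group" is an assumption, the page gives no kind.
    return {"metadata": {"name": BINDING, "namespace": ns},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "Group", "name": n} for n in sorted(subjects)]}


# Constructed sample: healthy, widened, repointed; team-d-tenant has no binding.
SAMPLE = {"items": [_rb("team-a-tenant"),
                    _rb("team-b-tenant", subjects=SUBJECTS | {"someone-else"}),
                    _rb("team-c-tenant", role="edit")]}
NAMESPACES = ["team-a-tenant", "team-b-tenant", "team-c-tenant", "team-d-tenant"]

if __name__ == "__main__":
    for ns, issues in audit(SAMPLE, NAMESPACES).items():
        print(ns, "->", "; ".join(issues))
```
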
@openshift-ci openshift-ci bot requested review from filariow and gbenhaim October 27, 2025 11:15
openshift-ci bot commented Oct 27, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Omeramsc
Once this PR has been reviewed and has the lgtm label, please assign sadlerap for approval. For more information see the Code Review Process.
