redhat-appstudio · Omeramsc · Dec 7, 2025
diff --git a/...x-support-nslister-access/generate-support-nslister-clusterrolebinding-clusterpolicy.yaml b/...x-support-nslister-access/generate-support-nslister-clusterrolebinding-clusterpolicy.yaml
@@ -0,0 +1,51 @@
+---
+# This ClusterPolicy automatically generates a ClusterRoleBinding for users
+# in the 'konflux-support' Group to enable namespace-lister access.
+#
+# The namespace-lister service checks for ClusterRoleBindings with the label
+# 'namespace-lister.konflux-ci.dev/use-for-access: true' and grants access
+# to tenant namespaces based on individual User subjects in those bindings.
+
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-konflux-support-nslister-clusterrolebinding
+  annotations:
+    policies.kyverno.io/title: "Generate ClusterRoleBinding for konflux-support Group Users"
+    policies.kyverno.io/category: Multi-Tenancy
+    policies.kyverno.io/description: >-
+      This policy automatically generates a ClusterRoleBinding for all users
+      in the 'konflux-support' Group. The ClusterRoleBinding includes the
+      label 'namespace-lister.konflux-ci.dev/use-for-access: true' which
+      enables namespace-lister to grant these users access to tenant namespaces.
+      The binding is synchronized with the Group, so any changes to group
+      membership are automatically reflected in the ClusterRoleBinding.
+spec:
+  rules:
+    - name: generate-nslister-clusterrolebinding
+      match:
+        any:
+        - resources:
+            kinds:
+            - user.openshift.io/v1/Group
+            names:
+            - konflux-support
+      context:
+        - name: userSubjects
+          variable:
+            jmesPath: "request.object.users[] | [].{kind: 'User', apiGroup: 'rbac.authorization.k8s.io', name: @}"
+      generate:
+        generateExisting: true
+        synchronize: true
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRoleBinding
+        name: konflux-support-nslister
+        data:
+          metadata:
+            labels:
+              namespace-lister.konflux-ci.dev/use-for-access: 'true'
+          subjects: "{{ userSubjects }}"
+          roleRef:
+            kind: ClusterRole
+            name: view
+            apiGroup: rbac.authorization.k8s.io
diff --git a/.../policies/production/base/konflux-rbac/konflux-support-nslister-access/kustomization.yaml b/.../policies/production/base/konflux-rbac/konflux-support-nslister-access/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: konflux-rbac-
+resources:
+- generate-support-nslister-clusterrolebinding-clusterpolicy.yaml
+- kyverno_rbac.yaml
+
diff --git a/...s/policies/production/base/konflux-rbac/konflux-support-nslister-access/kyverno_rbac.yaml b/...s/policies/production/base/konflux-rbac/konflux-support-nslister-access/kyverno_rbac.yaml
@@ -0,0 +1,61 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-admission:read-groups
+  labels:
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - user.openshift.io
+  resources:
+  - groups
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-background:manage-support-clusterrolebindings
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+rules:
+- apiGroups:
+  - user.openshift.io
+  resources:
+  - groups
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - delete
+  - update
+  - patch
+---
+# To allow kyverno to create the ClusterRoleBinding,
+# the kyverno-background-controller's ServiceAccount
+# needs to have the same permissions it wants to assign
+# to someone else (the 'view' ClusterRole)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno-background:view-for-nslister
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- kind: ServiceAccount
+  namespace: konflux-kyverno
+  name: kyverno-background-controller
+
diff --git a/components/policies/production/base/konflux-rbac/kustomization.yaml b/components/policies/production/base/konflux-rbac/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
 - bootstrap-tenant-namespace/
 - konflux-support-viewer-access/
+- konflux-support-nslister-access/
 - restrict-binding-sysauth/
 - restrict-binding-system-authenticated-releng/
 - validate-rolebindings/