  1. Red Hat Advanced Cluster Management
  2. ACM-3829

Allow Hub policy templates to safely escape the policy namespace


    • Story
    • Resolution: Duplicate
    • GRC

      Value Statement

      As an ACM user, I need to copy secrets that are outside of the root policy namespace on the Hub to managed clusters using Hub policy templates, so that I don't need to create an additional Hub-only policy that copies the secret.

      Definition of Done for Engineering Story Owner (Checklist)

      • A user can define a Role/ClusterRole and RoleBinding/ClusterRoleBinding that gives additional permissions to the Policy's Hub policy templates outside of its namespace.
      • go-template-utils is modified to perform a subject access review on behalf of the Policy when a Hub policy template wants to escape the policy namespace.
      • go-template-utils is updated in the Policy Propagator.

      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      • [ ] Unit/function tests have been automated and incorporated into the build.
      • [ ] 100% automated unit/function test coverage for new or changed APIs.

      Secure Design

      • [ ] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      Support Readiness

      • [ ] The must-gather script has been updated.

              Unassigned
              Matthew Prahl (mprahl)
              Derek Ho