Hybrid Cloud Console / RHCLOUD-43629

Update Kessel Debug for new Breakglass process


      As part of RHCLOUD-42278, we created a role that granted Kessel engineers access to rsh/exec into a running kessel-debug pod, as long as AppSRE spun the pod up. While this was initially approved, the ask is that we move over to a more defined and common process for AppSRE: the break glass process.

      The break glass process includes:

      • A role that lets those assigned to it run, rsh/exec into, and delete the kessel debug pod themselves, without AppSRE
      • The break glass period is set via expirationDate on the role, so that permission to perform the above is time-boxed and requires AppSRE approval but not hands-on actions

      This means the process to use kessel debug in prod would look like the following:

      • Kessel member updates expiration on role – submits PR
      • Kessel member with self-service permissions on the role can approve the PR
      • Once the expiration is updated, the requesting Kessel engineer can run and exec into the debug pod as needed
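An added example (not part of the ticket or the project's own tooling): a PR check that keeps the break glass window time-boxed when the approval is self-service. The role is modelled as a plain dict; the role name, the `permissions` field, the 3-day cap, and the rule that access holds through the expiration day are assumptions.

```python
from datetime import date, timedelta

MAX_WINDOW_DAYS = 3  # assumed policy cap; the ticket does not state one


def parse_expiration(role):
    """Return the role's expirationDate as a date, or None if absent/invalid."""
    try:
        return date.fromisoformat(str(role.get("expirationDate")))
    except ValueError:
        return None


def is_active(role, today):
    """Assumed semantics: the grant holds through the expiration day itself."""
    exp = parse_expiration(role)
    return exp is not None and today <= exp


def review_change(old_role, new_role, today):
    """Findings for a PR that edits the break glass role; empty list means OK."""
    new_exp = parse_expiration(new_role)
    if new_exp is None:
        # A missing or unparsable date must never be read as "no expiry".
        return ["expirationDate missing or not YYYY-MM-DD"]
    findings = []
    if new_exp < today:
        findings.append("expirationDate is already in the past; grants nothing")
    if new_exp > today + timedelta(days=MAX_WINDOW_DAYS):
        findings.append(f"window exceeds {MAX_WINDOW_DAYS} days")
    # Self-service approval should only ever move the date, not widen the role.
    changed = {k for k in old_role.keys() | new_role.keys()
               if old_role.get(k) != new_role.get(k)}
    extra = sorted(changed - {"expirationDate"})
    if extra:
        findings.append("fields other than expirationDate changed: " + ", ".join(extra))
    return findings


# Constructed sample data (hypothetical role name and fields).
TODAY = date(2025, 3, 10)
OLD = {"name": "kessel-debug-breakglass",
       "permissions": ["run", "exec", "delete"],
       "expirationDate": "2025-01-01"}
OK = {**OLD, "expirationDate": "2025-03-12"}
TOO_LONG = {**OLD, "expirationDate": "2025-12-31"}
WIDENED = {**OK, "permissions": ["run", "exec", "delete", "get-secrets"]}
MISSING = {k: v for k, v in OLD.items() if k != "expirationDate"}
```

Run as a required CI check, this keeps a self-approved PR from setting an open-ended expiration or from changing what the role grants.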

              anatale.openshift Antony Natale