• Task
    • Resolution: Done
    • Major
    • Test Infrastructure
    • DEVAI Sprint 3278

      Task Description (Required)

      By default we currently give users on the team cluster cluster-wide `edit` permissions, which could be destructive given the number of services on the cluster that we rely upon for development. Instead, we should grant cluster-wide `view` permissions (read-only) by default, and grant write access to a limited set of namespaces:

      1. The user's personal namespace (what rosa-namespace-provisioner creates)
      2. rhoai-workspace, to provide a sandbox to use RHOAI with

      To achieve this, we should reorganize the RBAC under authorization/ in rosa-gitops:

      • Have a top level ClusterRoleBinding and Group, redhat-ai-dev-users, granting access to the `view` ClusterRole
      • Additionally, have a Role and RoleBinding granting `edit` permissions in the rhoai-workspace namespace
      • Finally, update rosa-namespace-provisioner to create a RoleBinding for the user in their user namespace that gives them `edit` permissions in that namespace
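
      A sketch of the manifests this layout implies, added here as an example and not taken from rosa-gitops or rosa-namespace-provisioner. The binding names, `example-user` and `example-user-ns` are constructed, and the namespace-scoped bindings reference the built-in `edit` ClusterRole rather than defining a separate Role, which is an assumption.

```yaml
# Group holding the team's users (OpenShift Group object).
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: redhat-ai-dev-users
users:
  - example-user                     # constructed sample user
---
# Cluster-wide read-only access for the whole group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: redhat-ai-dev-users-view     # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: redhat-ai-dev-users
---
# Write access for the group, scoped to the sandbox namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: redhat-ai-dev-users-edit     # hypothetical name
  namespace: rhoai-workspace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: redhat-ai-dev-users
---
# Per-user binding of the kind the provisioner would create in each user namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-user-edit            # hypothetical name
  namespace: example-user-ns         # constructed user namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: example-user
```

      Once applied, `oc auth can-i delete deployments -n rhoai-workspace --as=example-user --as-group=redhat-ai-dev-users` should answer `yes`, while the same check against a shared service namespace should answer `no`.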

              mvaldron Michael Valdron
              johnmcollier John Collier
              RHIDP - AI