From 572224c0c9c8a6d18ec1ab58d1963da01afd42a5 Mon Sep 17 00:00:00 2001 From: Omer Turner Date: Fri, 7 Nov 2025 23:05:40 +0900 Subject: [PATCH] chore(KFLUXSPRT-3001): add production policies for konflux-support read access (Wave 2) Add ClusterPolicy for production environment to automatically generate konflux-read-only-binding RoleBinding in tenant namespaces, granting konflux-sre and ai-konflux-user-support view access. This is Wave 2 of a ring deployment, targeting the following clusters: - stone-prod-p02 - stone-prd-rh01 The policy is deployed via cluster-specific kustomization references rather than the shared base to enable controlled rollout. Signed-off-by: Omer Turner --- .../konflux-support-viewer-access/OWNERS | 9 ++++ ...port-viewer-rolebinding-clusterpolicy.yaml | 52 +++++++++++++++++++ .../kustomization.yaml | 7 +++ .../kyverno_rbac.yaml | 51 ++++++++++++++++++ .../stone-prd-rh01/kustomization.yaml | 1 + .../stone-prod-p02/kustomization.yaml | 1 + 6 files changed, 121 insertions(+) create mode 100644 components/policies/production/base/konflux-rbac/konflux-support-viewer-access/OWNERS create mode 100644 components/policies/production/base/konflux-rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml create mode 100644 components/policies/production/base/konflux-rbac/konflux-support-viewer-access/kustomization.yaml create mode 100644 components/policies/production/base/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml diff --git a/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/OWNERS b/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/OWNERS new file mode 100644 index 00000000000..06810a06f87 --- /dev/null +++ b/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/OWNERS @@ -0,0 +1,9 @@ +# See the OWNERS docs: https://go.k8s.io/owners + +reviewers: +- gbenhaim +- filariow +- sadlerap +- Omeramsc + + 
diff --git a/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml b/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml
new file mode 100644
index 00000000000..7e46166a3c9
--- /dev/null
+++ b/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml
@@ -0,0 +1,52 @@ +--- +# This ClusterPolicy automatically generates a RoleBinding in all tenant namespaces +# to grant read-only access to the 'konflux-sre' and 'ai-konflux-user-support' groups. +# +# This policy is designed to ensure that these groups have consistent +# visibility across tenant namespaces for monitoring, troubleshooting, or support. + +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-konflux-support-read-only-rolebinding + annotations: + policies.kyverno.io/title: "Generate Read-Only RoleBinding for Konflux support and sre Groups" + policies.kyverno.io/category: Multi-Tenancy + policies.kyverno.io/description: >- + This policy automatically generates a RoleBinding in all tenant namespaces. + The RoleBinding binds the 'konflux-sre' and 'ai-konflux-user-support' + groups to the Konflux-specific 'konflux-viewer-user-actions' ClusterRole, + granting them comprehensive read-only access to resources within each tenant namespace, + therefore allowing better, fast and streamlined support. +spec: + background: false + rules: + - name: generate-read-only-rolebinding + match: + any: + - resources: + kinds: + - /v1/Namespace + selector: + matchLabels: + konflux-ci.dev/type: tenant + generate: + generateExisting: true + synchronize: true + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + name: konflux-read-only-binding + namespace: "{{request.object.metadata.name}}" + data: + subjects: + - kind: Group + name: konflux-sre + apiGroup: rbac.authorization.k8s.io + - kind: Group + name: ai-konflux-user-support + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: konflux-viewer-user-actions + apiGroup: rbac.authorization.k8s.io + diff --git a/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/kustomization.yaml b/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/kustomization.yaml new file mode 100644 index 00000000000..1fcec143e2f --- /dev/null 
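Review bot: The read grant in this rule is gated only on the `konflux-ci.dev/type: tenant` namespace label, and its real scope is the `konflux-viewer-user-actions` ClusterRole, which this patch does not contain — so whether `konflux-sre` and `ai-konflux-user-support` end up with `get`/`list` on Secrets in every tenant namespace cannot be checked from this change. I would add, above `roleRef`, a comment recording the constraint that ClusterRole must keep satisfying, e.g. `# konflux-viewer-user-actions is expected to be read-only and to exclude secrets; re-review this policy whenever that ClusterRole changes`, and name the owning team in the policy description. `synchronize: true` is the right choice because it lets Kyverno restore the binding if a tenant admin deletes or edits it, but a pre-existing RoleBinding named `konflux-read-only-binding` that Kyverno did not create would presumably not be adopted, which is worth confirming on the first Wave 2 cluster. Also `background: false` sits next to `generateExisting: true`; presumably the background controller still performs the generate-existing pass, but verify that namespaces that already carry the label actually receive the binding rather than only namespaces created after the policy lands.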
+++ b/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namePrefix: konflux-rbac- +resources: +- generate-support-viewer-rolebinding-clusterpolicy.yaml +- kyverno_rbac.yaml + diff --git a/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml b/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml new file mode 100644 index 00000000000..c307e9d6560 --- /dev/null +++ b/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml @@ -0,0 +1,51 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno-admission:generate-support-viewer-rolebinding + labels: + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - list + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno-background:manage-support-rolebindings + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - get + - list + - delete + - update +--- +# To allow kyverno to create the RoleBinding, +# the kyverno-background-controller's ServiceAccount +# needs to have the same permissions it wants to assign +# to someone else +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno-background:konflux-viewer-user-actions +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: konflux-viewer-user-actions +subjects: +- kind: ServiceAccount + namespace: konflux-kyverno + name: kyverno-background-controller + 
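Review bot: The ClusterRoleBinding at the end of the hunk gives the `kyverno-background-controller` ServiceAccount the whole `konflux-viewer-user-actions` ClusterRole cluster-wide, so the Kyverno SA itself can now read every tenant namespace's resources — a larger footprint than the per-namespace RoleBinding it is meant to create. Kubernetes' RBAC escalation check accepts a narrower alternative: the creator only needs the `bind` verb on the referenced ClusterRole (via `resourceNames`), which lets the background controller create the binding without holding any of the permissions it hands out. I would drop the ClusterRoleBinding and add that rule to `kyverno-background:manage-support-rolebindings`, replacing the explanatory comment with `# 'bind' on the named ClusterRole satisfies the RBAC escalation check without granting its permissions to Kyverno itself`. Separately, if `synchronize: true` relies on the background controller watching generated RoleBindings, `watch` may be needed next to `list` in that rule — confirm against the Kyverno version deployed in `konflux-kyverno`.

```yaml
  name: kyverno-background:manage-support-rolebindings
# … unchanged: aggregation label and the existing rolebindings rule …
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  resourceNames:
  - konflux-viewer-user-actions
  verbs:
  - bind
```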
diff --git a/components/policies/production/stone-prd-rh01/kustomization.yaml b/components/policies/production/stone-prd-rh01/kustomization.yaml
index 5088ede4222..e16e2bf22c6 100644
--- a/components/policies/production/stone-prd-rh01/kustomization.yaml
+++ b/components/policies/production/stone-prd-rh01/kustomization.yaml
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../base
+- ../base/konflux-rbac/konflux-support-viewer-access/
 - ../policies/kueue/
 - ../policies/kubearchive/
diff --git a/components/policies/production/stone-prod-p02/kustomization.yaml b/components/policies/production/stone-prod-p02/kustomization.yaml
index 018149cb4d9..8937f986861 100644
--- a/components/policies/production/stone-prod-p02/kustomization.yaml
+++ b/components/policies/production/stone-prod-p02/kustomization.yaml
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../base
+- ../base/konflux-rbac/konflux-support-viewer-access/
 - ../policies/kubearchive/
 - ../policies/kueue/