redhat-appstudio · Omeramsc · Nov 7, 2025
diff --git a/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/OWNERS b/components/policies/production/base/konflux-rbac/konflux-support-viewer-access/OWNERS
@@ -0,0 +1,8 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+reviewers:
+- gbenhaim
+- filariow
+- sadlerap
+- Omeramsc
+
diff --git a/...rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml b/...rbac/konflux-support-viewer-access/generate-support-viewer-rolebinding-clusterpolicy.yaml
@@ -0,0 +1,68 @@
+---
+# This ClusterPolicy automatically generates a RoleBinding in all tenant namespaces
+# to grant read-only access to the 'konflux-sre' and 'ai-konflux-user-support' groups,
+# as well as individual users listed in the konflux-support-users ConfigMap.
+#
+# This policy is designed to ensure that these groups and users have consistent
+# visibility across tenant namespaces for monitoring, troubleshooting, or support.
+# 
+# Individual user access is required for the Konflux UI, which only supports
+# User subjects (not Group subjects) for authentication.
+
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-konflux-support-read-only-rolebinding
+  annotations:
+    policies.kyverno.io/title: "Generate Read-Only RoleBinding for Konflux Support Users and Groups"
+    policies.kyverno.io/category: Multi-Tenancy
+    policies.kyverno.io/description: >-
+      This policy automatically generates a RoleBinding in all tenant namespaces.
+      The RoleBinding binds the 'konflux-sre' and 'ai-konflux-user-support' groups,
+      plus individual support users from a ConfigMap, to the Konflux-specific
+      'konflux-viewer-user-actions' ClusterRole, granting them comprehensive
+      read-only access to resources within each tenant namespace, therefore
+      allowing better, fast and streamlined support via both CLI and UI.
+spec:
+  background: false
+  rules:
+    - name: generate-read-only-rolebinding
+      match:
+        any:
+        - resources:
+            kinds:
+            - /v1/Namespace
+            selector:
+              matchLabels:
+                konflux-ci.dev/type: tenant
+      context:
+      - name: supportUsers
+        configMap:
+          name: konflux-rbac-konflux-support-users
+          namespace: konflux-policies
+      generate:
+        generateExisting: true
+        synchronize: true
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: RoleBinding
+        name: konflux-read-only-binding
+        namespace: "{{request.object.metadata.name}}"
+        data:
+          subjects: |-
+            {{ 
+              concat(
+                '[
+                  {"kind": "Group", "name": "konflux-sre", "apiGroup": "rbac.authorization.k8s.io"},
+                  {"kind": "Group", "name": "ai-konflux-user-support", "apiGroup": "rbac.authorization.k8s.io"}',
+                split(supportUsers.data.users, '\n') | 
+                  map(&trim(@), @) | 
+                  [?@ != ''] | 
+                  map(&concat(',{"kind": "User", "name": "', @, '", "apiGroup": "rbac.authorization.k8s.io"}'), @) | 
+                  join('', @),
+                ']'
+              ) | parse_json(@)
+            }}
+          roleRef:
+            kind: ClusterRole
+            name: konflux-viewer-user-actions
+            apiGroup: rbac.authorization.k8s.io
diff --git a/...ts/policies/production/base/konflux-rbac/konflux-support-viewer-access/kustomization.yaml b/...ts/policies/production/base/konflux-rbac/konflux-support-viewer-access/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namePrefix: konflux-rbac-
+resources:
+- support-users-configmap.yaml
+- generate-support-viewer-rolebinding-clusterpolicy.yaml
+- kyverno_rbac.yaml
diff --git a/...nts/policies/production/base/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml b/...nts/policies/production/base/konflux-rbac/konflux-support-viewer-access/kyverno_rbac.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-admission:generate-support-viewer-rolebinding
+  labels:
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - list
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-background:manage-support-rolebindings
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - delete
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+---
+# To allow kyverno to create the RoleBinding,
+# the kyverno-background-controller's ServiceAccount
+# needs to have the same permissions it wants to assign
+# to someone else
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno-background:konflux-viewer-user-actions
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: konflux-viewer-user-actions
+subjects:
+- kind: ServiceAccount
+  namespace: konflux-kyverno
+  name: kyverno-background-controller
diff --git a/...s/production/base/konflux-rbac/konflux-support-viewer-access/support-users-configmap.yaml b/...s/production/base/konflux-rbac/konflux-support-viewer-access/support-users-configmap.yaml
@@ -0,0 +1,244 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: konflux-support-users
+  namespace: konflux-policies
+data:
+  # List of users who should have viewer access to tenant namespaces
+  # This list is manually maintained and includes:
+  # - All stonesoup team members
+  # - Users from the konflux-users-support-ic schedule (across multiple teams)
+  # Source: app-interface-confirmed repository
+  # Total users: 229
+  users: |
+    abarbaro
+    abiton
+    abraverm
+    acanan
+    achernet
+    acmiel
+    adecause
+    adkaplan
+    afred
+    agonsorc
+    alemay
+    alvalent
+    amarchuk
+    amcnamar
+    amisstea
+    anjoseph
+    ansadler
+    aormandy
+    aovchinn
+    araszka
+    asabadra
+    ascerra
+    ashwkuma
+    asrodrig
+    athorp
+    avinkuma
+    balkov
+    bcook
+    bhills
+    bkorren
+    bmuthuka
+    bpimente
+    brainfor
+    bramos
+    breilly
+    bsivasub
+    caevans
+    catoconn
+    cbanavik
+    chuo
+    cmaringa
+    cmarulas
+    cqi
+    damoreno
+    daturece
+    dbaez
+    dfodor
+    dgemoli
+    dgregor
+    djodha
+    dperaza
+    dtodorov
+    dvolkov
+    dwalluck
+    edsantos
+    eedri
+    eisraeli
+    ekeefe
+    elgerman
+    ergonzal
+    eskultet
+    falrayes
+    fdiprete
+    filario
+    flacatus
+    fnikolov
+    gallen
+    gasoares
+    gbenhaim
+    ghartuv
+    gli
+    gsun
+    hares
+    haripate
+    hbhati
+    hcaballe
+    hemartin
+    hguemar
+    hlin
+    hmariset
+    hongliu
+    jamato
+    jbieren
+    jburke
+    jcasey
+    jcullina
+    jengland
+    jeverett
+    jfischer
+    jgangi
+    jingwang
+    jinqi
+    jkopriva
+    jkubica
+    jlibrova
+    jluza
+    jmicanek
+    jorris
+    jostone
+    jpolonip
+    jreidy
+    jrokos
+    jsmid
+    jstuart
+    jsztuka
+    kalem
+    kaprokop
+    kelchen
+    kjeeyar
+    kkanova
+    klakshma
+    kpavic
+    kshirsal
+    ktkacik
+    lismith
+    liyu
+    lkolacek
+    lkrejci
+    llipka
+    lmendes
+    lucarval
+    luzhang
+    maherber
+    manferna
+    maniskum
+    manon
+    mbasti
+    mboy
+    mcada
+    meli
+    misjohns
+    mistonov
+    mkingsbu
+    mkosiarc
+    mlanska
+    mleonova
+    mmalina
+    mmehra
+    mmorhun
+    mpokorny
+    mrath
+    mshaposh
+    msikora
+    msoltis
+    mtichavs
+    nbehera
+    nhaklik
+    niyer
+    nmarsell
+    npotluri
+    oamsalem
+    oandriie
+    obetsun
+    ogondza
+    pacaramu
+    pacho
+    phchu
+    pkhander
+    pkumari
+    pmacik
+    prucek
+    pshivpuj
+    psrna
+    psturc
+    pszabo
+    qgong
+    qwan
+    rajkumar
+    rakshett
+    ralur
+    rbean
+    rcerven
+    rgalvao
+    rhopp
+    rlim
+    rnapoles
+    rnester
+    rrajashe
+    rsaar
+    rsevilla
+    ruhan
+    rycole
+    rzavrel
+    rzima
+    sabiswas
+    saviv
+    sbaird
+    sbudhwar
+    sconroy
+    sfathii
+    sfridman
+    sgirijan
+    sguarino
+    shebert
+    shshevac
+    sira
+    sjochman
+    skabashn
+    skoved
+    smatula
+    smikulas
+    somahesh
+    spentass
+    sselvan
+    sthangav
+    susdas
+    svatares
+    swickers
+    tbarrett
+    tbehal
+    tchandwa
+    tmadore
+    tnevrlka
+    valeksan
+    vdoubkov
+    vsokolen
+    wcheang
+    wguo
+    wlin
+    wrampazz
+    xjiang
+    xuliu
+    yherzog
+    yma
+    ynanavat
+    yuzheng
+    yzhu
+    zalsaffa
+    zxiong
+