chore: kyverno to assign roles to users from user group in dev/stg

Add a new policy that watches the konflux-support Group
and automatically creates/updates a ClusterRoleBinding with
individual User subjects.

This enables the namespace-lister service to grant access based
on users in the group.

This change reflects on dev and stg envs only

Signed-off-by: Omer Turner <[email protected]>

Author: Omeramsc

components/policies/development/konflux-rbac/konflux-support-nslister-access/.chainsaw-test/chainsaw-assert-clusterpolicy.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-konflux-support-nslister-clusterrolebinding
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+

components/policies/development/konflux-rbac/konflux-support-nslister-access/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,358 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: verify-clusterpolicy-is-ready
+spec:
+  concurrent: false
+  description: |
+    Tests that the ClusterPolicy for generating konflux-support-nslister
+    ClusterRoleBinding is applied successfully and becomes Ready.
+  steps:
+    - name: given-kyverno-has-permission-on-resources
+      try:
+        - apply:
+            file: ../kyverno_rbac.yaml
+    - name: given-viewer-clusterrole-exists
+      try:
+        - apply:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                name: konflux-viewer-user-actions
+              rules: []
+    - name: given-group-crd-exists
+      try:
+        - apply:
+            file: resources/group-crd.yaml
+        - assert:
+            resource:
+              apiVersion: apiextensions.k8s.io/v1
+              kind: CustomResourceDefinition
+              metadata:
+                name: groups.user.openshift.io
+              status:
+                conditions:
+                - type: NamesAccepted
+                  status: "True"
+                - type: Established
+                  status: "True"
+    - name: Apply Kyverno ClusterPolicy and assert it exists
+      try:
+        - apply:
+            file: ../generate-support-nslister-clusterrolebinding-clusterpolicy.yaml
+        - assert:
+            file: chainsaw-assert-clusterpolicy.yaml
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: clusterrolebinding-created-with-users
+spec:
+  concurrent: false
+  description: |
+    Tests that when a konflux-support Group is created with users,
+    a ClusterRoleBinding is generated with individual User subjects,
+    the correct label, and the konflux-viewer-user-actions ClusterRole.
+  steps:
+    - name: given-kyverno-has-permission-on-resources
+      try:
+        - apply:
+            file: ../kyverno_rbac.yaml
+    - name: given-viewer-clusterrole-exists
+      try:
+        - apply:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                name: konflux-viewer-user-actions
+              rules: []
+    - name: given-group-crd-exists
+      try:
+        - apply:
+            file: resources/group-crd.yaml
+        - assert:
+            resource:
+              apiVersion: apiextensions.k8s.io/v1
+              kind: CustomResourceDefinition
+              metadata:
+                name: groups.user.openshift.io
+              status:
+                conditions:
+                - type: NamesAccepted
+                  status: "True"
+                - type: Established
+                  status: "True"
+    - name: Apply Kyverno ClusterPolicy
+      try:
+        - apply:
+            file: ../generate-support-nslister-clusterrolebinding-clusterpolicy.yaml
+        - assert:
+            file: chainsaw-assert-clusterpolicy.yaml
+    - name: Create konflux-support Group with users
+      try:
+        - create:
+            file: ./resources/group-with-users.yaml
+    - name: Assert ClusterRoleBinding is created correctly
+      try:
+        - assert:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                name: konflux-support-nslister
+                labels:
+                  namespace-lister.konflux-ci.dev/use-for-access: 'true'
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: konflux-viewer-user-actions
+              subjects:
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: User
+                  name: alice
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: User
+                  name: bob
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: User
+                  name: charlie
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: clusterrolebinding-updated-when-users-added
+spec:
+  concurrent: false
+  description: |
+    Tests that when users are added to the konflux-support Group,
+    the ClusterRoleBinding subjects are updated to include the new users.
+  steps:
+    - name: given-kyverno-has-permission-on-resources
+      try:
+        - apply:
+            file: ../kyverno_rbac.yaml
+    - name: given-viewer-clusterrole-exists
+      try:
+        - apply:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                name: konflux-viewer-user-actions
+              rules: []
+    - name: given-group-crd-exists
+      try:
+        - apply:
+            file: resources/group-crd.yaml
+        - assert:
+            resource:
+              apiVersion: apiextensions.k8s.io/v1
+              kind: CustomResourceDefinition
+              metadata:
+                name: groups.user.openshift.io
+              status:
+                conditions:
+                - type: NamesAccepted
+                  status: "True"
+                - type: Established
+                  status: "True"
+    - name: Apply Kyverno ClusterPolicy
+      try:
+        - apply:
+            file: ../generate-support-nslister-clusterrolebinding-clusterpolicy.yaml
+        - assert:
+            file: chainsaw-assert-clusterpolicy.yaml
+    - name: Create konflux-support Group with initial users
+      try:
+        - create:
+            file: ./resources/group-with-users.yaml
+    - name: Verify initial ClusterRoleBinding
+      try:
+        - assert:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                name: konflux-support-nslister
+    - name: Update Group with more users
+      try:
+        - apply:
+            file: ./resources/group-with-more-users.yaml
+    - name: Assert ClusterRoleBinding is updated with new users
+      try:
+        - assert:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                name: konflux-support-nslister
+                labels:
+                  namespace-lister.konflux-ci.dev/use-for-access: 'true'
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: konflux-viewer-user-actions
+              subjects:
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: User
+                  name: alice
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: User
+                  name: bob
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: User
+                  name: charlie
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: User
+                  name: david
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: User
+                  name: eve
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: clusterrolebinding-updated-when-users-removed
+spec:
+  concurrent: false
+  description: |
+    Tests that when users are removed from the konflux-support Group,
+    the ClusterRoleBinding subjects are updated to remove those users.
+  steps:
+    - name: given-kyverno-has-permission-on-resources
+      try:
+        - apply:
+            file: ../kyverno_rbac.yaml
+    - name: given-viewer-clusterrole-exists
+      try:
+        - apply:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                name: konflux-viewer-user-actions
+              rules: []
+    - name: given-group-crd-exists
+      try:
+        - apply:
+            file: resources/group-crd.yaml
+        - assert:
+            resource:
+              apiVersion: apiextensions.k8s.io/v1
+              kind: CustomResourceDefinition
+              metadata:
+                name: groups.user.openshift.io
+              status:
+                conditions:
+                - type: NamesAccepted
+                  status: "True"
+                - type: Established
+                  status: "True"
+    - name: Apply Kyverno ClusterPolicy
+      try:
+        - apply:
+            file: ../generate-support-nslister-clusterrolebinding-clusterpolicy.yaml
+        - assert:
+            file: chainsaw-assert-clusterpolicy.yaml
+    - name: Create konflux-support Group with multiple users
+      try:
+        - create:
+            file: ./resources/group-with-users.yaml
+    - name: Verify initial ClusterRoleBinding
+      try:
+        - assert:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                name: konflux-support-nslister
+    - name: Update Group with fewer users
+      try:
+        - apply:
+            file: ./resources/group-with-fewer-users.yaml
+    - name: Assert ClusterRoleBinding is updated with fewer users
+      try:
+        - assert:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                name: konflux-support-nslister
+                labels:
+                  namespace-lister.konflux-ci.dev/use-for-access: 'true'
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: konflux-viewer-user-actions
+              subjects:
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: User
+                  name: alice
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: clusterrolebinding-with-empty-group
+spec:
+  concurrent: false
+  description: |
+    Tests that when the konflux-support Group has no users,
+    the ClusterRoleBinding is still created but with empty subjects.
+  steps:
+    - name: given-kyverno-has-permission-on-resources
+      try:
+        - apply:
+            file: ../kyverno_rbac.yaml
+    - name: given-viewer-clusterrole-exists
+      try:
+        - apply:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                name: konflux-viewer-user-actions
+              rules: []
+    - name: given-group-crd-exists
+      try:
+        - apply:
+            file: resources/group-crd.yaml
+        - assert:
+            resource:
+              apiVersion: apiextensions.k8s.io/v1
+              kind: CustomResourceDefinition
+              metadata:
+                name: groups.user.openshift.io
+              status:
+                conditions:
+                - type: NamesAccepted
+                  status: "True"
+                - type: Established
+                  status: "True"
+    - name: Apply Kyverno ClusterPolicy
+      try:
+        - apply:
+            file: ../generate-support-nslister-clusterrolebinding-clusterpolicy.yaml
+        - assert:
+            file: chainsaw-assert-clusterpolicy.yaml
+    - name: Create konflux-support Group with no users
+      try:
+        - create:
+            file: ./resources/group-empty.yaml
+    - name: Assert ClusterRoleBinding exists with correct metadata
+      try:
+        - assert:
+            resource:
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                name: konflux-support-nslister
+                labels:
+                  namespace-lister.konflux-ci.dev/use-for-access: 'true'
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: konflux-viewer-user-actions
+

components/policies/development/konflux-rbac/konflux-support-nslister-access/.chainsaw-test/resources/group-crd.yaml

@@ -0,0 +1,27 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: groups.user.openshift.io
+spec:
+  group: user.openshift.io
+  names:
+    kind: Group
+    listKind: GroupList
+    plural: groups
+    singular: group
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        required:
+        - users
+        properties:
+          users:
+            type: array
+            items:
+              type: string
+