From 58da58fcd6b90deb4dd85dc8bf82eb70c98ad546 Mon Sep 17 00:00:00 2001
From: "Per G. da Silva"
Date: Tue, 28 Apr 2026 11:11:07 +0200
Subject: [PATCH] Add RBAC manifest for lifecycle-server API access

Add a ClusterRole and ClusterRoleBinding that grant the console ServiceAccount read access to the lifecycle-server nonResourceURL paths (/api/*/lifecycles/*). The lifecycle-server authenticates callers via TokenReview and authorizes them via SubjectAccessReview on nonResourceURLs. These RBAC resources allow the console backend to call the lifecycle API using its pod ServiceAccount token. The manifest is gated behind TechPreviewNoUpgrade and scoped to the Console capability.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ...onsole-user-operator-lifecycle-reader.yaml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 manifests/03-rbac-role-cluster-openshift-console-user-operator-lifecycle-reader.yaml

diff --git a/manifests/03-rbac-role-cluster-openshift-console-user-operator-lifecycle-reader.yaml b/manifests/03-rbac-role-cluster-openshift-console-user-operator-lifecycle-reader.yaml
new file mode 100644
index 000000000..3db49ec69
--- /dev/null
+++ b/manifests/03-rbac-role-cluster-openshift-console-user-operator-lifecycle-reader.yaml
@@ -0,0 +1,45 @@
+# RBAC required for the OpenShift Console to access the lifecycle-server API.
+#
+# The lifecycle-server authenticates callers via TokenReview and authorizes
+# them via SubjectAccessReview on nonResourceURLs. The console backend uses
+# its pod ServiceAccount token to authenticate, so that SA needs permission
+# to GET the lifecycle API paths.
+#
+# These resources should be managed by the console-operator. They are
+# provided here as a reference for development and testing.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:openshift:console:lifecycle-reader
+ annotations:
+ release.openshift.io/feature-set: "TechPreviewNoUpgrade"
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Console
+rules:
+ - nonResourceURLs:
+ - "/api/*/lifecycles/*"
+ verbs:
+ - "get"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: console-lifecycle-reader
+ annotations:
+ release.openshift.io/feature-set: "TechPreviewNoUpgrade"
+ include.release.openshift.io/hypershift: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+ capability.openshift.io/name: Console
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:console:lifecycle-reader
+subjects:
+ - kind: ServiceAccount
+ name: console
+ namespace: openshift-console
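Review bot: The ClusterRole's `nonResourceURLs` entry `"/api/*/lifecycles/*"` puts a wildcard in the middle of the path, but Kubernetes RBAC only honours `*` as the final segment of a nonResourceURL (a rule matches the exact path or a prefix that ends in `*`), so as far as I can tell the SubjectAccessReview the lifecycle-server performs would never be satisfied by this rule and the console ServiceAccount would be denied; the API server may also reject the rule outright at validation time. Replace it with one entry per API version the lifecycle-server actually serves, e.g. `- "/api/v1/lifecycles/*"` (constructed — substitute the real version segment), which also keeps the grant tighter than a bare `"/api/*"` prefix would. Separately, the header comment says these resources are "provided here as a reference for development and testing", yet the `release.openshift.io/feature-set` and `include.release.openshift.io/*` annotations mean the manifest is applied from the release payload once TechPreviewNoUpgrade is enabled, as the commit message itself states, so that sentence should be dropped or reworded to say the console-operator is the intended long-term owner while this manifest is what ships today. The same annotation block is duplicated on the ClusterRoleBinding, so both copies must be kept in sync if the gating ever changes.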