openshift · perdasilva · Apr 28, 2026
diff --git a/manifests/03-rbac-role-cluster-openshift-console-user-operator-lifecycle-reader.yaml b/manifests/03-rbac-role-cluster-openshift-console-user-operator-lifecycle-reader.yaml
@@ -0,0 +1,45 @@
+# RBAC required for the OpenShift Console to access the lifecycle-server API.
+#
+# The lifecycle-server authenticates callers via TokenReview and authorizes
+# them via SubjectAccessReview on nonResourceURLs. The console backend uses
+# its pod ServiceAccount token to authenticate, so that SA needs permission
+# to GET the lifecycle API paths.
+#
+# These resources should be managed by the console-operator. They are
+# provided here as a reference for development and testing.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:openshift:console:lifecycle-reader
+  annotations:
+    release.openshift.io/feature-set: "TechPreviewNoUpgrade"
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    capability.openshift.io/name: Console
+rules:
+  - nonResourceURLs:
+      - "/api/*/lifecycles/*"
+    verbs:
+      - "get"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: console-lifecycle-reader
+  annotations:
+    release.openshift.io/feature-set: "TechPreviewNoUpgrade"
+    include.release.openshift.io/hypershift: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    capability.openshift.io/name: Console
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:console:lifecycle-reader
+subjects:
+  - kind: ServiceAccount
+    name: console
+    namespace: openshift-console