Add cross-namespace RBAC for integration-proxy to access tenant-agents pods (#103)

Copilot · phrocker · web-flow · commit 94353777676f · 2025-11-16T15:12:50.000-05:00
* Initial plan

* Add RBAC permissions for integration-proxy to access tenant-agents namespace

Co-authored-by: phrocker &lt;1781585+phrocker@users.noreply.github.com&gt;

* Add documentation comments explaining cross-namespace RBAC setup

Co-authored-by: phrocker &lt;1781585+phrocker@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: phrocker &lt;1781585+phrocker@users.noreply.github.com&gt;
diff --git a/sentrius-chart/templates/integrationproxy-agents-role.yaml b/sentrius-chart/templates/integrationproxy-agents-role.yaml
@@ -0,0 +1,21 @@
+{{- /* 
+This Role grants the integration-proxy service account permissions to access pods and services
+in the ${TENANT}-agents namespace. This is required because the integration-proxy service
+(running in the ${TENANT} namespace) needs to list and monitor pods in both namespaces.
+
+The corresponding RoleBinding (integrationproxy-agents-rolebinding.yaml) binds the 
+service account from ${TENANT} namespace to this Role in ${TENANT}-agents namespace,
+enabling cross-namespace access.
+*/ -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-integrationproxy-agents-role
+  namespace: {{ .Values.tenant }}-agents
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "services"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get"]
diff --git a/sentrius-chart/templates/integrationproxy-agents-rolebinding.yaml b/sentrius-chart/templates/integrationproxy-agents-rolebinding.yaml
@@ -0,0 +1,22 @@
+{{- /* 
+This RoleBinding grants the integration-proxy service account (from ${TENANT} namespace)
+access to the Role in the ${TENANT}-agents namespace. This enables cross-namespace access
+so the integration-proxy can list pods and services in both the main tenant namespace and
+the agents namespace.
+
+Note: The subjects.namespace field is required for cross-namespace RoleBindings to
+explicitly specify which namespace contains the ServiceAccount being granted permissions.
+*/ -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-integrationproxy-agents-binding
+  namespace: {{ .Values.tenant }}-agents
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-integrationproxy
+    namespace: {{ .Values.tenant }}
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-integrationproxy-agents-role
+  apiGroup: rbac.authorization.k8s.io
