fix: skip namespace check on cluster scoped rbac resources for auth reconcile

Signed-off-by: Christopher Coco <[email protected]>

Author: cjcocokrisp

gitops-engine/pkg/utils/kube/resource_ops.go

@@ -603,11 +603,14 @@ func (k *kubectlResourceOperations) authReconcile(ctx context.Context, obj *unst
 	if err != nil {
 		return "", fmt.Errorf("error creating kube client: %w", err)
 	}
+
+	clusterScoped := obj.GetKind() == "ClusterRole" || obj.GetKind() == "ClusterRoleBinding"
+
 	// `kubectl auth reconcile` has a side effect of auto-creating namespaces if it doesn't exist.
 	// See: https://github.com/kubernetes/kubernetes/issues/71185. This is behavior which we do
 	// not want. We need to check if the namespace exists, before know if it is safe to run this
 	// command. Skip this for dryRuns.
-	if dryRunStrategy == cmdutil.DryRunNone && obj.GetNamespace() != "" {
+	if dryRunStrategy == cmdutil.DryRunNone && obj.GetNamespace() != "" && !clusterScoped {
 		_, err = kubeClient.CoreV1().Namespaces().Get(ctx, obj.GetNamespace(), metav1.GetOptions{})
 		if err != nil {
 			return "", fmt.Errorf("error getting namespace %s: %w", obj.GetNamespace(), err)