refactor: simplify RBAC structure and fix bundle multi-namespace support #151

yalzhang · 2026-01-13T09:27:48Z

Commit da9a383 added base/overlays structure for multi-namespace support but only worked for direct install. This simplifies the structure and fixes bundle installations.

Changes:

Flatten RBAC: config/rbac/base/* → config/rbac/
Remove overlays (both platforms now use same RBAC)
Move SCC to config/openshift/scc.yaml with placeholders
Add metrics-auth to CSV clusterPermissions for OLM hash-based naming
Remove hardcoded namespaces from RoleBindings (OLM auto-injects)
Template kind/*.yaml services with placeholders
Use sed substitution for SCC and port-forward services

Multi-namespace now works for both direct install and OLM bundle by:

OLM creating unique ClusterRole/ClusterRoleBinding names per namespace
Each namespace getting its own SCC via sed substitution
No resource conflicts between operator instances

yalzhang · 2026-01-13T10:03:04Z

/retest

yalzhang · 2026-01-13T11:12:52Z

/retest

yalzhang · 2026-01-13T11:23:47Z

/test operator-lifecycle-verify

yalzhang · 2026-01-14T05:28:43Z

Tested manually and the result is as expected:

Integration test pass

Kind + direct, multi-ns, vm boot pass

Kind + bundle, multi-ns, vm boot pass

Openshift+direct, multi-ns, vm boot pass

Openshift+bundle, multi-ns, vm boot pass

Jakob-Naucke · 2026-01-14T09:14:52Z

config/rbac/kustomization.yaml.in

Could kustomization.yaml also use the sed | kubectl apply pattern so the worktree remains clean (cf. #124)?

I looked into it, and it seems that for kubectl apply -k we cannot read kustomization.yaml from stdin, so using sed | kubectl apply -k - is not possible.

Since the patches for the ClusterRoleBindings need to be defined inside kustomization.yaml, we still need the file in a directory. To keep the worktree clean, we could either use a temporary directory or restore the file after applying, but the current approach using yq -i works correctly and is simpler.

Then I'm in favour of having a kustomization.yaml.in file that yq reads from and creates kustomization.yaml out-of-place. kustomization.yaml should then be git-ignored.

Updated, Thanks

README.md

Commit da9a383 added base/overlays structure for multi-namespace support but only worked for direct install. This simplifies the structure and fixes bundle installations. Changes: - Flatten RBAC: config/rbac/base/* → config/rbac/ - Remove overlays (both platforms now use same RBAC) - Move SCC to config/openshift/scc.yaml with <NAMESPACE> placeholders - Add metrics-auth to CSV clusterPermissions for OLM hash-based naming - Remove hardcoded namespaces from RoleBindings (OLM auto-injects) - Template kind/*.yaml services with <NAMESPACE> placeholders - Use sed substitution for SCC and port-forward services - Convert kustomization.yaml → kustomization.yaml.in template with NAMESPACE placeholders - Replace 3 yq commands with single sed substitution in Makefile - Add /config/rbac/kustomization.yaml to .gitignore (now generated file) Multi-namespace now works for both direct install and OLM bundle by: - OLM creating unique ClusterRole/ClusterRoleBinding names per namespace - Each namespace getting its own SCC via sed substitution - No resource conflicts between operator instances Signed-off-by: Yalan Zhang <[email protected]>

Jakob-Naucke · 2026-01-14T17:17:20Z

@yalzhang I think this requires updates post #124:

ERRO[0000] Error: Value trusted-execution-clusters.io/v1alpha1, Kind=AttestationKey: CRD "trusted-execution-clusters.io/v1alpha1, Kind=AttestationKey" is present in bundle "trusted-cluster-operator.v0.1.0" but not defined in CSV

Update bundle to include the attestation-key-register service and AttestationKey CRD introduced in commit 2ea74dc. - Add attestation-key-register to CSV relatedImages and alm-examples - Update bundle generation script to handle ATTESTATION_KEY_REGISTER_IMAGE - Add AttestationKey RBAC viewer and admin roles - Update README with new component documentation Signed-off-by: Yalan Zhang <[email protected]>

openshift-ci · 2026-01-16T01:54:13Z

@yalzhang: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/infra-provision-verify	`36f395a`	link	true	`/test infra-provision-verify`
ci/prow/operator-lifecycle-verify	`36f395a`	link	true	`/test operator-lifecycle-verify`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci · 2026-01-16T08:51:19Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alicefr, Jakob-Naucke, yalzhang

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

yalzhang force-pushed the bundle_remove_namespace branch from c9df602 to b43eab0 Compare January 13, 2026 09:35

Jakob-Naucke reviewed Jan 14, 2026

View reviewed changes

alicefr approved these changes Jan 14, 2026

View reviewed changes

openshift-ci bot assigned alicefr Jan 14, 2026

openshift-ci bot added the lgtm label Jan 14, 2026

yalzhang force-pushed the bundle_remove_namespace branch from b43eab0 to 4d44185 Compare January 14, 2026 11:21

openshift-ci bot removed the lgtm label Jan 14, 2026

yalzhang force-pushed the bundle_remove_namespace branch 2 times, most recently from 9bbc232 to f0d28b7 Compare January 14, 2026 13:21

openshift-merge-robot added the needs-rebase label Jan 14, 2026

yalzhang force-pushed the bundle_remove_namespace branch from f0d28b7 to e9f98a8 Compare January 14, 2026 13:40

openshift-merge-robot removed the needs-rebase label Jan 14, 2026

yalzhang force-pushed the bundle_remove_namespace branch from ae1fd61 to 799fdcd Compare January 16, 2026 01:14

yalzhang force-pushed the bundle_remove_namespace branch from 799fdcd to 36f395a Compare January 16, 2026 01:51

Jakob-Naucke approved these changes Jan 16, 2026

View reviewed changes

openshift-ci bot assigned Jakob-Naucke Jan 16, 2026

openshift-ci bot added the lgtm label Jan 16, 2026

Jakob-Naucke merged commit c0463d7 into trusted-execution-clusters:main Jan 16, 2026
8 of 10 checks passed

refactor: simplify RBAC structure and fix bundle multi-namespace support #151

refactor: simplify RBAC structure and fix bundle multi-namespace support #151

Uh oh!

Conversation

yalzhang commented Jan 13, 2026

Uh oh!

yalzhang commented Jan 13, 2026

Uh oh!

yalzhang commented Jan 13, 2026

Uh oh!

yalzhang commented Jan 13, 2026

Uh oh!

yalzhang commented Jan 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Jakob-Naucke Jan 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

yalzhang Jan 14, 2026

Choose a reason for hiding this comment

Uh oh!

Jakob-Naucke Jan 14, 2026

Choose a reason for hiding this comment

Uh oh!

yalzhang Jan 14, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Jakob-Naucke commented Jan 14, 2026

Uh oh!

openshift-ci bot commented Jan 16, 2026

Uh oh!

openshift-ci bot commented Jan 16, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

yalzhang commented Jan 14, 2026 •

edited

Loading

Jakob-Naucke Jan 14, 2026 •

edited

Loading