
fix(manifests): wire ambient-control-plane-rbac.yaml into mpp-openshift kustomization#1167

Merged
markturansky merged 1 commit intoalphafrom
fix/cp-tenant-namespace-rbac
Apr 2, 2026

Conversation

@markturansky
Contributor

@markturansky markturansky commented Apr 2, 2026

Summary

  • `ambient-control-plane-rbac.yaml` already existed in the mpp-openshift overlay with the correct Role/RoleBinding granting the CP service account get/list/watch/create/delete on `tenantnamespaces.tenant.paas.redhat.com` in `ambient-code--config`
  • The file was never listed in `kustomization.yaml`, so it was never applied, causing Forbidden errors when the MPPNamespaceProvisioner tried to manage TenantNamespace CRs
  • Fix: add `- ambient-control-plane-rbac.yaml` to the `resources:` list

Root Cause

Error observed after PR #1162 merged:

```text
tenantnamespaces.tenant.paas.redhat.com "test" is forbidden:
User "system:serviceaccount:ambient-code--ambient-s0:ambient-control-plane"
cannot get resource "tenantnamespaces" in API group "tenant.paas.redhat.com"
in the namespace "ambient-code--config"
```

Test plan

  • Apply kustomize overlay to MPP cluster and confirm no Forbidden errors on tenantnamespaces operations
  • CP pod logs should show successful project namespace provisioning

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated infrastructure configuration to include additional role-based access control settings for enhanced security management.

…ft kustomization

The RBAC Role/RoleBinding granting the control-plane SA get/list/watch/create/delete
on tenantnamespaces.tenant.paas.redhat.com in ambient-code--config already existed
but was never referenced in kustomization.yaml, causing Forbidden errors when the
MPP provisioner tried to manage TenantNamespace CRs.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@coderabbitai
Contributor

coderabbitai bot commented Apr 2, 2026

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

A Kustomize overlay configuration for mpp-openshift was updated to include a new RBAC resource file reference without altering other configuration sections.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| **Kustomize Configuration** `components/manifests/overlays/mpp-openshift/kustomization.yaml` | Added `ambient-control-plane-rbac.yaml` to the resources list. |
🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Kubernetes Resource Safety | ❓ Inconclusive | Cannot execute shell commands to examine Kubernetes manifests and RBAC configurations in the repository. | Provide the actual content of kustomization.yaml and ambient-control-plane-rbac.yaml files to assess Kubernetes resource safety and RBAC permission concerns. |

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | Title follows Conventional Commits format (fix(manifests):) and accurately describes the main change: adding ambient-control-plane-rbac.yaml to the kustomization resources. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Performance And Algorithmic Complexity | ✅ Passed | Pull request modifies only a Kustomization YAML configuration file, adding a single resource reference with no algorithmic logic, loops, API calls, caching, pagination, or frontend impact. |
| Security And Secret Handling | ✅ Passed | PR adds RBAC manifest reference with proper secret handling via Kubernetes Secrets; no credentials embedded. |


Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms



@markturansky markturansky merged commit 0445893 into alpha Apr 2, 2026
38 checks passed
@markturansky markturansky deleted the fix/cp-tenant-namespace-rbac branch April 2, 2026 18:24
markturansky added a commit that referenced this pull request Apr 2, 2026
…cement (#1168)

## Summary

Follow-up to #1167. The wired-in RBAC had two issues:

1. **Wrong subject namespace**: `subjects[0].namespace` was hardcoded to
`ambient-code--runtime-int`, but the CP runs in whatever namespace the
overlay deploys to. When deployed to `ambient-code--ambient-s0`, the
binding was silently wrong.
2. **Duplicate ClusterRole/ClusterRoleBinding**: The overlay had its own
`ClusterRole`/`ClusterRoleBinding` duplicating what
`base/rbac/control-plane-clusterrole.yaml` already provides.

## Fix

- Remove the duplicated `ClusterRole`/`ClusterRoleBinding` from
`ambient-control-plane-rbac.yaml`
- Keep only the MPP-specific `Role`/`RoleBinding` for
`tenantnamespaces.tenant.paas.redhat.com`
- Add a Kustomize `replacement` that sources `subjects[0].namespace`
from the `ambient-control-plane` ServiceAccount's `metadata.namespace` —
which Kustomize automatically rewrites to match the overlay's
`namespace:` field. Any future overlay deploying to a different
namespace gets the correct binding automatically, with zero duplication.

## Verification

```
kustomize build components/manifests/overlays/mpp-openshift/
# RoleBinding subjects[0].namespace == ambient-code--runtime-int ✓
```

## Test plan
- [ ] Apply to MPP cluster and confirm no Forbidden errors on
`tenantnamespaces` operations
- [ ] CP pod logs show successful project namespace provisioning

🤖 Generated with [Claude Code](https://claude.ai/code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
  * Simplified permissions by removing unused role declarations.
  * Improved namespace configuration synchronization for role bindings.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
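Both the original fix and the #1168 follow-up come down to one question a defender can check mechanically against `kustomize build` output: is the `ambient-control-plane` ServiceAccount, in the namespace the control plane actually runs in, bound inside `ambient-code--config` to a Role that grants get/list/watch/create/delete on `tenantnamespaces.tenant.paas.redhat.com`? The Python check below is an added example, not code from the repository or from either PR. It expects the built manifest already parsed into a list of objects (PyYAML's `safe_load_all` is assumed for real output); the Role/RoleBinding names and the sample objects in `sample_manifest` are constructed stand-ins, not the project's manifests. It reports both failure modes from this thread: the RBAC file never being applied (no granting Role present), and a RoleBinding whose subject namespace is hardcoded to something other than the namespace the overlay deploys to.

```python
"""Check that a built Kustomize overlay grants the control-plane ServiceAccount
the namespaced RBAC it needs on TenantNamespace CRs.

Added example, not project code. Expects the built manifest already parsed into
a list of dicts (e.g. PyYAML's safe_load_all over `kustomize build` output).
"""
from __future__ import annotations

API_GROUP = "tenant.paas.redhat.com"
RESOURCE = "tenantnamespaces"
REQUIRED_VERBS = {"get", "list", "watch", "create", "delete"}
TARGET_NS = "ambient-code--config"      # namespace the TenantNamespace CRs live in
SA_NAME = "ambient-control-plane"       # control-plane ServiceAccount name


def role_grants(role: dict) -> bool:
    """True if a Role's rules cover every required verb on the resource.

    A rule matches when both the API group and the resource name match (or are
    wildcarded); verbs from all matching rules are unioned before comparing.
    """
    verbs = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if (API_GROUP in groups or "*" in groups) and (RESOURCE in resources or "*" in resources):
            verbs |= set(rule.get("verbs", []))
    return "*" in verbs or REQUIRED_VERBS <= verbs


def check_tenantnamespace_rbac(docs: list[dict], cp_namespace: str) -> list[str]:
    """Return findings explaining why the SA would get Forbidden; [] means OK.

    Only the namespaced Role -> RoleBinding path described in the PR is
    checked; cluster-scoped grants are deliberately out of scope here.
    """
    findings = []
    in_target = [d for d in docs if d.get("metadata", {}).get("namespace") == TARGET_NS]
    granting = {d["metadata"].get("name", "?") for d in in_target
                if d.get("kind") == "Role" and role_grants(d)}
    if not granting:
        # The #1167 failure mode: the RBAC file was never applied at all.
        findings.append(f"no Role in {TARGET_NS} grants {sorted(REQUIRED_VERBS)} "
                        f"on {RESOURCE}.{API_GROUP} (resource not wired into kustomization?)")
        return findings

    bound = False
    for rb in (d for d in in_target if d.get("kind") == "RoleBinding"):
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "Role" or ref.get("name") not in granting:
            continue
        for subj in rb.get("subjects", []):
            if subj.get("kind") != "ServiceAccount" or subj.get("name") != SA_NAME:
                continue
            if subj.get("namespace") == cp_namespace:
                bound = True
            else:
                # The #1168 failure mode: binding exists but names the wrong SA namespace.
                findings.append(f"RoleBinding {rb['metadata'].get('name', '?')} binds {SA_NAME} "
                                f"in namespace {subj.get('namespace')!r}, but the control plane "
                                f"runs in {cp_namespace!r}")
    if not bound and not findings:
        findings.append(f"no RoleBinding in {TARGET_NS} binds {SA_NAME} from {cp_namespace} "
                        f"to a granting Role")
    return findings


def sample_manifest(subject_namespace: str) -> list[dict]:
    """Constructed stand-in for a built overlay; the object names are hypothetical."""
    name = "ambient-control-plane-tenantnamespaces"
    return [
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
         "metadata": {"name": name, "namespace": TARGET_NS},
         "rules": [{"apiGroups": [API_GROUP], "resources": [RESOURCE],
                    "verbs": sorted(REQUIRED_VERBS)}]},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
         "metadata": {"name": name, "namespace": TARGET_NS},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
         "subjects": [{"kind": "ServiceAccount", "name": SA_NAME,
                       "namespace": subject_namespace}]},
    ]


if __name__ == "__main__":
    # Usage: kustomize build overlays/mpp-openshift | python check_rbac.py <cp-namespace>
    import sys
    import yaml  # PyYAML, only needed when reading real build output

    objects = [d for d in yaml.safe_load_all(sys.stdin) if isinstance(d, dict)]
    problems = check_tenantnamespace_rbac(objects, sys.argv[1])
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run against `sample_manifest("ambient-code--runtime-int")` with `cp_namespace="ambient-code--ambient-s0"` it produces exactly the silent mismatch #1168 describes, while the same manifest with the subject namespace set to the deploy namespace produces no findings. Because it consumes the rendered output rather than the overlay sources, it also exercises the Kustomize `replacement` end to end: if the replacement ever stops rewriting `subjects[0].namespace`, the check fails before the overlay reaches a cluster.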