Summary
Users bound to the org datum-cloud-viewer role get 403 on trafficprotectionpolicies.networking.datumapis.com but 200 on httpproxies when loading the AI Edge listing in cloud-portal. Both permissions originate from the same gateway-viewer role via the same inheritance chain, so this is a live-state/deployment drift issue, not a source-config bug.
Investigation (source is correct)
Inheritance chain, all present in source:
datum-cloud-viewer (datum: config/assignable-organization-roles/roles/datum-cloud-viewer.yaml)
└─ networking.datumapis.com-viewer (NSO: config/iam/roles/networking-viewer.yaml)
└─ networking.datumapis.com-gateway-viewer (NSO: config/iam/roles/gateway-viewer.yaml)
├─ httpproxies.{list,get,watch} ← since v0.3.0 (commit 3163220)
└─ trafficprotectionpolicies.{list,get,watch} ← since v0.9.0 (commit b19af94)
- Deployed to
milo-system via Flux core-control-plane-resources (infra: apps/network-services-operator/control-plane/base/core-control-plane-resources.yaml), sourced from OCIRepository network-services-operator-kustomize, component ../iam.
- That OCIRepository tracks latest in base/staging/production (no old
tag: pin anywhere in infra).
The httpproxies-✓ / WAF-✗ window maps exactly to a deployed gateway-viewer revision in [v0.3.0, v0.9.0).
Likely cause
Live gateway-viewer Role in milo-system is stale vs. the tracked bundle — Flux hasn't reconciled, is failing, or resolved a stale OCI artifact.
Verification / remediation
kubectl get role networking.datumapis.com-gateway-viewer -n milo-system -o yaml | grep trafficprotection
# if missing:
flux reconcile source oci network-services-operator-kustomize -n <flux-ns>
flux reconcile kustomization core-control-plane-resources -n <flux-ns>
# also inspect: flux get kustomization core-control-plane-resources (apply errors + resolved digest)
Affected org observed: organization-asdasd-2zxpqq (identify env: prod/staging/preview).
Related work (cloud-portal, already fixed on feat/rbac-ai-edge)
http-proxy.service.ts fetchList: WAF policy list wrapped in .catch so a trafficprotectionpolicies 403 no longer hard-fails the whole AI Edge list.edge/index.tsx: added trafficprotectionpolicies:list check → Protection column shows "—" + tooltip instead of a misleading "Disabled".
Optional follow-up (robustness, not a fix)
Consider having datum-cloud-viewer inherit gateway-viewer directly (shorter chain). Won't resolve the 403 if the deployed role is stale.
Summary
Users bound to the org
datum-cloud-viewerrole get 403 ontrafficprotectionpolicies.networking.datumapis.combut 200 onhttpproxieswhen loading the AI Edge listing in cloud-portal. Both permissions originate from the samegateway-viewerrole via the same inheritance chain, so this is a live-state/deployment drift issue, not a source-config bug.Investigation (source is correct)
Inheritance chain, all present in source:
milo-systemvia Fluxcore-control-plane-resources(infra:apps/network-services-operator/control-plane/base/core-control-plane-resources.yaml), sourced from OCIRepositorynetwork-services-operator-kustomize, component../iam.tag:pin anywhere in infra).The httpproxies-✓ / WAF-✗ window maps exactly to a deployed
gateway-viewerrevision in [v0.3.0, v0.9.0).Likely cause
Live
gateway-viewerRole inmilo-systemis stale vs. the tracked bundle — Flux hasn't reconciled, is failing, or resolved a stale OCI artifact.Verification / remediation
Affected org observed:
organization-asdasd-2zxpqq(identify env: prod/staging/preview).Related work (cloud-portal, already fixed on
feat/rbac-ai-edge)http-proxy.service.tsfetchList: WAF policy list wrapped in.catchso atrafficprotectionpolicies403 no longer hard-fails the whole AI Edge list.edge/index.tsx: addedtrafficprotectionpolicies:listcheck → Protection column shows "—" + tooltip instead of a misleading "Disabled".Optional follow-up (robustness, not a fix)
Consider having
datum-cloud-viewerinheritgateway-viewerdirectly (shorter chain). Won't resolve the 403 if the deployed role is stale.