proposal: Restricted CRDs with RBACPolicy for Multi-Tenant RBAC by MaxRink · Pull Request #56 · telekom/auth-operator

MaxRink · 2026-02-08T01:14:43Z

Summary

This proposal introduces Restricted CRD variants for tenant use with policy limits managed separately by platform administrators via a new RBACPolicy CRD.

Key Features

New CRDs

RestrictedRoleDefinition - Tenant-managed roles within policy guardrails
RestrictedBindDefinition - Tenant-managed bindings within policy guardrails
RBACPolicy - Platform admin-managed policy limits (alternatives: TenantRBACConstraint, RBACBoundary, RBACGuardrail)

Security Model

Explicit policy binding - Resources must reference their governing policy via rbacPolicyRef
Continuous enforcement - Validate on every reconcile, deprovision on violation
Impersonation-based enforcement - Operator can impersonate tenant-specific SA for defense-in-depth
RBAC escalation prevention - Users can't grant more than they have
Full audit trail - Track creator/modifier with timestamps

Design Principles

Standard K8s selectors - matchLabels, matchExpressions (In, NotIn, Exists, DoesNotExist)
Simple wildcards for names - prefix*, *suffix - NO regex
BindDefinition integration - Use existing BindDef to provision SAs that RBACPolicy references

Use Cases

ServiceAccount-only tenants - Restrict to SA subjects (no User/Group)
Cross-namespace operator access - Allow operators to bind in tenant namespaces
Compliance requirements - Enforce audit annotations, restrict admin groups
CI/CD pipelines - Limit CI SAs to CI namespaces
Impersonation-based least privilege - Three-layer protection model

Implementation Options

Option 1: Built-in admission webhooks (recommended)
Option 2: Kyverno policies (external dependency)
Option 3: OPA/Gatekeeper integration

Files

docs/proposals/restricted-crds-with-rbac-policy.md

Discussion Points

Naming: RBACPolicy vs alternatives
Should impersonation SA be auto-created or require pre-provisioning?
Kyverno vs built-in webhooks for policy enforcement
Scope: Start with RestrictedBindDefinition only, add RestrictedRoleDefinition later?

Copilot

Pull request overview

Adds a design proposal to extend the auth-operator with tenant-facing “Restricted” CRDs governed by an admin-managed RBACPolicy CRD, aiming to enable self-service RBAC while preventing privilege escalation in multi-tenant clusters.

Changes:

Introduces a comprehensive proposal for RBACPolicy, RestrictedRoleDefinition, and RestrictedBindDefinition.
Describes enforcement mechanisms (admission webhook vs Kyverno), continuous reconcile-time validation, and deprovisioning on policy violations.
Documents selector semantics, mirroring behavior, and an impersonation-based defense-in-depth model.

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

REUSE.toml

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

- Fix YAML indentation: environment field now properly nested under matchLabels - Standardize prefix matching: remove '*' from forbiddenNamespacePrefixes values (field name implies prefix match, no wildcard needed) - Fix v.client -> v.Client capitalization for exported struct field - Fix audit annotations: use admission.Response.AuditAnnotations instead of mutating object in validating webhook (validating webhooks cannot mutate) - Remove validateMirroringLimits from RestrictedBindDefinition validator (mirroring is a RoleDefinition concern, not BindDefinition) - Fix targetNamespaceLimits schema location: wrap under spec.bindingLimits to match the main CRD schema definition

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 17 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

github-actions · 2026-02-24T12:54:47Z

📊 Output Delta Report

Generated RBAC resources from config/samples/ compared across branches.

Prometheus Metrics (PR branch)

📈 auth_operator_* metrics

auth_operator_api_discovery_duration_seconds_bucket{le="+Inf"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.005"} 0
auth_operator_api_discovery_duration_seconds_bucket{le="0.01"} 0
auth_operator_api_discovery_duration_seconds_bucket{le="0.025"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.05"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.1"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.25"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="0.5"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="1"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="10"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="2.5"} 1
auth_operator_api_discovery_duration_seconds_bucket{le="5"} 1
auth_operator_api_discovery_duration_seconds_count 1
auth_operator_api_discovery_duration_seconds_sum 0.020004648
auth_operator_api_discovery_errors_total 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-cluster-only"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-complex-selectors"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-default-ns-test"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-disjoint-selectors"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-generated-sa"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-missing-clusterrole"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-missing-role"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-mixed-refs"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-preexisting-role"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-preexisting-sa"} 1
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-shared-generated-sa-a"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-shared-generated-sa-b"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-shared-sa-consumer-a"} 1
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-edge-shared-sa-consumer-b"} 1
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-gitops-controllers"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-mixed-binding-types"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-monitoring-stack"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-namespace-only"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-overlapping-selectors"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-platform-admins"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-readonly-ui"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-security-auditors"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-tenant-alpha-team"} 0
auth_operator_external_serviceaccounts_referenced{binddefinition="bd-tenant-beta-team"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-cluster-only",resource_type="ClusterRoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-cluster-only",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-cluster-only",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-complex-selectors",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-complex-selectors",resource_type="RoleBinding"} 21
auth_operator_managed_resources{controller="BindDefinition",name="bd-complex-selectors",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-default-ns-test",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-default-ns-test",resource_type="RoleBinding"} 4
auth_operator_managed_resources{controller="BindDefinition",name="bd-default-ns-test",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-disjoint-selectors",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-disjoint-selectors",resource_type="RoleBinding"} 6
auth_operator_managed_resources{controller="BindDefinition",name="bd-disjoint-selectors",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-generated-sa",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-generated-sa",resource_type="RoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-generated-sa",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-clusterrole",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-clusterrole",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-clusterrole",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-role",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-role",resource_type="RoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-missing-role",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-mixed-refs",resource_type="ClusterRoleBinding"} 3
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-mixed-refs",resource_type="RoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-mixed-refs",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-role",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-role",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-role",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-sa",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-sa",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-preexisting-sa",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-a",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-a",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-a",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-b",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-b",resource_type="RoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-generated-sa-b",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-a",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-a",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-a",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-b",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-b",resource_type="RoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-edge-shared-sa-consumer-b",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-gitops-controllers",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-gitops-controllers",resource_type="RoleBinding"} 6
auth_operator_managed_resources{controller="BindDefinition",name="bd-gitops-controllers",resource_type="ServiceAccount"} 6
auth_operator_managed_resources{controller="BindDefinition",name="bd-mixed-binding-types",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-mixed-binding-types",resource_type="RoleBinding"} 24
auth_operator_managed_resources{controller="BindDefinition",name="bd-mixed-binding-types",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-monitoring-stack",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-monitoring-stack",resource_type="RoleBinding"} 4
auth_operator_managed_resources{controller="BindDefinition",name="bd-monitoring-stack",resource_type="ServiceAccount"} 5
auth_operator_managed_resources{controller="BindDefinition",name="bd-namespace-only",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-namespace-only",resource_type="RoleBinding"} 4
auth_operator_managed_resources{controller="BindDefinition",name="bd-namespace-only",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-overlapping-selectors",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-overlapping-selectors",resource_type="RoleBinding"} 5
auth_operator_managed_resources{controller="BindDefinition",name="bd-overlapping-selectors",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-platform-admins",resource_type="ClusterRoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-platform-admins",resource_type="RoleBinding"} 3
auth_operator_managed_resources{controller="BindDefinition",name="bd-platform-admins",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-readonly-ui",resource_type="ClusterRoleBinding"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-readonly-ui",resource_type="RoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-readonly-ui",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-security-auditors",resource_type="ClusterRoleBinding"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-security-auditors",resource_type="RoleBinding"} 14
auth_operator_managed_resources{controller="BindDefinition",name="bd-security-auditors",resource_type="ServiceAccount"} 0
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-alpha-team",resource_type="ClusterRoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-alpha-team",resource_type="RoleBinding"} 20
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-alpha-team",resource_type="ServiceAccount"} 1
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-beta-team",resource_type="ClusterRoleBinding"} 3
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-beta-team",resource_type="RoleBinding"} 2
auth_operator_managed_resources{controller="BindDefinition",name="bd-tenant-beta-team",resource_type="ServiceAccount"} 1
auth_operator_namespaces_active{binddefinition="bd-cluster-only"} 0
auth_operator_namespaces_active{binddefinition="bd-complex-selectors"} 7
auth_operator_namespaces_active{binddefinition="bd-default-ns-test"} 2
auth_operator_namespaces_active{binddefinition="bd-disjoint-selectors"} 6
auth_operator_namespaces_active{binddefinition="bd-edge-generated-sa"} 1
auth_operator_namespaces_active{binddefinition="bd-edge-missing-clusterrole"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-missing-role"} 1
auth_operator_namespaces_active{binddefinition="bd-edge-mixed-refs"} 1
auth_operator_namespaces_active{binddefinition="bd-edge-preexisting-role"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-preexisting-sa"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-shared-generated-sa-a"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-shared-generated-sa-b"} 1
auth_operator_namespaces_active{binddefinition="bd-edge-shared-sa-consumer-a"} 0
auth_operator_namespaces_active{binddefinition="bd-edge-shared-sa-consumer-b"} 0
auth_operator_namespaces_active{binddefinition="bd-gitops-controllers"} 2
auth_operator_namespaces_active{binddefinition="bd-mixed-binding-types"} 6
auth_operator_namespaces_active{binddefinition="bd-monitoring-stack"} 2
auth_operator_namespaces_active{binddefinition="bd-namespace-only"} 2
auth_operator_namespaces_active{binddefinition="bd-overlapping-selectors"} 5
auth_operator_namespaces_active{binddefinition="bd-platform-admins"} 3
auth_operator_namespaces_active{binddefinition="bd-readonly-ui"} 1
auth_operator_namespaces_active{binddefinition="bd-security-auditors"} 7
auth_operator_namespaces_active{binddefinition="bd-tenant-alpha-team"} 4
auth_operator_namespaces_active{binddefinition="bd-tenant-beta-team"} 1
auth_operator_rbac_resources_applied_total{resource_type="ClusterRole"} 10
auth_operator_rbac_resources_applied_total{resource_type="ClusterRoleBinding"} 76
auth_operator_rbac_resources_applied_total{resource_type="Role"} 8
auth_operator_rbac_resources_applied_total{resource_type="RoleBinding"} 199
auth_operator_rbac_resources_applied_total{resource_type="ServiceAccount"} 62
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="+Inf"} 67
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.005"} 0
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.01"} 2
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.025"} 6
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.05"} 15
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.1"} 34
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.25"} 59
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="0.5"} 67
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="1"} 67
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="10"} 67
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="2.5"} 67
auth_operator_reconcile_duration_seconds_bucket{controller="BindDefinition",le="5"} 67
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="+Inf"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.005"} 74
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.01"} 80
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.025"} 118
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.05"} 132
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.1"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.25"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="0.5"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="1"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="10"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="2.5"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleBindingTerminator",le="5"} 135
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="+Inf"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.005"} 0
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.01"} 0
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.025"} 0
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.05"} 1
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.1"} 10
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.25"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="0.5"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="1"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="10"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="2.5"} 18
auth_operator_reconcile_duration_seconds_bucket{controller="RoleDefinition",le="5"} 18
auth_operator_reconcile_duration_seconds_count{controller="BindDefinition"} 67
auth_operator_reconcile_duration_seconds_count{controller="RoleBindingTerminator"} 135
auth_operator_reconcile_duration_seconds_count{controller="RoleDefinition"} 18
auth_operator_reconcile_duration_seconds_sum{controller="BindDefinition"} 8.841528756
auth_operator_reconcile_duration_seconds_sum{controller="RoleBindingTerminator"} 1.429492562
auth_operator_reconcile_duration_seconds_sum{controller="RoleDefinition"} 2.054126663
auth_operator_reconcile_total{controller="BindDefinition",result="degraded"} 32
auth_operator_reconcile_total{controller="BindDefinition",result="success"} 35
auth_operator_reconcile_total{controller="RoleBindingTerminator",result="skipped"} 13
auth_operator_reconcile_total{controller="RoleBindingTerminator",result="success"} 122
auth_operator_reconcile_total{controller="RoleDefinition",result="success"} 18
auth_operator_role_refs_missing{binddefinition="bd-cluster-only"} 1
auth_operator_role_refs_missing{binddefinition="bd-complex-selectors"} 0
auth_operator_role_refs_missing{binddefinition="bd-default-ns-test"} 0
auth_operator_role_refs_missing{binddefinition="bd-disjoint-selectors"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-generated-sa"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-missing-clusterrole"} 1
auth_operator_role_refs_missing{binddefinition="bd-edge-missing-role"} 1
auth_operator_role_refs_missing{binddefinition="bd-edge-mixed-refs"} 3
auth_operator_role_refs_missing{binddefinition="bd-edge-preexisting-role"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-preexisting-sa"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-shared-generated-sa-a"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-shared-generated-sa-b"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-shared-sa-consumer-a"} 0
auth_operator_role_refs_missing{binddefinition="bd-edge-shared-sa-consumer-b"} 1
auth_operator_role_refs_missing{binddefinition="bd-gitops-controllers"} 0
auth_operator_role_refs_missing{binddefinition="bd-mixed-binding-types"} 5
auth_operator_role_refs_missing{binddefinition="bd-monitoring-stack"} 0
auth_operator_role_refs_missing{binddefinition="bd-namespace-only"} 2
auth_operator_role_refs_missing{binddefinition="bd-overlapping-selectors"} 0
auth_operator_role_refs_missing{binddefinition="bd-platform-admins"} 0
auth_operator_role_refs_missing{binddefinition="bd-readonly-ui"} 0
auth_operator_role_refs_missing{binddefinition="bd-security-auditors"} 7
auth_operator_role_refs_missing{binddefinition="bd-tenant-alpha-team"} 7
auth_operator_role_refs_missing{binddefinition="bd-tenant-beta-team"} 0
auth_operator_serviceaccount_skipped_preexisting_total{binddefinition="bd-edge-preexisting-sa"} 2
auth_operator_serviceaccount_skipped_preexisting_total{binddefinition="bd-edge-shared-sa-consumer-a"} 2
auth_operator_serviceaccount_skipped_preexisting_total{binddefinition="bd-edge-shared-sa-consumer-b"} 2

⚠️ Controller Logs

Errors/Warnings Found in Logs (click to expand)

Error Summary from Controller Logs

Warning/Error Events (ALL)

default                2m8s        Warning   RoleRefNotFound             binddefinition/bd-platform-admins                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/t-caas-platform-admin-reader ClusterRole/t-caas-tenant-operator]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                           2m8s         1       bd-platform-admins.18972fd0dadeada6
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                    BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   4m11s        1       bd-cluster-only.18972fb440f026a5
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                    BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   4m11s        1       bd-cluster-only.18972fb441e7fd6c
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                    BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   2m9s         1       bd-cluster-only.18972fd0b7c903c7
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                    BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   2m9s         2       bd-cluster-only.18972fd0b88955fe
default                9s          Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                    BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-qb2bw    Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   9s           1       bd-cluster-only.18972fecba42c59b
default                9s          Warning   RoleRefNotFound             binddefinition/bd-cluster-only                                                                    BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-qb2bw    Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   9s           2       bd-cluster-only.18972fecbaebb78c
default                4m2s        Warning   Deletion                    binddefinition/bd-complex-selectors                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Deleting target resource RoleBinding/complex-selector-test-view-binding in namespace tenant-alpha-prod                                                                                                                                                                                                                                                                                                                                                                                                                                                4m2s         2       bd-complex-selectors.18972fb663b02f4f
default                2m          Warning   Deletion                    binddefinition/bd-complex-selectors                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Deleting target resource RoleBinding/complex-selector-test-view-binding in namespace tenant-alpha-staging                                                                                                                                                                                                                                                                                                                                                                                                                                             2m           2       bd-complex-selectors.18972fd2ddb7c51c
default                4m2s        Warning   Deletion                    binddefinition/bd-default-ns-test                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Deleting target resource RoleBinding/default-ns-test-view-binding in namespace default                                                                                                                                                                                                                                                                                                                                                                                                                                                                4m2s         2       bd-default-ns-test.18972fb665672e0b
default                2m          Warning   Deletion                    binddefinition/bd-default-ns-test                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Deleting target resource RoleBinding/default-ns-test-view-binding in namespace default                                                                                                                                                                                                                                                                                                                                                                                                                                                                2m           2       bd-default-ns-test.18972fd2ded74f4b
default                4m2s        Warning   Deletion                    binddefinition/bd-disjoint-selectors                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Deleting target resource RoleBinding/disjoint-selector-test-view-binding in namespace argocd                                                                                                                                                                                                                                                                                                                                                                                                                                                          4m2s         2       bd-disjoint-selectors.18972fb66462560e
default                2m          Warning   Deletion                    binddefinition/bd-disjoint-selectors                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Deleting target resource RoleBinding/disjoint-selector-test-view-binding in namespace flux-system                                                                                                                                                                                                                                                                                                                                                                                                                                                     2m           2       bd-disjoint-selectors.18972fd2deec678b
default                4m2s        Warning   Deletion                    binddefinition/bd-edge-generated-sa                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Deleting target resource RoleBinding/edge-generated-sa-edit-binding in namespace tenant-beta                                                                                                                                                                                                                                                                                                                                                                                                                                                          4m2s         1       bd-edge-generated-sa.18972fb6667d1c93
default                2m          Warning   Deletion                    binddefinition/bd-edge-generated-sa                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Deleting target resource RoleBinding/edge-generated-sa-edit-binding in namespace tenant-beta                                                                                                                                                                                                                                                                                                                                                                                                                                                          2m           1       bd-edge-generated-sa.18972fd2e183d6b0
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                  4m11s        2       bd-edge-missing-clusterrole.18972fb44b0c5efb
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                  4m11s        1       bd-edge-missing-clusterrole.18972fb44fc6de78
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                  2m9s         1       bd-edge-missing-clusterrole.18972fd0c0bd3168
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                  2m9s         1       bd-edge-missing-clusterrole.18972fd0c29e4d02
default                9s          Warning   RoleRefNotFound             binddefinition/bd-edge-missing-clusterrole                                                        BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-qb2bw    Referenced roles not found: [ClusterRole/nonexistent-cluster-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                  9s           1       bd-edge-missing-clusterrole.18972fecc56d6f3c
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                    4m11s        1       bd-edge-missing-role.18972fb44ba4902a
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                    4m11s        2       bd-edge-missing-role.18972fb44e8f254b
default                4m2s        Warning   Deletion                    binddefinition/bd-edge-missing-role                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Deleting target resource RoleBinding/edge-missing-role-nonexistent-role-binding in namespace tenant-alpha                                                                                                                                                                                                                                                                                                                                                                                                                                             4m2s         1       bd-edge-missing-role.18972fb666eb2b2f
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                    2m9s         1       bd-edge-missing-role.18972fd0c28296cd
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                    2m9s         1       bd-edge-missing-role.18972fd0c434b30e
default                2m          Warning   Deletion                    binddefinition/bd-edge-missing-role                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Deleting target resource RoleBinding/edge-missing-role-nonexistent-role-binding in namespace tenant-alpha                                                                                                                                                                                                                                                                                                                                                                                                                                             2m           1       bd-edge-missing-role.18972fd2e15266d9
default                9s          Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-qb2bw    Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                    9s           1       bd-edge-missing-role.18972fecc4be6858
default                8s          Warning   RoleRefNotFound             binddefinition/bd-edge-missing-role                                                               BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-qb2bw    Referenced roles not found: [Role/tenant-alpha/nonexistent-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                    9s           2       bd-edge-missing-role.18972fecc78c046a
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                         4m11s        1       bd-edge-mixed-refs.18972fb44d2877f6
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                         4m11s        1       bd-edge-mixed-refs.18972fb458ab350a
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                         4m11s        1       bd-edge-mixed-refs.18972fb45f778f54
default                4m2s        Warning   Deletion                    binddefinition/bd-edge-mixed-refs                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Deleting target resource RoleBinding/edge-mixed-refs-edit-binding in namespace tenant-alpha                                                                                                                                                                                                                                                                                                                                                                                                                                                           4m2s         2       bd-edge-mixed-refs.18972fb669c500d1
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                         2m9s         1       bd-edge-mixed-refs.18972fd0c39ba86e
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                         2m9s         1       bd-edge-mixed-refs.18972fd0cb03ffe9
default                2m          Warning   Deletion                    binddefinition/bd-edge-mixed-refs                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Deleting target resource RoleBinding/edge-mixed-refs-edit-binding in namespace tenant-alpha                                                                                                                                                                                                                                                                                                                                                                                                                                                           2m           2       bd-edge-mixed-refs.18972fd2e6174775
default                9s          Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-qb2bw    Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                         9s           1       bd-edge-mixed-refs.18972fecc6815ff3
default                8s          Warning   RoleRefNotFound             binddefinition/bd-edge-mixed-refs                                                                 BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-qb2bw    Referenced roles not found: [ClusterRole/phantom-cluster-role ClusterRole/t-caas-security-auditor Role/tenant-alpha/phantom-namespace-role]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                         8s           1       bd-edge-mixed-refs.18972feccd537c2e
default                4m2s        Warning   Deletion                    binddefinition/bd-edge-shared-generated-sa-b                                                      BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Deleting target resource RoleBinding/edge-shared-gen-b-edit-binding in namespace tenant-alpha                                                                                                                                                                                                                                                                                                                                                                                                                                                         4m2s         1       bd-edge-shared-generated-sa-b.18972fb66e1ebb1f
default                2m          Warning   Deletion                    binddefinition/bd-edge-shared-generated-sa-b                                                      BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Deleting target resource RoleBinding/edge-shared-gen-b-edit-binding in namespace tenant-alpha                                                                                                                                                                                                                                                                                                                                                                                                                                                         2m           1       bd-edge-shared-generated-sa-b.18972fd2e6456b86
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                       BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   4m11s        1       bd-edge-shared-sa-consumer-b.18972fb45871e7e0
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                       BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   4m11s        1       bd-edge-shared-sa-consumer-b.18972fb45bdb1d33
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                       BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   2m9s         1       bd-edge-shared-sa-consumer-b.18972fd0ca25d0ee
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                       BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   2m9s         1       bd-edge-shared-sa-consumer-b.18972fd0cce4c9e9
default                8s          Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                       BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-qb2bw    Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   8s           1       bd-edge-shared-sa-consumer-b.18972feccfe9e501
default                8s          Warning   RoleRefNotFound             binddefinition/bd-edge-shared-sa-consumer-b                                                       BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-bcf8f94f4-qb2bw    Referenced roles not found: [ClusterRole/t-caas-security-auditor]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                                                                                                                                                                                                                                                                                                   8s           1       bd-edge-shared-sa-consumer-b.18972fecd69b330c
default                4m2s        Warning   Deletion                    binddefinition/bd-gitops-controllers                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Deleting target resource RoleBinding/gitops-controllers-admin-binding in namespace argocd                                                                                                                                                                                                                                                                                                                                                                                                                                                             4m2s         2       bd-gitops-controllers.18972fb6828ee206
default                119s        Warning   Deletion                    binddefinition/bd-gitops-controllers                                                              BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Deleting target resource RoleBinding/gitops-controllers-admin-binding in namespace argocd                                                                                                                                                                                                                                                                                                                                                                                                                                                             119s         2       bd-gitops-controllers.18972fd2f89d3580
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-mixed-binding-types                                                             BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/t-caas-security-auditor Role/default/t-caas-namespace-viewer Role/shared-services/t-caas-namespace-viewer Role/tenant-alpha-cicd/t-caas-namespace-viewer Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-alpha/t-caas-namespace-viewer Role/tenant-beta/t-caas-namespace-viewer]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                             4m11s        1       bd-mixed-binding-types.18972fb45b4d6d2e
default                4m11s       Warning   RoleRefNotFound             binddefinition/bd-mixed-binding-types                                                             BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Referenced roles not found: [ClusterRole/t-caas-security-auditor Role/default/t-caas-namespace-viewer Role/shared-services/t-caas-namespace-viewer Role/tenant-alpha-cicd/t-caas-namespace-viewer Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-alpha/t-caas-namespace-viewer Role/tenant-beta/t-caas-namespace-viewer]. Bindings will be created but ineffective until roles exist. Will requeue in 10s.                                                                                                                             4m11s        1       bd-mixed-binding-types.18972fb4654328e7
default                4m2s        Warning   Deletion                    binddefinition/bd-mixed-binding-types                                                             BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-6b5b7b6855-bcl92   Deleting target resource RoleBinding/mixed-binding-test-edit-binding in namespace tenant-alpha-cicd                                                                                                                                                                                                                                                                                                                                                                                                                                                   4m2s         2       bd-mixed-binding-types.18972fb6778b67d1
default                2m9s        Warning   RoleRefNotFound             binddefinition/bd-mixed-binding-types                                                             BindDefinitionReconciler, BindDefinitionReconciler-auth-operator-controller-manager-766f6666d6-nwwkq   Referenced roles not found: [ClusterRole/t-caas-security-auditor Role/default/t-caas-namespace-viewer Role/shared-services/t-caas-namespace-viewer Role/tenant-alpha-cicd/t-caas-namespace-viewer Role/tenant-alpha-staging/t-caas-namespace-viewer Role/te
... (truncated, 158972 chars total — see uploaded artifacts for full diff)

github-actions · 2026-02-24T12:54:48Z

📊 Output Delta Report (cont.)

📦 BindDefinitions Status

Changes from main

--- /tmp/main-output/binddefinitions-status.yaml	2026-02-24 12:50:35.102933346 +0000
+++ /tmp/pr-output/binddefinitions-status.yaml	2026-02-24 12:54:37.681613905 +0000
@@ -848,19 +848,17 @@
           reason: Reconciled
           status: "True"
           type: Ready
-        - message: 'Missing role references: [ClusterRole/t-caas-security-auditor Role/default/t-caas-namespace-viewer Role/shared-services/t-caas-namespace-viewer Role/tenant-alpha-cicd/t-caas-namespace-viewer Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-alpha/t-caas-namespace-viewer Role/tenant-beta/t-caas-namespace-viewer]'
+        - message: 'Missing role references: [Role/default/t-caas-namespace-viewer Role/shared-services/t-caas-namespace-viewer Role/tenant-alpha-cicd/t-caas-namespace-viewer Role/tenant-alpha-staging/t-caas-namespace-viewer Role/tenant-alpha/t-caas-namespace-viewer]'
           observedGeneration: 1
           reason: RoleRefNotFound
           status: "False"
           type: RoleRefsValid
       missingRoleRefs:
-        - ClusterRole/t-caas-security-auditor
         - Role/default/t-caas-namespace-viewer
         - Role/shared-services/t-caas-namespace-viewer
         - Role/tenant-alpha-cicd/t-caas-namespace-viewer
         - Role/tenant-alpha-staging/t-caas-namespace-viewer
         - Role/tenant-alpha/t-caas-namespace-viewer
-        - Role/tenant-beta/t-caas-namespace-viewer
   - apiVersion: authorization.t-caas.telekom.com/v1alpha1
     kind: BindDefinition
     metadata:

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

docs/proposals/restricted-crds-with-rbac-policy.md

…ypes, ToC - Fix printcolumn JSONPath .spec.policyRef.name → .spec.rbacPolicyRef.name - Remove duplicate +kubebuilder:subresource:status marker on RestrictedBindDefinition - Add RestrictedBindDefinitionStatus and RestrictedRoleDefinitionStatus Go types - Rewrite ToC to match actual document headings (11 of 14 links were broken) - Unify forbiddenNamespaces YAML shape to flat []string (was inconsistent) - Add note clarifying late examples show expanded API surface beyond skeletal Go types

Copilot

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

REUSE.toml

docs/proposals/restricted-crds-with-rbac-policy.md

Copilot AI review requested due to automatic review settings February 8, 2026 01:14

github-actions bot added documentation Improvements or additions to documentation size/XL labels Feb 8, 2026

Copilot started reviewing on behalf of MaxRink February 8, 2026 01:15 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

Copilot AI review requested due to automatic review settings February 8, 2026 01:23

Copilot started reviewing on behalf of MaxRink February 8, 2026 01:25 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

MaxRink requested a review from Copilot February 8, 2026 09:53

Copilot started reviewing on behalf of MaxRink February 8, 2026 09:54 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

docs/proposals/restricted-crds-with-rbac-policy.md Outdated Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Outdated Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Show resolved Hide resolved

REUSE.toml Show resolved Hide resolved

MaxRink requested a review from Copilot February 8, 2026 10:32

Copilot started reviewing on behalf of MaxRink February 8, 2026 10:32 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

MaxRink requested a review from Copilot February 8, 2026 10:51

Copilot started reviewing on behalf of MaxRink February 8, 2026 10:52 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

docs/proposals/restricted-crds-with-rbac-policy.md Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Outdated Show resolved Hide resolved

MaxRink requested a review from Copilot February 8, 2026 11:18

Copilot started reviewing on behalf of MaxRink February 8, 2026 11:18 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

MaxRink requested a review from Copilot February 8, 2026 11:27

Copilot started reviewing on behalf of MaxRink February 8, 2026 11:28 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

docs/proposals/restricted-crds-with-rbac-policy.md Outdated Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Outdated Show resolved Hide resolved

MaxRink requested a review from Copilot February 8, 2026 12:18

Copilot started reviewing on behalf of MaxRink February 8, 2026 12:19 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

docs/proposals/restricted-crds-with-rbac-policy.md Outdated Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Outdated Show resolved Hide resolved

MaxRink requested a review from Copilot February 8, 2026 14:35

Copilot started reviewing on behalf of MaxRink February 8, 2026 14:35 View session

Copilot AI reviewed Feb 8, 2026

View reviewed changes

Copilot AI reviewed Feb 24, 2026

View reviewed changes

github-actions bot added webhook tests labels Feb 24, 2026

Copilot AI review requested due to automatic review settings February 27, 2026 23:48

MaxRink force-pushed the proposal/restricted-crds-rbac-policy branch from 4b5b0a5 to b75a32d Compare February 27, 2026 23:48

Copilot started reviewing on behalf of MaxRink February 27, 2026 23:48 View session

Copilot AI reviewed Feb 27, 2026

View reviewed changes

Copilot AI review requested due to automatic review settings March 9, 2026 15:48

MaxRink force-pushed the proposal/restricted-crds-rbac-policy branch from b16bb5b to 313a760 Compare March 9, 2026 15:48

Copilot started reviewing on behalf of MaxRink March 9, 2026 15:49 View session

Copilot AI reviewed Mar 9, 2026

View reviewed changes

docs/proposals/restricted-crds-with-rbac-policy.md Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Outdated Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Show resolved Hide resolved

MaxRink force-pushed the proposal/restricted-crds-rbac-policy branch from 313a760 to bc403f7 Compare March 9, 2026 17:28

MaxRink requested a review from Copilot March 10, 2026 15:02

Copilot started reviewing on behalf of MaxRink March 10, 2026 15:02 View session

Copilot AI reviewed Mar 10, 2026

View reviewed changes

docs/proposals/restricted-crds-with-rbac-policy.md Outdated Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Show resolved Hide resolved

MaxRink requested a review from Copilot March 10, 2026 15:34

Copilot started reviewing on behalf of MaxRink March 10, 2026 15:34 View session

MaxRink added 4 commits March 10, 2026 20:12

proposal: Restricted CRDs with RBACPolicy for Multi-Tenant RBAC

4450049

docs: address all Copilot review findings in restricted CRDs proposal

84c267d

docs: address persona review findings in restricted CRDs proposal

5c9d8f6

MaxRink force-pushed the proposal/restricted-crds-rbac-policy branch from 08d3dde to 5c9d8f6 Compare March 10, 2026 19:12

Copilot AI reviewed Mar 10, 2026

View reviewed changes

MaxRink requested a review from Copilot March 10, 2026 21:45

Copilot started reviewing on behalf of MaxRink March 10, 2026 21:45 View session

Copilot AI reviewed Mar 10, 2026

View reviewed changes

REUSE.toml Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Show resolved Hide resolved

docs/proposals/restricted-crds-with-rbac-policy.md Show resolved Hide resolved

MaxRink mentioned this pull request Mar 11, 2026

feat: implement Restricted CRDs with RBACPolicy for multi-tenant RBAC governance #224

Open

30 tasks

MaxRink merged commit 6bd0fff into main Mar 16, 2026
42 checks passed

Conversation

MaxRink commented Feb 8, 2026

Summary

Key Features

New CRDs

Security Model

Design Principles

Use Cases

Implementation Options

Files

Discussion Points

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!