Add backplane RBAC for RHOBS team access to regional clusters

[moadz]

What type of PR is this?

(bug/feature/cleanup/documentation)
Adding new backplane role.

What this PR does / why we need it?

Introduces a new backplane role for the RHOBS team to get read-only
access to RHOBS regional clusters. This includes a ClusterRole scoped
to Thanos, Loki, monitoring, and core Kubernetes resources, a
SubjectPermission binding it to rhobs-prefixed namespaces, and a
SelectorSyncSet config targeting clusters labeled as RHOBS regional.

Summary by CodeRabbit

• New Features

  • RHOBS regional cluster support added to the backplane, enabling RHOBS-specific cluster onboarding and scoped access.

• Documentation

  • Backplane README updated with revised table layout and RHOBS entry describing access scope.

• Chores

  • Added deployment manifests and RBAC/permission configurations to enable and restrict RHOBS regional-cluster access.

[coderabbitai]

Walkthrough

Adds RBAC and deployment configuration for RHOBS regional clusters: a new namespace, selector-based deployment config, a ClusterRole granting read/list/watch permissions on monitoring and infra resources, a SubjectPermission binding that ClusterRole to RHOBS serviceaccounts, and README updates listing the rhobs directory.

Changes

Cohort / File(s)	Summary
Documentation deploy/backplane/README.md	Updated table formatting and added a new rhobs directory entry describing RBAC access for the RHOBS team.
Namespace & Deployment Selector deploy/backplane/rhobs/00-rhobs.namespace.yml, deploy/backplane/rhobs/config.yaml	Added openshift-backplane-rhobs Namespace and a SelectorSyncSet config that targets clusters labeled ext-managed.openshift.io/rhobs-regional-cluster=true and excludes api.openshift.com/fedramp=true.
RBAC: ClusterRole deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml	New ClusterRole backplane-rhobs-regional-cluster-project granting get,list,watch on monitoring (Thanos/Prometheus/Alertmanager), RHOBS, Loki, OpenShift routes/templates, RBAC, CRDs, core resources, and common workload controllers.
RBAC: Binding (SubjectPermission) deploy/backplane/rhobs/20-rhobs.SubjectPermission.yml	Added SubjectPermission binding backplane-rhobs-regional-cluster-project to Group system:serviceaccounts:openshift-backplane-rhobs, allowing namespaces matching (^rhobs.*) and denying openshift-backplane-cluster-admin.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the main objective of the changeset—adding RBAC configurations for RHOBS team access to regional clusters across the newly added backplane directory structure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR contains no Ginkgo test files, only Kubernetes manifests and markdown documentation updates.
Test Structure And Quality	✅ Passed	This PR contains only Kubernetes manifests and configuration files. No Ginkgo test files are present, making the custom test quality check non-applicable.
Microshift Test Compatibility	✅ Passed	This PR contains only Kubernetes manifests and documentation; no Ginkgo e2e tests are present.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not introduce any Ginkgo e2e tests. All modified files are Kubernetes manifests and configuration files related to RBAC setup.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only RBAC resources and cluster selection configuration with no deployment manifests, operator code, or topology-dependent scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	This PR adds only Kubernetes YAML manifests and documentation with no executable source code, making the OTE Binary Stdout Contract check inapplicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Custom check is not applicable to this PR as it contains only Kubernetes manifest files, not Ginkgo e2e tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: moadz
Once this PR has been reviewed and has the lgtm label, please assign cblecker for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• deploy/backplane/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@deploy/backplane/rhobs/rhobs-cluster/10-srep-rhobs-cluster-project.ClusterRole.yml`:
- Around line 18-26: Update the RBAC rule block for monitoring resources: change
the apiGroups entry from "monitoring.rhobs.io" to "monitoring.rhobs" and
normalize indentation to 2 spaces for the apiGroups/resources/verbs block so it
matches other rule blocks; target the rule that lists resources
"monitoringstacks" and "thanosqueriers" and ensure the apiGroups, resources, and
verbs keys are aligned with the 2-space style used elsewhere.

In `@deploy/backplane/rhobs/rhobs-cluster/20-srep.SubjectPermission.yml`:
- Line 4: The resource metadata.name is stale: change the SubjectPermission
resource name from "backplane-srep-rhobs-regional-cluster" to
"backplane-rhobs-regional-cluster" to match the bound service-account group
"openshift-backplane-rhobs" and ClusterRole
"backplane-rhobs-regional-cluster-project"; update any internal references if
present and also consider renaming the file from "20-srep.SubjectPermission.yml"
to "20-rhobs.SubjectPermission.yml" so filename and resource name are
consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 2de97ae8-a176-4281-8d74-c92196a84179

📥 Commits

Reviewing files that changed from the base of the PR and between e2cf895 and d9c9b06.

📒 Files selected for processing (4)

• deploy/backplane/README.md
• deploy/backplane/rhobs/rhobs-cluster/10-srep-rhobs-cluster-project.ClusterRole.yml
• deploy/backplane/rhobs/rhobs-cluster/20-srep.SubjectPermission.yml
• deploy/backplane/rhobs/rhobs-cluster/config.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Stale srep in resource name; rename for consistency with the new RHOBS subject.

metadata.name is backplane-srep-rhobs-regional-cluster, but this SubjectPermission binds the openshift-backplane-rhobs service-account group (not srep) to the backplane-rhobs-regional-cluster-project ClusterRole. Keeping srep in the name looks like a copy-paste leftover from deploy/backplane/srep/hypershift/rhobs-cluster/20-srep.SubjectPermission.yml and will likely collide conceptually with that existing resource. Consider renaming to match.

🧹 Proposed fix

 metadata:
-  name: backplane-srep-rhobs-regional-cluster
+  name: backplane-rhobs-regional-cluster
   namespace: openshift-rbac-permissions

Consider also renaming the file from 20-srep.SubjectPermission.yml to 20-rhobs.SubjectPermission.yml for the same reason.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	name: backplane-srep-rhobs-regional-cluster
	metadata:
	name: backplane-rhobs-regional-cluster
	namespace: openshift-rbac-permissions

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/backplane/rhobs/rhobs-cluster/20-srep.SubjectPermission.yml` at line
4, The resource metadata.name is stale: change the SubjectPermission resource
name from "backplane-srep-rhobs-regional-cluster" to
"backplane-rhobs-regional-cluster" to match the bound service-account group
"openshift-backplane-rhobs" and ClusterRole
"backplane-rhobs-regional-cluster-project"; update any internal references if
present and also consider renaming the file from "20-srep.SubjectPermission.yml"
to "20-rhobs.SubjectPermission.yml" so filename and resource name are
consistent.

[typeid]

Let's fix the file and namespace names as commented, then this looks good to me.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml`:
- Around line 75-88: The ClusterRole in this file mixes cluster-scoped rules
(resources: clusterroles, clusterrolebindings, customresourcedefinitions) with a
namespaced SubjectPermission that uses namespacesAllowedRegex, which is invalid;
split out a new ClusterRole containing only the cluster-scoped resources
(clusterroles, clusterrolebindings, customresourcedefinitions) and remove those
resources from the existing ClusterRole, then bind the new ClusterRole via an
explicit clusterPermissions entry on the SubjectPermission (follow the binding
pattern used in 50-dedicated-admins.SubjectPermission.yaml) so namespace
restrictions remain on the remaining namespaced rules and cluster-scoped rules
are granted at cluster scope.
- Around line 18-49: The RBAC rules currently mix Prometheus Operator resources
into the monitoring.rhobs apiGroup; update the ClusterRole so Prometheus
Operator-owned resources (alertmanagers, podmonitors, prometheuses,
prometheusrules, servicemonitors) are listed under apiGroups:
["monitoring.coreos.com"] and RHOBS-specific resources (monitoringstacks,
uiplugins and any RHOBS-owned variants) remain under apiGroups:
["monitoring.rhobs"]; remove resources that are not actually deployed here
(alertmanagerconfigs, probes, prometheusagents, scrapeconfigs, thanosrulers) and
verify which apiGroup owns thanosqueriers in your environment before assigning
it (leave it in monitoring.rhobs only if RHOBS owns it).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 967858b9-6fe6-4d5c-9a90-a62b202a06a8

📥 Commits

Reviewing files that changed from the base of the PR and between 0a598dc and 1512070.

📒 Files selected for processing (5)

• deploy/backplane/README.md
• deploy/backplane/rhobs/00-rhobs.namespace.yml
• deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml
• deploy/backplane/rhobs/20-rhobs.SubjectPermission.yml
• deploy/backplane/rhobs/config.yaml

✅ Files skipped from review due to trivial changes (4)

• deploy/backplane/README.md
• deploy/backplane/rhobs/00-rhobs.namespace.yml
• deploy/backplane/rhobs/config.yaml
• deploy/backplane/rhobs/20-rhobs.SubjectPermission.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Inspect CRD/API-version evidence for the resources in the monitoring RBAC rules.
# Expectation: Prometheus Operator resources resolve to monitoring.coreos.com; RHOBS resources resolve to monitoring.rhobs.

rg -nP --type=yaml -C3 \
  'apiVersion:\s*(monitoring\.coreos\.com|monitoring\.rhobs|observability\.openshift\.io|console\.openshift\.io)/|name:\s*(alertmanagerconfigs|alertmanagers|podmonitors|probes|prometheusagents|prometheuses|prometheusrules|scrapeconfigs|servicemonitors|thanosrulers|thanosqueriers|monitoringstacks|uiplugins)\.'

Repository: openshift/managed-cluster-config

Length of output: 37244

---

Correct API group ownership for Prometheus Operator and RHOBS resources.

Resources are currently misplaced across API groups. Verification confirms that prometheusrules, podmonitors, and servicemonitors actually exist in both monitoring.coreos.com and monitoring.rhobs, but the current RBAC rule incorrectly bundles Prometheus Operator resources under monitoring.rhobs. This breaks RBAC enforcement for read-only access to resources that belong under their correct API groups.

Recommended fix:

• Move Prometheus Operator resources (alertmanagers, podmonitors, prometheuses, prometheusrules, servicemonitors) to monitoring.coreos.com.
• Keep RHOBS-specific resources (monitoringstacks, uiplugins) and any RHOBS-owned variants of shared resources under monitoring.rhobs.
• Note: thanosqueriers requires clarification—verify which API group actually owns this resource in your environment; evidence suggests it may only exist in monitoring.rhobs.
• Remove resources not actually deployed in this repository (e.g., alertmanagerconfigs, probes, prometheusagents, scrapeconfigs, thanosrulers if they are not in use).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml` around lines
18 - 49, The RBAC rules currently mix Prometheus Operator resources into the
monitoring.rhobs apiGroup; update the ClusterRole so Prometheus Operator-owned
resources (alertmanagers, podmonitors, prometheuses, prometheusrules,
servicemonitors) are listed under apiGroups: ["monitoring.coreos.com"] and
RHOBS-specific resources (monitoringstacks, uiplugins and any RHOBS-owned
variants) remain under apiGroups: ["monitoring.rhobs"]; remove resources that
are not actually deployed here (alertmanagerconfigs, probes, prometheusagents,
scrapeconfigs, thanosrulers) and verify which apiGroup owns thanosqueriers in
your environment before assigning it (leave it in monitoring.rhobs only if RHOBS
owns it).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Find how SubjectPermission models cluster-scoped access elsewhere.
# Expectation: Cluster-scoped resources should use a distinct cluster-wide permission mechanism, not only namespace regex bindings.

rg -nP --type=yaml -C6 \
  'kind:\s*SubjectPermission|clusterPermissions|namespacesAllowedRegex|clusterroles|clusterrolebindings|customresourcedefinitions'

Repository: openshift/managed-cluster-config

Length of output: 50389

---

🏁 Script executed:

# Find the RHOBS ClusterRole file
fd -t f "rhobs" | head -20

Repository: openshift/managed-cluster-config

Length of output: 394

---

🏁 Script executed:

# Look for the actual file and RHOBS SubjectPermission
rg -l "rhobs" --type=yaml | grep -i subject

Repository: openshift/managed-cluster-config

Length of output: 206

---

🏁 Script executed:

# Search for references to "rhobs-cluster-project" ClusterRole
rg "rhobs-cluster-project" --type=yaml -A5 -B5

Repository: openshift/managed-cluster-config

Length of output: 58

---

🏁 Script executed:

# View the RHOBS SubjectPermission to see how rhobs ClusterRole is used
cat deploy/backplane/rhobs/20-rhobs.SubjectPermission.yml

Repository: openshift/managed-cluster-config

Length of output: 502

---

🏁 Script executed:

# View the complete RHOBS ClusterRole to see all rules
cat deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml

Repository: openshift/managed-cluster-config

Length of output: 1750

---

Cluster-scoped resources must not be mixed with namespace-scoped access rules in this ClusterRole.

The ClusterRole includes clusterroles, clusterrolebindings, and customresourcedefinitions—all cluster-scoped resources—yet the SubjectPermission binding restricts access using namespacesAllowedRegex: "(^rhobs.*)". This creates an unresolvable RBAC conflict: either the binding becomes a RoleBinding (rendering cluster-scoped rules inaccessible) or a ClusterRoleBinding (making the namespace restriction meaningless).

Separate these cluster-scoped resources into a distinct ClusterRole bound through an explicit clusterPermissions field, following the pattern used elsewhere in the codebase (e.g., 50-dedicated-admins.SubjectPermission.yaml).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml` around lines
75 - 88, The ClusterRole in this file mixes cluster-scoped rules (resources:
clusterroles, clusterrolebindings, customresourcedefinitions) with a namespaced
SubjectPermission that uses namespacesAllowedRegex, which is invalid; split out
a new ClusterRole containing only the cluster-scoped resources (clusterroles,
clusterrolebindings, customresourcedefinitions) and remove those resources from
the existing ClusterRole, then bind the new ClusterRole via an explicit
clusterPermissions entry on the SubjectPermission (follow the binding pattern
used in 50-dedicated-admins.SubjectPermission.yaml) so namespace restrictions
remain on the remaining namespaced rules and cluster-scoped rules are granted at
cluster scope.

[bmeng]

@moadz can you help check the pre-sumbit job failure?
You can run the make locally to see if it is working for you

[coderabbitai]

♻️ Duplicate comments (2)

deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml (2)

18-49: ⚠️ Potential issue | 🟠 Major

Finish separating Prometheus Operator resources from RHOBS resources.

This still mixes likely monitoring.coreos.com resources into the monitoring.rhobs rule, while the monitoring.coreos.com rule omits common Prometheus Operator resources such as podmonitors, alertmanagerconfigs, probes, prometheusagents, scrapeconfigs, and thanosrulers. RBAC requires the exact API group/resource pair, so these entries can silently fail to grant the intended read access.

Keep RHOBS-owned resources under monitoring.rhobs, and put Prometheus Operator resources under monitoring.coreos.com; verify thanosqueriers before leaving it in either group.

#!/bin/bash
# Description: Verify API group ownership for the monitoring resources referenced by this ClusterRole.
# Expectation: Resources served by monitoring.coreos.com should be granted under monitoring.coreos.com;
# RHOBS-specific resources should remain under monitoring.rhobs.

rg -nP --type=yaml -C3 \
  'apiVersion:\s*(monitoring\.coreos\.com|monitoring\.rhobs|monitoring\.thanos\.io)/|kind:\s*(AlertmanagerConfig|Alertmanager|MonitoringStack|PodMonitor|Probe|PrometheusAgent|Prometheus|PrometheusRule|ScrapeConfig|ServiceMonitor|ThanosQuerier|ThanosRuler|UIPlugin)\b'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml` around lines
18 - 49, The ClusterRole currently mixes apiGroups; split the resource lists so
that resources owned by RHOBS remain under apiGroup "monitoring.rhobs" and
Prometheus Operator resources are under "monitoring.coreos.com": in the
ClusterRole resource block, ensure "monitoring.rhobs" contains RHOBS-specific
entries (e.g., alertmanagerconfigs, monitoringstacks, prometheusagents,
uiplugins and any RHOBS-only scrapeconfigs/probes if applicable) and that
"monitoring.coreos.com" contains Prometheus Operator entries (e.g.,
alertmanagers, prometheuses, prometheusrules, servicemonitors, podmonitors,
probes, scrapeconfigs, thanosrulers as appropriate); verify ownership of
thanosqueriers and place it under the correct apiGroup, then keep verbs
(get/list/watch) the same for each apiGroup block.

---

75-88: ⚠️ Potential issue | 🟠 Major

Split cluster-scoped resources out of the namespace-scoped role.

clusterroles, clusterrolebindings, and customresourcedefinitions are cluster-scoped, but deploy/backplane/rhobs/20-rhobs.SubjectPermission.yml binds this role through namespace-scoped permissions with namespacesAllowedRegex. Those cluster-scoped rules will not be granted by namespace RoleBindings.

Move these resources to a separate ClusterRole bound via a cluster-scoped SubjectPermission mechanism, or remove them if RHOBS only needs namespace-scoped access.

#!/bin/bash
# Description: Confirm this ClusterRole is only referenced by namespace-scoped SubjectPermission permissions,
# and inspect existing cluster-scoped SubjectPermission patterns in the repo.

cat deploy/backplane/rhobs/20-rhobs.SubjectPermission.yml

rg -nP --type=yaml -C8 \
  'clusterPermissions:|namespacesAllowedRegex:|clusterRoleName:\s*backplane-rhobs-regional-cluster-project|kind:\s*SubjectPermission'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml` around lines
75 - 88, The ClusterRole currently lists cluster-scoped rules (resources:
clusterroles, clusterrolebindings, customresourcedefinitions) which cannot be
granted via namespace RoleBindings; extract those rules into a separate
ClusterRole (e.g., create a new ClusterRole containing only resources:
clusterroles, clusterrolebindings, customresourcedefinitions) and remove them
from the namespace-scoped role (the existing role name referenced as
backplane-rhobs-regional-cluster-project), then bind that new ClusterRole with a
cluster-scoped SubjectPermission (or remove the cluster-scoped rules if RHOBS
only needs namespace access); also update or verify the SubjectPermission that
currently references the namespace-scoped binding (the file that defines the
permissions bound via namespacesAllowedRegex) to point to the new ClusterRole or
to no longer reference cluster-scoped rules.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml`:
- Around line 18-49: The ClusterRole currently mixes apiGroups; split the
resource lists so that resources owned by RHOBS remain under apiGroup
"monitoring.rhobs" and Prometheus Operator resources are under
"monitoring.coreos.com": in the ClusterRole resource block, ensure
"monitoring.rhobs" contains RHOBS-specific entries (e.g., alertmanagerconfigs,
monitoringstacks, prometheusagents, uiplugins and any RHOBS-only
scrapeconfigs/probes if applicable) and that "monitoring.coreos.com" contains
Prometheus Operator entries (e.g., alertmanagers, prometheuses, prometheusrules,
servicemonitors, podmonitors, probes, scrapeconfigs, thanosrulers as
appropriate); verify ownership of thanosqueriers and place it under the correct
apiGroup, then keep verbs (get/list/watch) the same for each apiGroup block.
- Around line 75-88: The ClusterRole currently lists cluster-scoped rules
(resources: clusterroles, clusterrolebindings, customresourcedefinitions) which
cannot be granted via namespace RoleBindings; extract those rules into a
separate ClusterRole (e.g., create a new ClusterRole containing only resources:
clusterroles, clusterrolebindings, customresourcedefinitions) and remove them
from the namespace-scoped role (the existing role name referenced as
backplane-rhobs-regional-cluster-project), then bind that new ClusterRole with a
cluster-scoped SubjectPermission (or remove the cluster-scoped rules if RHOBS
only needs namespace access); also update or verify the SubjectPermission that
currently references the namespace-scoped binding (the file that defines the
permissions bound via namespacesAllowedRegex) to point to the new ClusterRole or
to no longer reference cluster-scoped rules.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 05e38e1a-a2b5-440f-9335-cc4d96750def

📥 Commits

Reviewing files that changed from the base of the PR and between 1512070 and 25c30a0.

📒 Files selected for processing (5)

• deploy/backplane/README.md
• deploy/backplane/rhobs/00-rhobs.namespace.yml
• deploy/backplane/rhobs/10-rhobs-cluster-project.ClusterRole.yml
• deploy/backplane/rhobs/20-rhobs.SubjectPermission.yml
• deploy/backplane/rhobs/config.yaml

✅ Files skipped from review due to trivial changes (2)

• deploy/backplane/rhobs/config.yaml
• deploy/backplane/rhobs/20-rhobs.SubjectPermission.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• deploy/backplane/README.md
• deploy/backplane/rhobs/00-rhobs.namespace.yml

[moadz]

@bmeng

Successfully installed oyaml-1.0 pyyaml-6.0.3
+ scripts/enforce-backplane-rules.py
Backplane Rules: PASSED

Succeeds locally - i've rebased to try rerunning it.

[openshift-ci]

@moadz: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/pr-check	25c30a0	link	true	/test pr-check

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.