SREP-4471 Remove Write permissions in LPSRE RBAC

[feichashao]

What type of PR is this?

cleanup

What this PR does / why we need it?

For security and compliance reasons, we want to limit the permissions SRE have. Currently, SRE can perform many write actions (create/patch/delete) on many openshift platform namespaces.

This PR reduces most write permissions for the LPSRE RBAC.

If SRE need write operations to solve issues, they can use ocm backplane elevate, which requires a justification and go through the normal elevation process.

The PR keeps some write permissions which are not actually changing the cluster resources.

The create pods/portforward is kept for monitoring, which is needed by ocm backplane console.
The create podsecuritypolicyreviews , podsecuritypolicyselfsubjectreviews, podsecuritypolicysubjectreviews and tokenreviews are kept as they are actually read-only operations which is for checking auth related stuff.

Which Jira/Github issue(s) this PR fixes?

https://redhat.atlassian.net/browse/SREP-4471

Special notes for your reviewer:

Pre-checks (if applicable):

• Tested latest changes against a cluster

• Included documentation changes with PR

• If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

  matchExpressions:
  - key: api.openshift.com/fedramp
    operator: NotIn
    values: ["true"]

Summary by CodeRabbit

• Chores
  • Reduced administrative permissions across multiple cluster roles by removing destructive and write actions (deletes, creates, patches) for jobs, builds, pods, PVCs, operators, backups, and scaling controls.
  • Converted many mutating permissions to read-only (get/list/watch) for monitoring, config, Tekton, and project/namespace resources.
  • Preserved essential observation and eviction/portforward capabilities to maintain troubleshooting access.

[coderabbitai]

Walkthrough

Multiple ClusterRole RBAC manifests across the backplane were tightened: numerous create/patch/update/delete verbs were removed for jobs, pods, builds, PVCs, scaling/patching of controllers, operator/OLM resources, Velero, and Tekton, leaving predominantly read-only (get/list/watch) access where applicable.

Changes

Cohort / File(s)	Summary
Main Backplane LPSRE Admin Role deploy/backplane/lpsre/10-lpsre-admins-project.ClusterRole.yml	Removed many mutating and destructive RBAC rules (job/build deletion, pod deletion, Logging CRs, Velero backup operations, PVC resize/delete/patch, controller scaling/patching, replicasets deletion, machine/upgrade/OLM operations).
Generated ACM Policy deploy/acm-policies/50-GENERATED-backplane-lpsre.Policy.yaml	Mirrors removals from the main backplane ClusterRole: deleted matching RBAC rule entries from the generated ConfigurationPolicy template.
ACS LPSRE Admin Role deploy/backplane/lpsre/acs/02-acs-lpsre-admins-project.ClusterRole.yaml	Removed pod delete, apps statefulsets/deployments patch (restart), and deployments/scale patch permissions.
RHMI LPSRE Roles deploy/backplane/lpsre/rhmi/01-rhmi-lpsre-admins-cluster-aggregate.ClusterRole.yaml, deploy/backplane/lpsre/rhmi/01-rhmi-lpsre-admins-project.ClusterRole.yaml	Narrowed verbs: dropped create/patch/update on clusterresourcequotas and various resources; removed deletes for jobs/builds/pods; limited Tekton from wildcard access to get/list/watch.
RHOAM LPSRE Roles deploy/backplane/lpsre/rhoam/01-rhoam-lpsre-admins-cluster-aggregate.ClusterRole.yaml, deploy/backplane/lpsre/rhoam/01-rhoam-lpsre-admins-project.ClusterRole.yaml	Converted many mutating verbs to read-only: removed create/patch/update on projects/namespaces/groups and removed deletes/patches for jobs, builds, pods, configmaps, PVCs, installplans, Tekton, scaling/patching of apps and routes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic Ginkgo test names is not applicable to this pull request. The PR exclusively modifies Kubernetes RBAC configuration YAML files with no Go test files or Ginkgo tests present.
Test Structure And Quality	✅ Passed	This pull request contains exclusively YAML configuration file changes to Kubernetes ClusterRole RBAC manifests and does not include any Ginkgo test code or test file modifications.
Microshift Test Compatibility	✅ Passed	This PR modifies only RBAC policy YAML files in deploy/ directory with no new Ginkgo e2e test code added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR contains only YAML configuration files for RBAC policies and Kubernetes ClusterRole definitions with no test files.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only RBAC ClusterRole permission rules, not deployment manifests, operators, or controllers. No topology-aware scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check does not apply to this PR, which modifies only Kubernetes RBAC and ConfigurationPolicy YAML files with no Go source code changes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The custom check for IPv6 and Disconnected Network Test Compatibility applies specifically to Ginkgo e2e tests. This PR contains only modifications to Kubernetes RBAC policy YAML manifest files in the deploy/ directory and introduces zero Ginkgo e2e tests.
Title check	✅ Passed	The title directly and accurately describes the main objective of the pull request: removing write permissions from LPSRE RBAC configurations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

deploy/backplane/lpsre/rhoam/01-rhoam-lpsre-admins-project.ClusterRole.yaml (1)

82-91: Tekton access correctly reduced to read-only; minor trailing whitespace.

The change to get, list, watch is correct and consistent with the RHMI project ClusterRole.

Line 91 appears to have trailing whitespace or an empty line with spaces. Consider removing it for cleaner formatting.

🧹 Remove trailing whitespace

   - get
   - list
   - watch
-  

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/backplane/lpsre/rhoam/01-rhoam-lpsre-admins-project.ClusterRole.yaml`
around lines 82 - 91, There is trailing whitespace / an extra blank line after
the Tekton permission block in the ClusterRole (the block with apiGroups:
tekton.dev, resources: '*', verbs: get/list/watch); remove the trailing spaces
or empty line following that block so the YAML ends cleanly and passes
formatting checks.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@deploy/backplane/lpsre/rhoam/01-rhoam-lpsre-admins-project.ClusterRole.yaml`:
- Around line 82-91: There is trailing whitespace / an extra blank line after
the Tekton permission block in the ClusterRole (the block with apiGroups:
tekton.dev, resources: '*', verbs: get/list/watch); remove the trailing spaces
or empty line following that block so the YAML ends cleanly and passes
formatting checks.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 83066336-8e9b-4bac-8bef-1bf97c0b7d27

📥 Commits

Reviewing files that changed from the base of the PR and between e2cf895 and 517f396.

📒 Files selected for processing (10)

• deploy/acm-policies/50-GENERATED-backplane-lpsre.Policy.yaml
• deploy/backplane/lpsre/10-lpsre-admins-project.ClusterRole.yml
• deploy/backplane/lpsre/acs/02-acs-lpsre-admins-project.ClusterRole.yaml
• deploy/backplane/lpsre/rhmi/01-rhmi-lpsre-admins-cluster-aggregate.ClusterRole.yaml
• deploy/backplane/lpsre/rhmi/01-rhmi-lpsre-admins-project.ClusterRole.yaml
• deploy/backplane/lpsre/rhoam/01-rhoam-lpsre-admins-cluster-aggregate.ClusterRole.yaml
• deploy/backplane/lpsre/rhoam/01-rhoam-lpsre-admins-project.ClusterRole.yaml
• hack/00-osd-managed-cluster-config-integration.yaml.tmpl
• hack/00-osd-managed-cluster-config-production.yaml.tmpl
• hack/00-osd-managed-cluster-config-stage.yaml.tmpl

💤 Files with no reviewable changes (3)

• deploy/backplane/lpsre/acs/02-acs-lpsre-admins-project.ClusterRole.yaml
• deploy/backplane/lpsre/10-lpsre-admins-project.ClusterRole.yml
• deploy/acm-policies/50-GENERATED-backplane-lpsre.Policy.yaml

[openshift-ci]

@feichashao: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[feichashao]

/hold

Communicating with LPSRE regarding the change.

[xiaoyu74]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feichashao, xiaoyu74

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [xiaoyu74]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Nanyte25]

@feichashao Aligned with the direction of this PR overall, but flagging one carve-out request from the RHOAM side:We need to retain the ability to manually patch RHOAM Install-plans without elevation. All RHOAM upgrades are service-affecting, and manual Install-plan approval is the single most common upgrade-time intervention we perform. Blast radius is bounded — patch on an IP only lets us flip spec.approved=true on a plan OLM has already generated, we can't synthesize new state with it. Requiring backplane elevate per-approval during an active upgrade window is a real MTTR cost in exactly the moments we're already time-pressured.

Proposing we keep this rule:

# LP SRE can interact with installplans
- apiGroups:
  - "operators.coreos.com"
  resources:
  - installplans
  verbs:
  - "patch"

I would ask the same for the equivalent block in rhmi/01-rhmi-lpsre-admins-project.ClusterRole.yaml for consistency.