From 66f1ce842adbfb6d452a32ce91f67f4aa336cff5 Mon Sep 17 00:00:00 2001
From: Adam Scerra
Date: Wed, 13 Nov 2024 16:20:03 -0500
Subject: [PATCH] patch to staging cluster-provisioner pod read

Signed-off-by: Adam Scerra
---
 .../cluster-as-a-service/staging/kustomization.yaml | 2 ++
 .../namespace-manager-pod-reader-binding.yaml | 13 +++++++++++++
 .../staging/namespace-manager-pod-reader-role.yaml | 9 +++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 components/cluster-as-a-service/staging/namespace-manager-pod-reader-binding.yaml
 create mode 100644 components/cluster-as-a-service/staging/namespace-manager-pod-reader-role.yaml
diff --git a/components/cluster-as-a-service/staging/kustomization.yaml b/components/cluster-as-a-service/staging/kustomization.yaml
index c82b467d4f1..a760541ff00 100644
--- a/components/cluster-as-a-service/staging/kustomization.yaml
+++ b/components/cluster-as-a-service/staging/kustomization.yaml
@@ -5,6 +5,8 @@ resources:
 - ../base
 - ../../openshift-gitops
 - external-secrets.yaml
+ - namespace-manager-pod-reader-role.yaml
+ - namespace-manager-pod-reader-binding.yaml
 patches:
 - path: add-hypershift-params.yaml
 target:
diff --git a/components/cluster-as-a-service/staging/namespace-manager-pod-reader-binding.yaml b/components/cluster-as-a-service/staging/namespace-manager-pod-reader-binding.yaml
new file mode 100644
index 00000000000..383c3b405f7
--- /dev/null
+++ b/components/cluster-as-a-service/staging/namespace-manager-pod-reader-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: namespace-manager-pod-reader-binding
+ namespace: clusters # Binding is scoped to the 'clusters' namespace
+subjects:
+ - kind: ServiceAccount
+ name: namespace-manager
+ namespace: ${SPACE_NAME}-eaas # TODO: need to find a non var solution here
+roleRef:
+ kind: Role
+ name: namespace-manager-pod-reader # Refers to the Role in the 'clusters' namespace
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/components/cluster-as-a-service/staging/namespace-manager-pod-reader-role.yaml b/components/cluster-as-a-service/staging/namespace-manager-pod-reader-role.yaml
new file mode 100644
index 00000000000..35d75f44680
--- /dev/null
+++ b/components/cluster-as-a-service/staging/namespace-manager-pod-reader-role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: namespace-manager-pod-reader
+ namespace: clusters # Restricts the permissions to the 'clusters' namespace
+rules:
+ - apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get"]
\ No newline at end of file
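Review bot: In namespace-manager-pod-reader-binding.yaml the ServiceAccount subject's namespace is the literal string `${SPACE_NAME}-eaas`, and nothing visible in this patch substitutes it; kustomize does not expand shell-style variables in resource files. If the manifest is applied as written, the binding presumably matches no real service account, so the intended log access is never granted and nothing reports the miss. When the TODO is resolved, keep the subject as narrow as a single service account: a group subject such as `system:serviceaccounts` would give pod-log access in `clusters` to every service account on the cluster. Until then a comment like `# not expanded by kustomize; binding is inert until the tenant namespace is set` would state the current behaviour.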
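Review bot: In namespace-manager-pod-reader-role.yaml the Role is named `namespace-manager-pod-reader` and the commit subject says "pod read", but the only rule is `get` on `pods/log`, so the subject cannot get or list pod objects. If the caller has to look up a pod before fetching its log, that request will be denied; if log access alone is intended, a name such as `namespace-manager-pod-log-reader` would describe the grant accurately. The rule carries no `resourceNames`, so it covers the logs of every pod in `clusters`; a comment such as `# logs of all pods in 'clusters' are readable and may contain sensitive output` would record that this breadth is deliberate. Both new files also end without a trailing newline.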