OPRUN-4591: Add RBAC for console lifecycle-server API access#1144

Open
perdasilva wants to merge 1 commit into openshift:main from perdasilva:operator-lifecycle-data

Conversation

@perdasilva perdasilva commented Apr 28, 2026

Summary

  • Adds a ClusterRole (system:openshift:console:lifecycle-reader) and ClusterRoleBinding that grant the console ServiceAccount GET access to lifecycle-server nonResourceURL paths (/api/*/lifecycles/*).
  • The lifecycle-server uses TokenReview / SubjectAccessReview for authn/authz on nonResourceURLs, so the console pod SA needs explicit RBAC to call the API.
  • Gated behind TechPreviewNoUpgrade feature set and scoped to the Console capability.

Details

The lifecycle-server exposes operator lifecycle data (e.g. update risks, recommended actions) via nonResourceURL endpoints. The console backend needs to query these endpoints to surface lifecycle information in the UI.

Since nonResourceURLs are not covered by standard namespace-scoped RBAC, a dedicated ClusterRole with nonResourceURLs rules is required. The ClusterRoleBinding binds this role to the console ServiceAccount in the openshift-console namespace.

Test plan

  • Verify the ClusterRole and ClusterRoleBinding are created on a TechPreviewNoUpgrade cluster
  • Confirm the console SA can GET /api/*/lifecycles/* endpoints on the lifecycle-server
  • Confirm the resources are not created on a standard (non-TechPreview) cluster

🤖 Commit and PR descriptions generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added permissions for the OpenShift console to read lifecycle-related information from the platform API.

Add a ClusterRole and ClusterRoleBinding that grant the console
ServiceAccount read access to the lifecycle-server nonResourceURL
paths (/api/*/lifecycles/*).

The lifecycle-server authenticates callers via TokenReview and
authorizes them via SubjectAccessReview on nonResourceURLs. These
RBAC resources allow the console backend to call the lifecycle API
using its pod ServiceAccount token.

The manifest is gated behind TechPreviewNoUpgrade and scoped to the
Console capability.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
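The description above leans on one Kubernetes detail: a SubjectAccessReview for a nonResourceURL is decided by the API server's RBAC authorizer, which matches a rule URL either exactly or as a prefix when `*` is the final path step (the PolicyRule API doc: "*s are allowed, but only as the full, final step in the path"). The toy evaluator below, added here as an illustration and not code from this PR, from the console-operator, or from Kubernetes, re-implements that decision so the test plan's "can the console SA GET the lifecycle paths?" question can be answered offline. Role and binding names are the ones the description gives; the console ServiceAccount being named `console` and the request verb being the lower-cased HTTP method are assumptions. It also shows why the shorthand `/api/*/lifecycles/*` cannot be copied literally into a manifest: a `*` in the middle of a pattern is just a character, so a real manifest needs one trailing-wildcard prefix per concrete path such as `/api/v1/lifecycles/*`, and a shorter prefix like `/api/*` would grant more than the console needs.

```python
"""Toy re-implementation of the Kubernetes RBAC decision for a
SubjectAccessReview on a nonResourceURL.  Illustration added to this page;
it is not code from the console-operator PR or from Kubernetes.  Role and
binding names follow the PR description; the console ServiceAccount name
"console" is an assumption."""
from dataclasses import dataclass

NON_RESOURCE_ALL = "*"
VERB_ALL = "*"


@dataclass
class PolicyRule:
    verbs: list
    non_resource_urls: list


@dataclass
class ClusterRole:
    name: str
    rules: list


@dataclass
class ClusterRoleBinding:
    name: str
    role_ref: str          # ClusterRole name
    subjects: list         # (kind, name, namespace) tuples


def subject_to_principal(kind, name, namespace=None):
    """ServiceAccount subjects are matched by their well-known user name."""
    if kind == "ServiceAccount":
        return f"system:serviceaccount:{namespace}:{name}"
    return name            # User or Group subjects match by name


def verb_matches(rule, verb):
    return VERB_ALL in rule.verbs or verb in rule.verbs


def non_resource_url_matches(rule, requested):
    """Same contract as the RBAC authorizer: a rule URL matches exactly, or as a
    prefix when '*' is the final path step.  A '*' anywhere else is a literal
    character and therefore never matches a real request path."""
    for rule_url in rule.non_resource_urls:
        if rule_url == NON_RESOURCE_ALL or rule_url == requested:
            return True
        if rule_url.endswith("*") and requested.startswith(rule_url[:-1]):
            return True
    return False


def can_i(principal, groups, verb, path, roles, bindings):
    """Allow iff some binding names the caller (or one of its groups) and the
    referenced ClusterRole holds a rule covering both verb and path."""
    roles_by_name = {r.name: r for r in roles}
    for binding in bindings:
        bound = {subject_to_principal(*s) for s in binding.subjects}
        if principal not in bound and not (set(groups) & bound):
            continue
        role = roles_by_name.get(binding.role_ref)
        if role is None:       # a dangling roleRef grants nothing
            continue
        for rule in role.rules:
            if verb_matches(rule, verb) and non_resource_url_matches(rule, path):
                return True
    return False


# Assumed: the console pod runs as ServiceAccount "console" in openshift-console.
CONSOLE_SA = subject_to_principal("ServiceAccount", "console", "openshift-console")
CONSOLE_GROUPS = ["system:serviceaccounts",
                  "system:serviceaccounts:openshift-console",
                  "system:authenticated"]


def build_policy(rule_url):
    """ClusterRole + ClusterRoleBinding as the PR describes them, parameterised
    on the nonResourceURL pattern so different patterns can be compared."""
    role = ClusterRole(
        name="system:openshift:console:lifecycle-reader",
        rules=[PolicyRule(verbs=["get"], non_resource_urls=[rule_url])],
    )
    binding = ClusterRoleBinding(
        name="console-lifecycle-reader",
        role_ref=role.name,
        subjects=[("ServiceAccount", "console", "openshift-console")],
    )
    return [role], [binding]


def decide(rule_url, verb, path, principal=CONSOLE_SA, groups=CONSOLE_GROUPS):
    """Answer 'can <principal> <verb> <path>?' under the policy built from rule_url."""
    roles, bindings = build_policy(rule_url)
    return can_i(principal, groups, verb, path, roles, bindings)


if __name__ == "__main__":
    # Trailing-wildcard prefix: the intended grant works, for the console SA only.
    print(decide("/api/v1/lifecycles/*", "get", "/api/v1/lifecycles/cluster"))   # True
    print(decide("/api/v1/lifecycles/*", "post", "/api/v1/lifecycles/cluster"))  # False: verb not granted
    print(decide("/api/v1/lifecycles/*", "get", "/api/v1/lifecycles/cluster",
                 principal="system:serviceaccount:default:default",
                 groups=["system:authenticated"]))                               # False: not bound
    # A '*' in the middle of the pattern is literal, so nothing ever matches.
    print(decide("/api/*/lifecycles/*", "get", "/api/v1/lifecycles/cluster"))   # False
    # A shorter prefix matches, but also covers paths the console has no business reading.
    print(decide("/api/*", "get", "/api/v1/unrelated"))                          # True
```

On a live TechPreviewNoUpgrade cluster the same question is asked with `oc auth can-i get /api/v1/lifecycles/cluster --as=system:serviceaccount:openshift-console:console`, which goes through the real authorizer; the evaluator here only reproduces its nonResourceURL semantics for reasoning about the manifest before it is applied.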
openshift-ci Bot commented Apr 28, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the label do-not-merge/work-in-progress (Indicates that a PR should not merge because it is a work in progress.) Apr 28, 2026
coderabbitai Bot commented Apr 28, 2026

Walkthrough

A new Kubernetes RBAC manifest file is introduced that defines a ClusterRole granting read access to lifecycle-related API non-resource URLs and a ClusterRoleBinding that binds this role to the console ServiceAccount in the openshift-console namespace.

Changes

  • RBAC Manifest (manifests/03-rbac-role-cluster-openshift-console-user-operator-lifecycle-reader.yaml): Adds ClusterRole system:openshift:console:lifecycle-reader with read access to /api/*/lifecycles/* endpoints and ClusterRoleBinding console-lifecycle-reader granting this role to the console ServiceAccount in openshift-console namespace with feature-set annotations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks: ✅ 11 passed | ❌ 1 failed

❌ Failed checks (1 inconclusive)

  • Description check (❓ Inconclusive): The PR description is comprehensive and addresses the solution and test plan. However, it omits or incompletely fills required template sections like 'Analysis / Root cause', 'Browser conformance', and 'Reviewers and assignees'. Resolution: Complete the PR description by filling in all required template sections: provide Analysis/Root cause, verify browser compatibility checkboxes, and assign appropriate reviewers (console engineer, docs/PX approvers if applicable).

✅ Passed checks (11 passed)

  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (✅ Passed): PR introduces only a Kubernetes RBAC manifest file with static YAML configuration; no Ginkgo test files or test code present, making this check inapplicable.
  • Test Structure And Quality (✅ Passed): PR only adds a Kubernetes RBAC manifest file and does not include any Go test code or Ginkgo test modifications.
  • Microshift Test Compatibility (✅ Passed): PR adds only RBAC manifest file with no Ginkgo e2e test additions, so custom check does not apply.
  • Single Node Openshift (Sno) Test Compatibility (✅ Passed): The PR adds only a Kubernetes RBAC manifest file with no new Ginkgo e2e tests, so the test-specific check is not applicable and passes.
  • Topology-Aware Scheduling Compatibility (✅ Passed): The change adds only RBAC resources (ClusterRole and ClusterRoleBinding) that define API permissions with no scheduling constraints, pod affinity rules, replica counts, or topology assumptions.
  • Ote Binary Stdout Contract (✅ Passed): The OTE Binary Stdout Contract check is not applicable to this pull request as it contains only Kubernetes YAML manifest files with no Go code or executable content.
  • Ipv6 And Disconnected Network Test Compatibility (✅ Passed): This pull request only introduces a Kubernetes RBAC manifest file containing ClusterRole and ClusterRoleBinding definitions for console lifecycle API access. No Ginkgo e2e tests have been added.
  • Title check (✅ Passed): The title directly and clearly describes the main change: adding RBAC rules for console lifecycle-server API access, which matches the PR objective of introducing a ClusterRole and ClusterRoleBinding for this purpose.

Comment @coderabbitai help to get the list of available commands and usage tips.

openshift-ci Bot commented Apr 28, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: perdasilva
Once this PR has been reviewed and has the lgtm label, please assign therealjon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@perdasilva perdasilva marked this pull request as ready for review April 29, 2026 09:36
@openshift-ci openshift-ci Bot removed the label do-not-merge/work-in-progress (Indicates that a PR should not merge because it is a work in progress.) Apr 29, 2026
perdasilva (Author) commented:

/hold not ready

@openshift-ci openshift-ci Bot added the label do-not-merge/hold (Indicates that a PR should not merge because someone has issued a /hold command.) Apr 29, 2026
@openshift-ci openshift-ci Bot requested review from jhadvig and spadgett April 29, 2026 09:36
perdasilva (Author) commented:

/retest

@perdasilva perdasilva changed the title Add RBAC for console lifecycle-server API access OPRUN-4591: Add RBAC for console lifecycle-server API access Apr 29, 2026
@openshift-ci-robot openshift-ci-robot added the label jira/valid-reference (Indicates that this PR references a valid Jira ticket of any type.) Apr 29, 2026
openshift-ci-robot commented Apr 29, 2026

@perdasilva: This pull request references OPRUN-4591 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci Bot commented Apr 29, 2026

@perdasilva: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/e2e-azure-ovn-upgrade (commit 58da58f, required: true): rerun with /test e2e-azure-ovn-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

  • do-not-merge/hold: Indicates that a PR should not merge because someone has issued a /hold command.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
