Feature request: Configure cluster roles for promoted service accounts #1842

@tom-stockwell

Description

Describe the feature

The ability to configure the cluster roles for promoted service accounts.

Currently, when a service account is promoted it gets the following cluster roles attached to it in the Tenant.status.owners[x].clusterRoles field:

  • capsule-namespace-provisioner (doesn't actually do anything since the namespace has already been created)
  • capsule-namespace-deleter

These then get attached to the promoted service accounts as role bindings in each tenant namespace. However, since the admin cluster role is missing, a service account can create a namespace but can't interact with objects within that namespace after creation. This defeats the purpose when trying to e.g. bootstrap a tenancy with Flux or Argo CD.

What would the new user story look like?

As a platform administrator, I want to be able to configure the cluster roles that my Tenant's promoted service accounts get attached to for each of the tenant namespaces.

What would the new interaction with Capsule look like? E.g.

Ideally, this should be configurable in the Tenant spec. I'm ambivalent about the exact design/implementation, but perhaps something like Tenant.spec.promotedClusterRoles?

Alternatively, replacing the capsule-namespace-provisioner role binding by default with an admin role binding would also be a good start.

Feel free to add a diagram if that helps explain things.

Expected behavior

Promoted service accounts get appropriate cluster roles in tenant namespaces by default (e.g. admin) OR these role bindings are configurable in the Tenant spec.
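A platform administrator can check whether their cluster is affected by the gap this issue describes by listing, per tenant namespace, which ClusterRoles each ServiceAccount is bound to and flagging those that hold only the capsule-namespace-* roles. The script below is an added example and is not Capsule's own code; the RoleBinding objects, namespace names, binding names and the Flux service account are constructed here in the shape `kubectl get rolebindings -A -o json` returns.

```python
"""Audit per-namespace ClusterRole bindings for ServiceAccounts and flag the
gap from this issue: an SA bound only to capsule-namespace-provisioner /
capsule-namespace-deleter, with nothing granting access to objects inside
the namespace. Example code, not part of Capsule."""
from collections import defaultdict

# ClusterRoles Capsule binds to promoted owners today (from the issue).
CAPSULE_OWNER_ROLES = {"capsule-namespace-provisioner", "capsule-namespace-deleter"}
# Roles that do let a subject work with objects inside the namespace.
IN_NAMESPACE_ROLES = {"admin", "edit"}

def roles_per_subject(rolebindings):
    """Map (tenant_ns, sa_ns, sa_name) -> set of ClusterRole names bound to it."""
    bound = defaultdict(set)
    for rb in rolebindings:
        ref = rb["roleRef"]
        if ref.get("kind") != "ClusterRole":
            continue  # only ClusterRole bindings matter for this check
        for subj in rb.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            key = (rb["metadata"]["namespace"], subj["namespace"], subj["name"])
            bound[key].add(ref["name"])
    return bound

def find_gaps(rolebindings):
    """Return [(tenant_ns, sa_ns, sa_name, sorted_roles)] for SAs that hold a
    capsule-namespace-* role but no role granting in-namespace access."""
    gaps = []
    for (ns, sa_ns, sa), roles in sorted(roles_per_subject(rolebindings).items()):
        if roles & CAPSULE_OWNER_ROLES and not roles & IN_NAMESPACE_ROLES:
            gaps.append((ns, sa_ns, sa, sorted(roles)))
    return gaps

def rb(ns, name, role, sa_ns, sa):
    """Build a RoleBinding dict in the Kubernetes API shape (constructed sample)."""
    return {"metadata": {"namespace": ns, "name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "namespace": sa_ns, "name": sa}]}

# Constructed sample: two tenant namespaces owned by a promoted Flux SA; only
# team-a-prod has had an admin binding added by hand.
SAMPLE = [
    rb("team-a-dev", "owner-0-provisioner", "capsule-namespace-provisioner", "flux-system", "kustomize-controller"),
    rb("team-a-dev", "owner-0-deleter", "capsule-namespace-deleter", "flux-system", "kustomize-controller"),
    rb("team-a-prod", "owner-0-provisioner", "capsule-namespace-provisioner", "flux-system", "kustomize-controller"),
    rb("team-a-prod", "owner-0-deleter", "capsule-namespace-deleter", "flux-system", "kustomize-controller"),
    rb("team-a-prod", "team-a-admin", "admin", "flux-system", "kustomize-controller"),
]

if __name__ == "__main__":
    for ns, sa_ns, sa, roles in find_gaps(SAMPLE):
        print(f"{ns}: {sa_ns}/{sa} bound only to {roles}; cannot manage objects in the namespace")
```

Against a live cluster, feed the `items` list of `kubectl get rolebindings -A -o json` to `find_gaps` instead of `SAMPLE`.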

Labels: enhancement (New feature or request)