
fix(manifests): add roles permission to control-plane ClusterRole #1449

Merged
mergify[bot] merged 2 commits into main from fix/control-plane-clusterrole-roles-permission
Apr 23, 2026

Conversation

@markturansky (Contributor) commented Apr 23, 2026

Summary

  • Add roles to the control-plane ClusterRole alongside rolebindings in the rbac.authorization.k8s.io API group
  • The CP's ensureControlPlaneRBAC (project_reconciler.go:194) creates a Role ambient-control-plane-project-manager in each project namespace, but the ClusterRole only granted access to rolebindings — causing forbidden: cannot get resource "roles" errors

Test plan

  • Patched ClusterRole live on Stage — verified rule index 3 now includes ["roles", "rolebindings"]
  • After merge + deploy, verify CP logs no longer show RBAC errors for project reconciliation

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Expanded control plane permissions to include management of both roles and role bindings, in addition to existing capabilities.

The control-plane's ensureControlPlaneRBAC creates a Role named
ambient-control-plane-project-manager in each project namespace, but
the ClusterRole only granted access to rolebindings, not roles. This
caused "forbidden: cannot get resource roles" errors on project
reconciliation.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
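The failure described above is a pure RBAC rule-matching question: does any rule in the ClusterRole match (apiGroup, resource, verb) for the requests the reconciler makes? The following is an added example for this thread, not code from the project: an offline approximation of `kubectl auth can-i` that evaluates rules the way the Kubernetes RBAC authorizer does (any matching rule grants, `*` is a wildcard, there is no deny), applied to the rule before this PR, the rule as merged, and the reviewer's suggested split. The rule sets are transcribed from the diff in this PR; the list of verbs the reconciler needs on roles (get, create) is an assumption taken from the review comment, not from the reconciler's source.

```python
# Added example for this PR thread, not code from the project: an offline
# approximation of `kubectl auth can-i` over (Cluster)Role rules. A request is
# allowed if ANY rule matches its apiGroup, resource and verb; "*" is a wildcard.
# Rule sets are transcribed from the PR diff and the review suggestion; the
# verbs the reconciler needs are an ASSUMPTION taken from the review comment.
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

RBAC = "rbac.authorization.k8s.io"
ALL_VERBS = ("get", "list", "watch", "create", "update", "patch", "delete")


@dataclass(frozen=True)
class Rule:
    """One entry of a (Cluster)Role's `rules:` list. resourceNames and
    nonResourceURLs are omitted; the rule in this PR uses neither."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


Request = Tuple[str, str, str]  # (apiGroup, resource, verb)


def _matches(allowed: Iterable[str], wanted: str) -> bool:
    return any(a == "*" or a == wanted for a in allowed)


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    return (_matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def can_i(rules: Sequence[Rule], api_group: str, resource: str, verb: str) -> bool:
    """RBAC is purely additive: one matching rule is enough, there is no deny."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def missing_permissions(rules: Sequence[Rule], required: Iterable[Request]) -> List[Request]:
    """Requests the controller needs that these rules do not grant. Each one
    surfaces at runtime as a 'forbidden: cannot <verb> resource' error."""
    return [req for req in required if not can_i(rules, *req)]


def excess_verbs(rules: Sequence[Rule], api_group: str, resource: str,
                 required_verbs: Iterable[str]) -> List[str]:
    """Verbs granted on api_group/resource beyond the required set. A literal
    "*" in a matching rule is reported as excess, which is the right answer."""
    granted = set()
    for r in rules:
        if _matches(r.api_groups, api_group) and _matches(r.resources, resource):
            granted.update(r.verbs)
    return sorted(granted - set(required_verbs))


# Rule as it was before this PR: rolebindings only.
BEFORE = [Rule((RBAC,), ("rolebindings",), ALL_VERBS)]

# Rule as merged in this PR: roles added, inheriting the full verb set.
MERGED = [Rule((RBAC,), ("roles", "rolebindings"), ALL_VERBS)]

# Reviewer's suggested split (not applied before merge).
SPLIT = [
    Rule((RBAC,), ("roles",), ("get", "create", "delete")),
    Rule((RBAC,), ("rolebindings",), ALL_VERBS),
]

# ASSUMPTION (from the review comment): the reconciler only gets and creates Roles.
RECONCILER_NEEDS: List[Request] = [(RBAC, "roles", "get"), (RBAC, "roles", "create")]


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("merged", MERGED), ("split", SPLIT)):
        print(f"{name:7s} missing={missing_permissions(rules, RECONCILER_NEEDS)} "
              f"excess on roles={excess_verbs(rules, RBAC, 'roles', ['get', 'create'])}")
```

`missing_permissions(BEFORE, ...)` reproduces the `get roles` forbidden error from the PR description; `excess_verbs(MERGED, ...)` is the least-privilege gap the pre-merge check flagged; and on `SPLIT` it shows the suggestion still grants `delete` beyond the two verbs the comment cites. Before narrowing the real manifest, read `ensureControlPlaneRBAC`: if it updates an existing Role on drift rather than only creating a missing one, `update` or `patch` belongs in the required set. This approximation ignores `resourceNames`, aggregated ClusterRoles and the `escalate`/`bind` verbs; `kubectl auth can-i --as=system:serviceaccount:<ns>:<sa> get roles -n <project-ns>` is the authoritative check against a live cluster.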
@netlify Bot commented Apr 23, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

🔨 Latest commit: 6a270da
🔍 Latest deploy log: https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69ea9b694662cf0008147522

@coderabbitai Bot (Contributor) commented Apr 23, 2026

📝 Walkthrough

Extended the control-plane ClusterRole to include permissions for both roles and rolebindings resources under the rbac.authorization.k8s.io API group, maintaining all existing verbs (get, list, watch, create, update, patch, delete).

Changes

Cohort / File(s) and Summary
  • RBAC Configuration: components/manifests/base/rbac/control-plane-clusterrole.yaml
    Expanded RBAC rule to grant permissions on both roles and rolebindings resources (previously only rolebindings).
🚥 Pre-merge checks: ✅ 7 passed, ❌ 1 failed

❌ Failed checks (1 warning)
  • Kubernetes Resource Safety ⚠️ Warning. Explanation: Control-plane ClusterRole grants roles resource excessive verbs, violating least-privilege by permitting get, list, watch, create, update, patch, delete when only get, create, delete are required. Resolution: Split into two rules: roles with [get, create, delete] verbs and rolebindings with full verb set to enforce least-privilege access.

✅ Passed checks (7 passed)
  • Description Check ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check ✅ Passed: Title follows Conventional Commits format (fix(manifests): ...) and accurately describes the main change: expanding ClusterRole permissions to include roles resource.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Performance And Algorithmic Complexity ✅ Passed: PR modifies only a static Kubernetes RBAC manifest file with no runtime algorithms, loops, API calls, or dynamic logic. ClusterRole rule's resources field expanded to include roles alongside rolebindings.
  • Security And Secret Handling ✅ Passed: PR modifies only Kubernetes ClusterRole YAML with no hardcoded secrets, tokens, API keys, or sensitive data exposure. Adds roles resource authorization to fix forbidden errors.


@coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@components/manifests/base/rbac/control-plane-clusterrole.yaml`:
- Around line 18-20: The current RBAC rule groups resources "roles" and
"rolebindings" under apiGroups: ["rbac.authorization.k8s.io"] and grants the
full verb set; split this into two rules: one rule for "roles" that only
includes the minimal verbs the reconciler requires (e.g., "get" and "create")
and a separate rule for "rolebindings" that retains the broader verbs
("list","watch","update","patch","delete" as needed). Update the resources/verbs
entries so "roles" no longer inherits the full rolebindings verb set while
keeping rolebindings' permissions unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 91ad1c42-40d0-4c82-a79e-155c546444c2

📥 Commits

Reviewing files that changed from the base of the PR and between ab0b389 and 6a270da.

📒 Files selected for processing (1)
  • components/manifests/base/rbac/control-plane-clusterrole.yaml

Comment on lines 18 to 20
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["rolebindings"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
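Review bot: adding `roles` to the existing rule gives it the full verb set on line 20, while the only verbs this PR evidences for roles are `get` (the forbidden error in the description) and `create` (ensureControlPlaneRBAC creating the Role); list/watch/update/patch/delete on Roles are not justified by anything shown here. Because this is a ClusterRole, the grant applies in every namespace if it is bound through a ClusterRoleBinding, not only in project namespaces. Two caveats before narrowing: Kubernetes refuses to create a Role that grants permissions the caller does not itself hold (unless the caller has the `escalate` verb), so the control plane must already hold whatever ambient-control-plane-project-manager grants; and if the reconciler updates an existing Role on drift rather than only creating a missing one, `update` or `patch` is needed as well, so check ensureControlPlaneRBAC (project_reconciler.go:194) rather than trimming to the two verbs on faith.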

⚠️ Potential issue | 🟠 Major

Narrow roles permissions instead of inheriting full rolebindings verbs.

Line 19 fixes the missing roles access, but Line 20 now gives roles the full rolebindings verb set (list/watch/update/patch/delete) even though the provided reconcile path shows get + create for roles. Split this rule so roles has only required verbs, and keep broader verbs on rolebindings.

Suggested RBAC tightening
 - apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["roles", "rolebindings"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  resources: ["roles"]
+  verbs: ["get", "create", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["rolebindings"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
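Review bot: the suggested `verbs: ["get", "create", "delete"]` for roles adds `delete`, which the comment's own reasoning (get + create in the reconcile path) does not establish, and drops `update`/`patch`, which would reintroduce forbidden errors if ensureControlPlaneRBAC updates an existing Role instead of only creating a missing one; verify the verb set against project_reconciler.go before adopting it. Note that this suggestion was not applied: the PR merged at 6a270da, the same commit this review covers, so main carries the combined rule with the full verb set on roles.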

As per coding guidelines, components/manifests/**/*.yaml: - RBAC must follow least-privilege.


@mergify Bot added the queued label Apr 23, 2026

@mergify Bot commented Apr 23, 2026

Merge Queue Status

  • Entered queue 2026-04-23 22:32 UTC · Rule: default
  • Checks skipped · PR is already up-to-date
  • Merged 2026-04-23 22:32 UTC · at 6a270dab4bd655c75bf3797fa116a5e9a243d336 · squash

This pull request spent 9 seconds in the queue, including 1 second running CI.

@mergify Bot merged commit e247e38 into main Apr 23, 2026
56 checks passed
@mergify Bot deleted the fix/control-plane-clusterrole-roles-permission branch April 23, 2026 22:32
@mergify Bot removed the queued label Apr 23, 2026