From fce8fae08f54eac33f3c4b1a15d3d9ceb230fe75 Mon Sep 17 00:00:00 2001
From: user
Date: Thu, 23 Apr 2026 18:20:39 -0400
Subject: [PATCH] fix(manifests): add roles permission to control-plane ClusterRole
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The control-plane's ensureControlPlaneRBAC creates a Role named ambient-control-plane-project-manager in each project namespace, but the ClusterRole only granted access to rolebindings, not roles. This caused "forbidden: cannot get resource roles" errors on project reconciliation.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 components/manifests/base/rbac/control-plane-clusterrole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/manifests/base/rbac/control-plane-clusterrole.yaml b/components/manifests/base/rbac/control-plane-clusterrole.yaml
index c2cec298e..6b54117e9 100644
--- a/components/manifests/base/rbac/control-plane-clusterrole.yaml
+++ b/components/manifests/base/rbac/control-plane-clusterrole.yaml
@@ -16,7 +16,7 @@ rules:
 verbs: ["get", "list", "watch", "create", "update", "patch"]
 # RoleBindings (reconcile group access from ProjectSettings)
 - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["rolebindings"]
+ resources: ["roles", "rolebindings"]
 verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 # Session runner resources (provision/deprovision per-session workloads in project namespaces)
 - apiGroups: [""]
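Review bot: The added `roles` entry inherits this rule's full verb list, so the control plane gains create/update/patch/delete on every Role its binding reaches, while the commit message describes managing a single Role named ambient-control-plane-project-manager per project namespace. Kubernetes' RBAC escalation check still blocks writing a Role with permissions the service account does not hold, but it does not stop deleting or rewriting unrelated Roles. Consider moving roles into its own rule, limited to the verbs ensureControlPlaneRBAC actually uses (inferred here as get/create/update/patch; the function is not in this patch) and pinned with resourceNames where the API allows it. The comment above the rule still names only RoleBindings, and the binding that sets this rule's scope is outside the hunk.

```yaml
# … unchanged: rolebindings rule, with resources back to ["rolebindings"] …
# Roles: per-project Role created by ensureControlPlaneRBAC.
# create cannot be scoped by resourceNames, so it is granted in its own rule.
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["create"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  resourceNames: ["ambient-control-plane-project-manager"]
  verbs: ["get", "update", "patch"]
```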