
feat(infra): extend the kubectl view tier with read-only infra resources

GitHub issue · Closed

Metadata
Source: tuist/tuist #11361
Updated: Jun 24, 2026
Domains: Compute
Details

What

Adds a tuist-view-infra-read aggregated ClusterRole to the Pomerium access-tiers chart that extends the read-only view tier with get/list/watch on resources the upstream view role omits:

  • nodes (core)
  • CAPI machines: cluster.x-k8s.io + infrastructure.cluster.x-k8s.io (e.g. scalewayelasticmetalmachines, machinedeployments, machines)
  • Kura CRs: kura.tuist.dev (kurainstances, kuragateways)
  • customresourcedefinitions

It aggregates into view via the rbac.authorization.k8s.io/aggregate-to-view: "true" label, so both tuist-admins and tuist-eng inherit it with no binding change.

Why

The view tier (every member plus their agents) binds to the upstream view ClusterRole, which only covers core namespaced resources. Observing an infra rollout (an Elastic Metal node joining, per-account Kura cache instances going active, fleet/machine state) requires reading cluster-scoped and custom resources, all of which currently return 403. This surfaced while watching the macOS runner-cache rollout: server pods and kura namespace pods were readable, but nodes, scalewayelasticmetalmachines, machinedeployments, and kurainstances all returned Forbidden.

Consistent with the cluster-access design in infra/AGENTS.md: agent containment is about blocking mutation, not restricting reads. Every write is still 403.

Safety

  • Strictly get/list/watch. No write verbs.
  • No secrets rule, so the view tier’s deliberate Secret exclusion (MASTER_KEY, DATABASE_URL, ESO-synced secrets) is untouched.
  • None of the added resource kinds embed secret data: CAPI and Kura reference Secrets by name, never inline. bootstrap.cluster.x-k8s.io / controlplane.cluster.x-k8s.io are deliberately left out, since their configs can carry inline join material.
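The three safety properties above (aggregates into view, strictly get/list/watch, never touches Secrets or the secret-bearing CAPI config groups) are the kind of thing worth checking mechanically against the rendered chart rather than by eye. The following is an added example, not code from the tuist/tuist PR or its Helm chart: a small Python lint over a ClusterRole manifest, here loaded as a Python dict rather than parsed from `helm template` output. The `VIEW_INFRA_READ` manifest is constructed from the resource kinds named in the PR text (the exact per-group resource lists are an assumption, not the PR's rendered output), and `BROKEN_ROLE` is a deliberately wrong variant constructed to show what the checks flag.

```python
"""Added example (not the tuist/tuist PR's code): lint an aggregated, read-only ClusterRole
for the safety properties the PR description states.  Manifests below are constructed."""

READ_ONLY_VERBS = {"get", "list", "watch"}
SECRET_BEARING_RESOURCES = {"secrets"}                   # deliberately excluded from the view tier
SECRET_BEARING_GROUPS = {"bootstrap.cluster.x-k8s.io",   # configs in these groups can carry
                         "controlplane.cluster.x-k8s.io"}  # inline join material, so stay out
AGGREGATE_TO_VIEW = "rbac.authorization.k8s.io/aggregate-to-view"


def _ro(groups, resources):
    """Build one rule that allows only the three read verbs."""
    return {"apiGroups": groups, "resources": resources, "verbs": sorted(READ_ONLY_VERBS)}


# Constructed from the PR text; resource lists per group are an assumption.
VIEW_INFRA_READ = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "tuist-view-infra-read", "labels": {AGGREGATE_TO_VIEW: "true"}},
    "rules": [
        _ro([""], ["nodes"]),
        _ro(["cluster.x-k8s.io"], ["machines", "machinedeployments"]),
        _ro(["infrastructure.cluster.x-k8s.io"], ["scalewayelasticmetalmachines"]),
        _ro(["kura.tuist.dev"], ["kurainstances", "kuragateways"]),
        _ro(["apiextensions.k8s.io"], ["customresourcedefinitions"]),
    ],
}

# Constructed wrong variant: no aggregation label, a write verb, a core-group wildcard
# (which silently includes secrets) and a rule in an excluded CAPI group.
BROKEN_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "tuist-view-infra-read", "labels": {}},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch", "patch"]},
        {"apiGroups": [""], "resources": ["*"], "verbs": ["get"]},
        {"apiGroups": ["bootstrap.cluster.x-k8s.io"], "resources": ["kubeadmconfigs"], "verbs": ["get"]},
    ],
}


def lint_read_only_view_extension(role):
    """Return a list of findings; an empty list means the role keeps the PR's safety properties."""
    findings = []
    if role.get("kind") != "ClusterRole":
        findings.append("kind must be ClusterRole so it can aggregate into the cluster-wide view role")
    labels = role.get("metadata", {}).get("labels", {})
    if labels.get(AGGREGATE_TO_VIEW) != "true":
        findings.append(f"missing label {AGGREGATE_TO_VIEW}=true; view-tier bindings would not inherit it")
    for i, rule in enumerate(role.get("rules", [])):
        where = f"rule {i} ({rule.get('apiGroups')}/{rule.get('resources')})"
        verbs = set(rule.get("verbs", []))
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        extra = verbs - READ_ONLY_VERBS
        if extra:
            findings.append(f"{where}: non-read verbs {sorted(extra)}")
        if "*" in groups:
            findings.append(f"{where}: wildcard apiGroups would include the core group and its Secrets")
        if resources & SECRET_BEARING_RESOURCES:
            findings.append(f"{where}: grants Secrets, which the view tier deliberately excludes")
        if "*" in resources and "" in groups:
            findings.append(f"{where}: wildcard resources in the core group implicitly include secrets")
        if groups & SECRET_BEARING_GROUPS:
            findings.append(f"{where}: apiGroups {sorted(groups & SECRET_BEARING_GROUPS)} can carry inline join material")
    return findings


if __name__ == "__main__":
    for name, role in (("tuist-view-infra-read", VIEW_INFRA_READ), ("broken variant", BROKEN_ROLE)):
        result = lint_read_only_view_extension(role)
        print(name + ":", "OK" if not result else "\n  " + "\n  ".join(result))
```

In practice the dicts would come from `helm template` output parsed with a YAML library, and the lint would run in CI next to the existing `helm template` validation step, so a later edit that adds a write verb or a `secrets` resource fails before pomerium-deployment.yml rolls it to staging.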

Rollout

pomerium-deployment.yml triggers on push to main for infra/helm/pomerium/** and rolls staging then canary then production, so merging applies it to all three clusters automatically.

Validation

  • helm template renders the role with the aggregate-to-view label and read-only rules.
  • Updated infra/AGENTS.md read-access section to reflect the extended view tier.

🤖 Generated with Claude Code

Comments

No GitHub comments yet.