
feat(infra): add RBAC read to the view-tier infra-read role

GitHub issue · Closed

Metadata
Source
tuist/tuist #11368
Updated
Jun 24, 2026
Domains
Kura
Details

What

Extends tuist-view-infra-read (the aggregate-to-view ClusterRole added in #11361) with get/list/watch on clusterroles, clusterrolebindings, roles, rolebindings.

Why

A canary deploy failed with helm --wait reporting ClusterRole//tuist-tuist-kura-controller-node-reads not ready. status: NotFound (among others). Confirming whether that was a real apply failure or a kstatus/rollback artifact required reading the ClusterRole — which the upstream view role hides (RBAC is excluded as an anti-recon measure). I had to infer it from controller logs instead (no forbidden errors → the RBAC was fine, it was a rollback artifact). Read access to RBAC objects makes that diagnosis direct.

Safety

This is the one deliberate departure from upstream view’s shape: it exposes the authorization graph. Accepted because:

  • It is strictly get/list/watch (read-only) and adds no secrets rule, so the view tier’s deliberate Secret exclusion is untouched.
  • The cluster-access design (infra/AGENTS.md) contains agents on mutation, not reads. Every write is still 403. Reading the grant list does not enable escalation.
  • For a small trusted team where read-only is already blessed, being able to debug a misbound/NotFound RBAC object during a deploy is worth more than hiding the authz graph from a read-only identity.

Rollout

pomerium-deployment.yml triggers on push to main for infra/helm/pomerium/** and rolls staging → canary → production, so merging applies it to all three clusters automatically.

🤖 Generated with Claude Code
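What a ClusterRole of the shape described above looks like, as an added illustration rather than the PR's own manifest (the real object is tuist-view-infra-read, whose full definition is not shown on this page; the name, labels and comments below are assumptions). The `aggregate-to-view` label is the standard mechanism by which kube-controller-manager folds a ClusterRole's rules into the built-in `view` ClusterRole, and the rule list is exactly the read-only RBAC grant the issue adds:

```yaml
# Added example, not the project's manifest. The object name is a placeholder;
# the label and the apiGroup/resources/verbs are the standard Kubernetes values.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-view-rbac-read
  labels:
    # kube-controller-manager's aggregation controller matches this label
    # against the built-in "view" ClusterRole's aggregationRule selector and
    # merges the rules below into "view" (and into anything that aggregates
    # from "view" in turn).
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  # Read-only over the authorization graph. No create/update/patch/delete,
  # and no "bind" or "escalate": those are the verbs the API server's RBAC
  # escalation checks gate, so this rule cannot be used to widen grants.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
    verbs: ["get", "list", "watch"]
  # Deliberately no rule for core-group "secrets": the view tier's Secret
  # exclusion is left untouched.
```

Two checks worth running after the rollout. Confirm the rule actually landed in the aggregated role with `kubectl get clusterrole view -o yaml` (the aggregation controller rewrites `view`'s `rules` field; it takes a moment), and confirm the effective permission for the read-only identity with `kubectl auth can-i get clusterroles --as=<user-or-sa>`; the same command with `create clusterrolebindings` should still answer `no`. One caveat that follows from the label: `aggregate-to-view` widens the built-in `view` role itself, so every subject bound to `view` (not only the infra-read tier) gains RBAC read. If that is wider than intended, the alternative is a custom ClusterRole with its own `aggregationRule.clusterRoleSelectors` and a project-specific label, which keeps upstream `view` untouched.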

Comments

No GitHub comments yet.