From dee1ae14e40eff74447798c55e6021d38203aaef Mon Sep 17 00:00:00 2001
From: stxkxs <stxkxs@users.noreply.github.com>
Date: Sat, 13 Jun 2026 12:06:18 -0700
Subject: [PATCH] Add the portal-reader ClusterRole addon
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

portal (the ops portal) reaches managed clusters with its per-account spoke IAM
role, mapped to the "portal-reader" Kubernetes group via an EKS access entry
(landing-zone fleet/aws/cluster-stack). This binds that group to the minimal read
portal needs: the eks-agent-platform Tenant/Platform CRs (its tenant-inventory
watcher) + nodes (best-effort node count in the connection test). No Secrets, no
workloads — the least-privilege replacement for the broad AmazonEKSAdminViewPolicy
the access entry would otherwise carry.

A pure-Kustomize bootstrap addon (base + dev/staging/production overlays) applied
to every cluster by addons-bootstrap-kustomize, so each spoke self-reconciles it
via its spoke-local ArgoCD.
---
 .../portal-reader/base/kustomization.yaml     |  5 +++
 .../portal-reader/base/portal-reader.yaml     | 31 +++++++++++++++++++
 .../overlays/dev/kustomization.yaml           |  5 +++
 .../overlays/production/kustomization.yaml    |  5 +++
 .../overlays/staging/kustomization.yaml       |  5 +++
 .../addons-bootstrap-kustomize.yaml           |  4 +++
 6 files changed, 55 insertions(+)
 create mode 100644 addons/bootstrap/portal-reader/base/kustomization.yaml
 create mode 100644 addons/bootstrap/portal-reader/base/portal-reader.yaml
 create mode 100644 addons/bootstrap/portal-reader/overlays/dev/kustomization.yaml
 create mode 100644 addons/bootstrap/portal-reader/overlays/production/kustomization.yaml
 create mode 100644 addons/bootstrap/portal-reader/overlays/staging/kustomization.yaml

diff --git a/addons/bootstrap/portal-reader/base/kustomization.yaml b/addons/bootstrap/portal-reader/base/kustomization.yaml
new file mode 100644
index 0000000..aaa7921
--- /dev/null
+++ b/addons/bootstrap/portal-reader/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - portal-reader.yaml
diff --git a/addons/bootstrap/portal-reader/base/portal-reader.yaml b/addons/bootstrap/portal-reader/base/portal-reader.yaml
new file mode 100644
index 0000000..fe2f38a
--- /dev/null
+++ b/addons/bootstrap/portal-reader/base/portal-reader.yaml
@@ -0,0 +1,31 @@
+# Read access for the portal ops portal. portal's per-account spoke IAM role is
+# mapped to the "portal-reader" group via an EKS access entry (kubernetes_groups,
+# wired in landing-zone fleet/aws/cluster-stack). This binds that group to the
+# minimal read portal needs on a managed cluster: the eks-agent-platform
+# Tenant/Platform CRs (its tenant-inventory watcher) and nodes (best-effort node
+# count in the connection test). No Secrets, no workloads — strictly the surface
+# portal reads, replacing the broad AmazonEKSAdminViewPolicy.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: portal-reader
+rules:
+  - apiGroups: ["platform.nanohype.dev"]
+    resources: ["tenants", "platforms"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: portal-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: portal-reader
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: portal-reader
diff --git a/addons/bootstrap/portal-reader/overlays/dev/kustomization.yaml b/addons/bootstrap/portal-reader/overlays/dev/kustomization.yaml
new file mode 100644
index 0000000..774a422
--- /dev/null
+++ b/addons/bootstrap/portal-reader/overlays/dev/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
diff --git a/addons/bootstrap/portal-reader/overlays/production/kustomization.yaml b/addons/bootstrap/portal-reader/overlays/production/kustomization.yaml
new file mode 100644
index 0000000..774a422
--- /dev/null
+++ b/addons/bootstrap/portal-reader/overlays/production/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
diff --git a/addons/bootstrap/portal-reader/overlays/staging/kustomization.yaml b/addons/bootstrap/portal-reader/overlays/staging/kustomization.yaml
new file mode 100644
index 0000000..774a422
--- /dev/null
+++ b/addons/bootstrap/portal-reader/overlays/staging/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
diff --git a/applicationsets/addons-bootstrap-kustomize.yaml b/applicationsets/addons-bootstrap-kustomize.yaml
index 0711e0f..496a6d3 100644
--- a/applicationsets/addons-bootstrap-kustomize.yaml
+++ b/applicationsets/addons-bootstrap-kustomize.yaml
@@ -25,6 +25,10 @@ spec:
                   namespace: kube-system
                   path: addons/bootstrap/priority-classes
                   syncWave: "2"
+                - appName: portal-reader
+                  namespace: kube-system
+                  path: addons/bootstrap/portal-reader
+                  syncWave: "2"
   template:
     metadata:
       name: '{{ .appName }}'