From 2a508c4f29a87afa8fa32145bd5cbb6414bf3f70 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Mon, 13 Oct 2025 15:15:39 +0200
Subject: [PATCH] [api] Fix RBAC for listing of TenantNamespaces and handle system:masters
Signed-off-by: Andrei Kvapil
---
 packages/system/cozystack-api/templates/rbac.yaml | 3 +++
 pkg/registry/core/tenantnamespace/rest.go | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/packages/system/cozystack-api/templates/rbac.yaml b/packages/system/cozystack-api/templates/rbac.yaml
index 1a169d86..e4b3aca9 100644
--- a/packages/system/cozystack-api/templates/rbac.yaml
+++ b/packages/system/cozystack-api/templates/rbac.yaml
@@ -6,6 +6,9 @@ rules:
 - apiGroups: [""]
 resources: ["namespaces", "secrets"]
 verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["rolebindings"]
+ verbs: ["get", "watch", "list"]
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["create", "update", "patch", "delete"]
diff --git a/pkg/registry/core/tenantnamespace/rest.go b/pkg/registry/core/tenantnamespace/rest.go
index a0b68357..f5196cad 100644
--- a/pkg/registry/core/tenantnamespace/rest.go
+++ b/pkg/registry/core/tenantnamespace/rest.go
@@ -272,6 +272,9 @@ func (r *REST) filterAccessible(
 for _, group := range u.GetGroups() {
 groups[group] = struct{}{}
 }
+ if _, ok = groups["system:masters"]; ok {
+ return names, nil
+ }
 if _, ok = groups["cozystack-cluster-admin"]; ok {
 return names, nil
 }
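Review bot: The new `rolebindings` rule carries no comment naming its consumer, and grants in this template are easier to audit when each one says why the API server needs it. Judging by the commit title it backs the TenantNamespace listing filter, so a line such as `# rolebindings: read by the TenantNamespace list filter to decide which namespaces a caller may see` above the rule would document that. The object's `kind:` is outside the hunk; if it is a ClusterRole, this is a cluster-wide read of every RoleBinding (subjects included), and the comment should say that scope is intended.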
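Review bot: The added `system:masters` branch returns the complete `names` slice on group membership alone, so the result is only as trustworthy as the groups the authenticator placed on `u`. If this server is reached through the aggregation layer, that trust rests on the request-header (front-proxy) client CA configuration, which deserves a comment such as `// system:masters bypasses the RoleBinding filter; groups must come from a verified authenticator, never from client-supplied headers`. The literal also duplicates an upstream constant, `user.SystemPrivilegedGroup` from `k8s.io/apiserver/pkg/authentication/user`, assuming that package is or can be imported in this file. The two identical early returns could be folded into one check over a small list of privileged groups. `filterAccessible` begins and ends outside the hunk, so how `ok` and `names` are set up is not visible here.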