Add opt-in RBAC management UI via rbacManagement flag

[dimitri-nicolo]

Description

Type: New feature (Calico Enterprise only). Addresses PMREQ-824.

Adds an opt-in RBAC management UI feature, toggled by a new Manager.spec.rbacManagement.enabled flag. When enabled, the operator renders the additional permissions and network access the UI needs to let an administrator manage role/group assignments from the Manager: maintaining a catalog of managed ClusterRoles, binding IdP groups to roles, and discovering groups from an external LDAP directory. The flag is zero-tenant only and defaults to false, so existing clusters are unaffected until an operator explicitly turns it on.

This should be merged because it's the operator-side enablement for the RBAC management UI; without it the UI's backend has no RBAC or egress to function, and gating keeps the feature entirely dormant (and its escalation-capable permissions un-granted) on clusters that don't use it.

What the flag turns on, by layer

• API (api/v1/manager_types.go) — new RBACManagement spec struct + nil-safe Manager.RBACManagementEnabled() helper; regenerated deepcopy and CRD. Disabling after enabling does not garbage-collect already-rendered RBAC objects — documented on the CRD surface as one-way.
• Render
  • calico-kube-controllers: enables the rbacsync controller stanza and its RBAC only when the flag is set (controller is dormant otherwise).
  • calico-manager role: adds the RBAC management UI permissions (full CRUD on managed RBAC objects, escalation-prevention coverage for tier/resource roles, Dex login-cache and IdP-LDAP/IdP-groups access) and opens egress to LDAP ports 389/636.
  • tigera-network-admin (apiserver): grants the bind/escalate-capable rule needed to assign managed roles via the UI — also gated on the flag so non-RBAC-UI clusters never receive these verbs.
  • Shared escalation-prevention rules live in a new pkg/render/rbac_management.go so the manager and kube-controllers roles stay aligned.

Why the installation and apiserver controllers read the Manager CR

The flag conceptually belongs to the Manager, but two of the resources it gates are not rendered by the manager controller:

• The rbacsync controller runs inside calico-kube-controllers, which is rendered by the installation controller.
• The tigera-network-admin ClusterRole is rendered by the apiserver controller.

So each of those controllers has to read Manager.spec.rbacManagement.enabled itself to make its gating decision. Both do so via a new nil-safe helper, utils.GetZeroTenantManagerOrNil, and pass the resulting *Manager (or nil) into their render config:

• Installation controller → KubeControllersConfiguration.Manager, consumed as cfg.Manager.RBACManagementEnabled() to decide whether to append the rbacsync controller + its RBAC.
• Apiserver controller → APIServerConfiguration.RBACManagementEnabled, used to decide whether to append the bind/escalate rule to tigera-network-admin.

The *Manager (rather than a pre-computed bool) is threaded through where convenient so the nil handling stays in the one helper — RBACManagementEnabled() returns false for a nil receiver, matching the opt-in, fail-safe-off intent.

Why "zero-tenant": in multi-tenant management clusters each tenant has its own namespaced Manager, fetched tenant-aware by the manager controller's existing GetManager. The installation and apiserver controllers are cluster-scoped and have no tenant namespace in scope, and rbacManagement is a zero-tenant-only feature — so the new helper deliberately does a cluster-scoped Get ({Name: "tigera-secure"}, no namespace). Its name is a guardrail: callers needing a tenant-scoped Manager must keep using GetManager; non-manager controllers reading zero-tenant-only flags use GetZeroTenantManagerOrNil. On a multi-tenant cluster the cluster-scoped Manager typically doesn't exist, so the helper returns nil and the feature stays off — the intended fail-safe behavior.

Why the new watches: both controllers also add a watch on the Manager CR. Without it, toggling rbacManagement.enabled would not re-trigger an installation/apiserver reconcile, so the rbacsync controller and the network-admin rule wouldn't appear or disappear until some unrelated event happened to re-run those controllers.

Components affected: apiserver (tigera-network-admin), manager (calico-manager role + network policy), kube-controllers (rbacsync), Manager CRD, installation & apiserver controllers.

Release Note

Added an opt-in `Manager.spec.rbacManagement.enabled` flag that enables the RBAC management UI. When enabled, the operator grants the additional RBAC and LDAP egress the UI requires; it defaults to disabled and is supported in zero-tenant management clusters only. Disabling the flag does not remove RBAC objects already created while it was enabled.

For PR author

• Tests for change.
• If changing pkg/apis/, run make gen-files
• If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

• Milestone set according to targeted release.
• Appropriate labels:
  • kind/bug if this is a bugfix.
  • kind/enhancement if this is a a new feature.
  • enterprise if this PR applies to Calico Enterprise only.

[rene-dekker]

Can't we move the GetManager func from manager_controller to the utils package and re-use it? There is no reason that apiserver should throw an error if manager is not present. We should however only fetch it when enterprise CRDs exist and we are not running in cloud.

[rene-dekker]

I see that you moved the func to here, but I also meant to delete this func entirely as well.

[rene-dekker]

I think the code is more clear if we delete this method, remove any notion of "zero tenant" from the code including comments (it's not yargon that is used today) and use the multitenant booleans explicitly at the caller. I think that will be more understandable to the average reader.

[rene-dekker]

I don't think we should leak cloud (internal) implications into the API comments. Our users don't need to be aware/think about those.

[rene-dekker]

What do you think of the following field names?

• Management: Enabled|Disabled
• UI: Enabled|Disabled

or values: Visible | Hidden

[rene-dekker]

nit: This number is not likely to hold up over time, best to keep the comment succinct.

[rene-dekker]

General comment: the AI generated comments in this code are a bit excessive. An extreme example may be the permissions. The func explains in comments twice which permissions are added + the code to add them. They are making the code less readable. And now we need to also keep the comments up to date when we add more. The operator code is not super complicated, I'd much rather have comments be only used if it adds critical information you couldn't get from simply reading the code (or have your ai read it for you).

[rene-dekker]

Could we be more specific with secrets and configmaps and bind them to the namespaces we actually need?

[dimitri-nicolo]

The named-resource access moved to a new Role + RoleBinding in calico-system, where tigera-idp-groups and tigera-idp-ldap-config actually live. The broad create is bound to that one namespace now.

Dropped the tigera-known-oidc-users rule (it lives in tigera-elasticsearch and is already granted by logstorage.go), and tightened the activation gate to !Tenant.MultiTenant() since the IdP resources are pinned to calico-system and the RBAC UI is zero-tenant-only anyway.

Is that what you meant by "bind them to the namespaces we actually need" — or were you pointing at something narrower?

[rene-dekker]

This one should be in a role.