rbac-permissions-operator
by
openshift

Description: Operator to manage RBAC permissions for groups across subsets of namespaces

View openshift/rbac-permissions-operator on GitHub ↗

Summary Information

Updated 41 minutes ago
Added to GitGenius on March 7th, 2026
Created on June 14th, 2019
Open Issues/Pull Requests: 12 (+0)
Number of forks: 64
Total Stargazers: 34 (+0)
Total Subscribers: 38 (+0)

Detailed Description

The RBAC Permissions Operator is a Kubernetes operator built for the OpenShift Dedicated platform. Its job is to automate the management of Role-Based Access Control (RBAC) permissions across namespaces in an OpenShift cluster. It addresses the problem of applying and maintaining RBAC policy consistently, in particular for groups that need access to many projects or namespaces at once.

The operator's core purpose is to make granting permissions simple and repeatable: the right RoleBindings are created in the right namespaces according to rules declared up front. It does this with two controllers, the Namespace Controller and the SubjectPermission Controller. The Namespace Controller watches for newly created namespaces. When a namespace appears, it tests the namespace name against the regular expressions in `NamespacesAllowedRegex` and `NamespacesDeniedRegex`. If the name matches the allowed expression and is not excluded by the denied expression, the controller creates the required RoleBindings in that namespace, granting the configured cluster role to the designated subject (for example a user or group).

The SubjectPermission Controller creates and updates ClusterRoleBindings and RoleBindings in response to changes to SubjectPermission custom resources (CRs). When a SubjectPermission CR is created or modified, the controller reads the subject (for example a group), the cluster roles to grant, and the namespace rules the permissions apply to. It then creates or updates the corresponding ClusterRoleBindings and RoleBindings so that the cluster's bindings match the declared configuration. Together the two controllers cover both cluster-wide grants and namespace-scoped grants.

A key feature of the operator is namespace filtering by regular expression. The `NamespacesAllowedRegex` and `NamespacesDeniedRegex` parameters define which namespaces receive RoleBinding assignments, so administrators can scope a grant precisely and keep it out of sensitive namespaces such as those used for infrastructure or cluster administration. This is the main safeguard against accidental privilege escalation, so the expressions deserve care: an unanchored pattern matches as a substring, so an allowed expression like `team-a` would also match a namespace named `not-team-a-scratch`, and a denied expression that omits a prefix such as `openshift-` or `kube-` leaves those namespaces open to the grant.
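The following Go program is an added example, not code from the rbac-permissions-operator project. It models the evaluation the two controllers described above perform: the allow/deny regex check on a namespace name, and the computation of the ClusterRoleBindings and RoleBindings a SubjectPermission should produce. The struct and field names, the decision to anchor every expression, the rule that an empty allowed expression matches nothing and that a deny match overrides an allow match, and the sample namespaces and roles are all assumptions made for the illustration; the real operator emits `rbac.authorization.k8s.io` objects through the Kubernetes API rather than the plain records used here.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Permission mirrors one per-namespace entry of the CR described on the page:
// a cluster role plus allow/deny regexes over namespace names.
// Field names are this example's own, not the operator's CRD schema.
type Permission struct {
	ClusterRoleName        string
	NamespacesAllowedRegex string
	NamespacesDeniedRegex  string
}

// SubjectPermission is a simplified stand-in for the SubjectPermission CR.
type SubjectPermission struct {
	SubjectKind        string
	SubjectName        string
	ClusterPermissions []string     // cluster roles bound cluster-wide
	Permissions        []Permission // cluster roles bound per matching namespace
}

// RoleBinding and ClusterRoleBinding are minimal records of what the
// controllers would create; the real objects live in rbac.authorization.k8s.io.
type RoleBinding struct {
	Namespace, Name, ClusterRole, SubjectKind, SubjectName string
}
type ClusterRoleBinding struct {
	Name, ClusterRole, SubjectKind, SubjectName string
}

// anchored forces a full-string match. Without this, an allowed expression
// such as "team-a" would also match "not-team-a-scratch".
func anchored(expr string) (*regexp.Regexp, error) {
	return regexp.Compile("^(?:" + expr + ")$")
}

// NamespaceEligible applies the allowed regex, then the denied regex.
// Assumptions: an empty allowed regex matches nothing, an empty denied regex
// denies nothing, and a deny match always wins over an allow match.
func NamespaceEligible(ns string, p Permission) (bool, error) {
	if p.NamespacesAllowedRegex == "" {
		return false, nil
	}
	allow, err := anchored(p.NamespacesAllowedRegex)
	if err != nil {
		return false, fmt.Errorf("allowed regex %q: %w", p.NamespacesAllowedRegex, err)
	}
	if !allow.MatchString(ns) {
		return false, nil
	}
	if p.NamespacesDeniedRegex == "" {
		return true, nil
	}
	deny, err := anchored(p.NamespacesDeniedRegex)
	if err != nil {
		return false, fmt.Errorf("denied regex %q: %w", p.NamespacesDeniedRegex, err)
	}
	return !deny.MatchString(ns), nil
}

// Reconcile computes the desired bindings for one SubjectPermission over the
// namespaces that currently exist. The Namespace Controller would run the same
// per-namespace check for a single newly created namespace.
func Reconcile(sp SubjectPermission, namespaces []string) ([]ClusterRoleBinding, []RoleBinding, error) {
	var crbs []ClusterRoleBinding
	for _, role := range sp.ClusterPermissions {
		crbs = append(crbs, ClusterRoleBinding{Name: sp.SubjectName + "-" + role,
			ClusterRole: role, SubjectKind: sp.SubjectKind, SubjectName: sp.SubjectName})
	}
	var rbs []RoleBinding
	for _, p := range sp.Permissions {
		for _, ns := range namespaces {
			ok, err := NamespaceEligible(ns, p)
			if err != nil {
				return nil, nil, err // a bad expression must fail closed, not grant nothing silently
			}
			if ok {
				rbs = append(rbs, RoleBinding{Namespace: ns, Name: sp.SubjectName + "-" + p.ClusterRoleName,
					ClusterRole: p.ClusterRoleName, SubjectKind: sp.SubjectKind, SubjectName: sp.SubjectName})
			}
		}
	}
	// Deterministic order so repeated reconciles produce identical output.
	sort.SliceStable(rbs, func(i, j int) bool {
		if rbs[i].Namespace != rbs[j].Namespace {
			return rbs[i].Namespace < rbs[j].Namespace
		}
		return rbs[i].ClusterRole < rbs[j].ClusterRole
	})
	return crbs, rbs, nil
}

// ExampleSubjectPermission is a constructed CR: admin on the team's own
// namespaces, view everywhere except system namespaces. Role names are hypothetical.
func ExampleSubjectPermission() SubjectPermission {
	return SubjectPermission{
		SubjectKind: "Group", SubjectName: "team-a-devs",
		ClusterPermissions: []string{"team-a-cluster-reader"},
		Permissions: []Permission{
			{ClusterRoleName: "admin", NamespacesAllowedRegex: "team-a.*"},
			{ClusterRoleName: "view", NamespacesAllowedRegex: ".*",
				NamespacesDeniedRegex: "default|kube-.*|openshift-.*"},
		},
	}
}

// ExampleNamespaces is a constructed list of namespaces present in the cluster.
func ExampleNamespaces() []string {
	return []string{"default", "kube-system", "openshift-monitoring", "team-a", "team-a-dev", "not-team-a-scratch"}
}

func main() {
	crbs, rbs, err := Reconcile(ExampleSubjectPermission(), ExampleNamespaces())
	if err != nil {
		panic(err)
	}
	for _, b := range crbs {
		fmt.Printf("ClusterRoleBinding %s -> %s %s/%s\n", b.Name, b.ClusterRole, b.SubjectKind, b.SubjectName)
	}
	for _, b := range rbs {
		fmt.Printf("RoleBinding %s/%s -> %s\n", b.Namespace, b.Name, b.ClusterRole)
	}
}
```

Running it shows `admin` bound only in `team-a` and `team-a-dev`, `view` bound in every non-system namespace including `not-team-a-scratch`, and no binding at all in `default`, `kube-system` or `openshift-monitoring`. Dropping the `anchored` wrapper is the instructive change: `team-a` then also picks up `not-team-a-scratch` for `admin`.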

The operator is driven by a custom resource definition (CRD) called `SubjectPermission`. A `SubjectPermission` CR specifies the subject's kind (for example Group), the subject's name, the cluster roles to assign, and the regular expressions for allowed and denied namespaces. Because the whole grant is declared in one resource, permissions can be reviewed, versioned and updated like any other cluster configuration.

The design centres on automation and consistency. By creating and maintaining RBAC bindings itself, the operator removes a class of manual mistakes and keeps permissions uniform across all namespaces, which matters most in large OpenShift environments where hand-managed RBAC is slow and error-prone. The workflow diagram in the project's documentation shows how the two controllers and the custom resources interact.

