From 2d77dea0d969b635198c2932848f2bb94ce2f31e Mon Sep 17 00:00:00 2001
From: Apoorva Jagtap
Date: Sat, 22 Feb 2025 22:34:58 +0530
Subject: [PATCH 1/2] Replaces Role with ClusterRole for multi_arch strategy

Signed-off-by: Apoorva Jagtap
---
 docs/buildstrategies.md | 5 ++---
 ..._cr.yaml => clusterrole_multiarch_native_buildah_cr.yaml} | 2 +-
 .../rolebinding_multiarch_native_buildah_cr.yaml | 2 +-
 3 files changed, 4 insertions(+), 5 deletions(-)
 rename samples/v1beta1/buildstrategy/multiarch-native-buildah/{role_multiarch_native_buildah_cr.yaml => clusterrole_multiarch_native_buildah_cr.yaml} (95%)

diff --git a/docs/buildstrategies.md b/docs/buildstrategies.md
index ce680d4502..064a7f971c 100644
--- a/docs/buildstrategies.md
+++ b/docs/buildstrategies.md
@@ -116,9 +116,8 @@ coordinate with the orchestrator pod. When all the builds are completed, the orchestrator pod will compose a manifest-list image and push it to the target registry.
-The service account that runs the strategy must be bound to a role able to `create`, `list`, `get` and `watch`
-`batch/v1` `jobs` and `core/v1` `pods` resources.
-The role also needs to allow the `create` verb for the `pods/exec` resource.
+The service account that runs the strategy must be bound to a ClusterRole able to `create`, `list`, `get` and `watch` `batch/v1` `jobs` and `core/v1` `pods` resources.
+The ClusteRole also needs to allow the `create` verb for the `pods/exec` resource.
 Finally, when running in OKD or OpenShift clusters, the service account must be able to use the `privileged` SecurityContextConstraint.
diff --git a/samples/v1beta1/buildstrategy/multiarch-native-buildah/role_multiarch_native_buildah_cr.yaml b/samples/v1beta1/buildstrategy/multiarch-native-buildah/clusterrole_multiarch_native_buildah_cr.yaml
similarity index 95%
rename from samples/v1beta1/buildstrategy/multiarch-native-buildah/role_multiarch_native_buildah_cr.yaml
rename to samples/v1beta1/buildstrategy/multiarch-native-buildah/clusterrole_multiarch_native_buildah_cr.yaml
index ddca2d70e8..72c284553d 100644
--- a/samples/v1beta1/buildstrategy/multiarch-native-buildah/role_multiarch_native_buildah_cr.yaml
+++ b/samples/v1beta1/buildstrategy/multiarch-native-buildah/clusterrole_multiarch_native_buildah_cr.yaml
@@ -1,4 +1,4 @@
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: multiarch-native-buildah-pipeline
diff --git a/samples/v1beta1/buildstrategy/multiarch-native-buildah/rolebinding_multiarch_native_buildah_cr.yaml b/samples/v1beta1/buildstrategy/multiarch-native-buildah/rolebinding_multiarch_native_buildah_cr.yaml
index 5d0f47c8e0..b206f91d98 100644
--- a/samples/v1beta1/buildstrategy/multiarch-native-buildah/rolebinding_multiarch_native_buildah_cr.yaml
+++ b/samples/v1beta1/buildstrategy/multiarch-native-buildah/rolebinding_multiarch_native_buildah_cr.yaml
@@ -4,7 +4,7 @@ metadata:
 name: multiarch-native-buildah-pipeline
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: Role
+ kind: ClusterRole
 name: multiarch-native-buildah-pipeline
 subjects:
 - kind: ServiceAccount
From 3ca961e61630d6ebae1e21432b7cb3d36c745c4a Mon Sep 17 00:00:00 2001
From: Apoorva Jagtap
Date: Tue, 25 Feb 2025 02:53:25 +0530
Subject: [PATCH 2/2] Makes ServiceAccount configurable while applying roleBinding

Signed-off-by: Apoorva Jagtap
---
 docs/buildstrategies.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/docs/buildstrategies.md b/docs/buildstrategies.md
index 064a7f971c..82c82b6bbb 100644
--- a/docs/buildstrategies.md
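Review bot: The manifest now defines a cluster-scoped ClusterRole but carries no statement that it is meant to be granted only through a namespaced RoleBinding; `kind: ClusterRole` is the only visible change and the rules block lies outside the hunk. Per the docs in this series the rules include `create` on `pods/exec`, so a future ClusterRoleBinding to this name would turn a per-namespace build permission into the ability to exec into every pod in the cluster. Add a header comment above `kind: ClusterRole`, e.g. `# Cluster-scoped so one definition serves all namespaces; bind it with a per-namespace RoleBinding, never a ClusterRoleBinding (it grants create on pods/exec).` It is also worth noting in the same comment that `kubectl apply` of a ClusterRole named `multiarch-native-buildah-pipeline` overwrites any existing ClusterRole of that name cluster-wide.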
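Review bot: Switching `roleRef` from `kind: Role` to `kind: ClusterRole` will not apply cleanly in a namespace that already holds the previous sample, because a RoleBinding's roleRef is immutable and the API server rejects the update (assuming the file's kind is still RoleBinding, as its name suggests; that line is outside the hunk). Anyone who applied the old sample is also left with an orphaned namespace-scoped `Role` of the same name that still grants `create` on `pods/exec`, so the docs should tell upgraders to run `kubectl delete rolebinding,role multiarch-native-buildah-pipeline -n <namespace>` before re-applying, or the sample should adopt a new name. The subjects list continues outside the hunk; the second patch in this series suggests rebinding it to the `default` service account, which hands the pod, job and pods/exec permissions to every pod in the namespace that does not set `serviceAccountName`, so a dedicated service account would be the safer fallback to document.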
+++ b/docs/buildstrategies.md
@@ -127,13 +127,26 @@ To install the cluster-scoped strategy, use:
 ```sh
 kubectl apply -f samples/v1beta1/buildstrategy/multiarch-native-buildah/buildstrategy_multiarch_native_buildah_cr.yaml
+kubectl apply -f samples/v1beta1/buildstrategy/multiarch-native-buildah/clusterrole_multiarch_native_buildah_cr.yaml
 ```
 For each namespace where you want to use the strategy, you also need to apply the RBAC rules that allow the service account to run the strategy. If the service account is named `pipeline` (default), you can use:
 ```sh
-kubectl apply -n -f samples/v1beta1/buildstrategy/multiarch-native-buildah/
+kubectl apply -n -f samples/v1beta1/buildstrategy/multiarch-native-buildah/rolebinding_multiarch_native_buildah_cr.yaml
+```
+
+_note_: If `pipeline` service account isn't available in your environment (most likely when using a kind cluster), replace the subjects[0].name to `default`.
+
+```sh
+sed 's/name: pipeline/name: default/' samples/v1beta1/buildstrategy/multiarch-native-buildah/rolebinding_multiarch_native_buildah_cr.yaml| kubectl apply -f -
+```
+
+If you are on OKD platform, apply the following RBAC to use the
+`privileged` SecurityContextConstraint:
+```sh
+kubectl apply -f samples/v1beta1/buildstrategy/multiarch-native-buildah/rolebinding_multiarch_native_buildah_scc_okd_cr.yaml
 ```
 ### Parameters