allow rbac rolebindings to be disabled

[tomhaynes]

allow rbac rolebindings to be disabled

• this allows for external configuration of these, for instance for more locked-down permissioning

[Copilot]

Pull request overview

This PR introduces a configuration option to disable RBAC ClusterRole and ClusterRoleBinding resources, allowing users to manage RBAC permissions externally for more controlled security configurations.

Key Changes:

• Added rbac.clusterRoleEnabled configuration flag (defaults to true)
• Modified RBAC templates to conditionally render based on the new flag
• Added comprehensive test coverage for the new functionality

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
helm/kagent/values.yaml	Adds new RBAC configuration section with clusterRoleEnabled toggle
helm/kagent/templates/rbac/clusterrole.yaml	Wraps ClusterRole resource with conditional rendering based on rbac.clusterRoleEnabled
helm/kagent/templates/rbac/clusterrolebinding.yaml	Wraps ClusterRoleBinding resource with conditional rendering based on rbac.clusterRoleEnabled
helm/kagent/tests/rbac_test.yaml	Adds test cases to verify conditional rendering of RBAC resources

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[dimetron]

if .Values.rbac.clusterRoleEnabled -> can we create namespace level rbac instead ?

[tomhaynes]

@dimetron yes this is what I'm doing locally.. with this I thought it might be easier to just disable rbac management rather than trying to pre-suppose how others want it configured.

[EItanya]

@dimetron yes this is what I'm doing locally.. with this I thought it might be easier to just disable rbac management rather than trying to pre-suppose how others want it configured.

So I think it may be helpful for us to understand how you're configuring Namespaced RBAC, and then maybe we can design a system for that as a complement to cluster scoped.