From 54b2ec717dad6846286f0076c5a202bd347befdc Mon Sep 17 00:00:00 2001 From: Robb Hamilton Date: Wed, 1 Jul 2026 09:38:48 -0400 Subject: [PATCH] OCPBUGS-87201: Fix RoleBindings tab error for non-cluster-admin users When viewing the RoleBindings tab on a project details page, the console unconditionally fetched ClusterRoleBindings at cluster scope, causing a "Restricted access" error for users without cluster-admin permissions. Use an access review to check whether the user can list ClusterRoleBindings. When the check fails (non-cluster-admin), the ClusterRoleBinding watch is omitted, preventing the error. When the check succeeds (cluster-admin), ClusterRoleBindings are fetched regardless of whether a namespace is selected, preserving the "Cluster-wide RoleBindings" Kind filter option on the list page. (cherry picked from commit 214e15cbbb081cdfebb33067db417bbce56ba4be) Co-Authored-By: Claude Opus 4.6 --- frontend/public/components/RBAC/bindings.tsx | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/frontend/public/components/RBAC/bindings.tsx b/frontend/public/components/RBAC/bindings.tsx index c547cde08d7..d58bc1b5dba 100644 --- a/frontend/public/components/RBAC/bindings.tsx +++ b/frontend/public/components/RBAC/bindings.tsx @@ -345,6 +345,11 @@ export const RoleBindingsPage: React.FCC = ({ }`, }) => { const { t } = useTranslation(); + const canListClusterRoleBindings = useAccessReview({ + group: ClusterRoleBindingModel.apiGroup, + resource: ClusterRoleBindingModel.plural, + verb: 'list', + }); const watchResources = React.useMemo( () => mock @@ -356,13 +361,15 @@ export const RoleBindingsPage: React.FCC = ({ namespace, isList: true, }, - ClusterRoleBinding: { - kind: 'ClusterRoleBinding', - namespaced: false, - isList: true, - }, + ...(canListClusterRoleBindings && { + ClusterRoleBinding: { + kind: 'ClusterRoleBinding', + namespaced: false, + isList: true, + }, + }), }, - [mock, namespace], + [canListClusterRoleBindings, mock, namespace], ); const resources = useK8sWatchResources(watchResources);