Can't define users with helm install permissions for a specific namespace

What happened?

I am trying to setup a user that will have permissions to run Helm install/upgrade/delete on a specific namespace. (For my CI/CD system.) For example, if the user tries to run a helm upgrade --install with --namespace=dev then it works just fine. But if they try --namespace=prod it should fail.

however, i couldn’t make it work with rbac-manager and getting error that the user need higher priviledges error message is: "cannot create resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope"

This is the setup im using:

- name: dev-user
    subjects:
      - kind: User
        name: dev@example.com
    clusterRoleBindings:
      - clusterRole: edit
    roleBindings:
      - clusterRole: admin
        namespaceSelector:
          matchExpressions:
            - { key: team, operator: In, values: [ dev] }

if i change in clusterRoleBindings clusterRole to: cluster-admin, it works, but no restriction to a specific namespace. command can run on any namespace

What did you expect to happen?

helm upgrade/install runs ok on namespace with label "dev" helm upgrade/install fails on namespace with label "prod"

How can we reproduce this?

helm install awx-operator awx-operator/awx-operator -n dev-namespace Error: INSTALLATION FAILED: failed to install CRD crds/customresourcedefinition-awxbackups.awx.ansible.com.yaml: 1 error occurred:

customresourcedefinitions.apiextensions.k8s.io is forbidden: User "dev@example.com" cannot create resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

Version

awx-operator/awx-operator

Search

[X] I did search for other open and closed issues before opening this.

Code of Conduct

[X] I agree to follow this project's Code of Conduct

Additional context

No response

FairwindsOps / rbac-manager