migtools / oadp-non-admin

OADP Non Admin Controller
Apache License 2.0

Create role and role binding that will ensure user who requested NonAdminBackup has access to the VeleroBackup #7

Open mpryc opened 7 months ago

mpryc commented 7 months ago

The idea is to create a privilege for the user who created the NonAdminBackup that resulted in the VeleroBackup creation.

K8s doesn't allow obtaining information about the requester (owner) of the NonAdminBackup within the Reconcile loop.

In the current implementation we know:

In order to add permissions for the user who requested a VeleroBackup via NonAdminBackup, we need to create a Role and RoleBinding within the namespace where the VeleroBackup will live. Below is an example of a viewer Role that gives explicit permissions to the nab-nacproject-c3499c2729730a object, followed by the RoleBinding which adds that Role to the user nacuser. Everything happens in the openshift-adp namespace, where VeleroBackup objects are currently created:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: openshift-adp
  name: backup-viewer
rules:
- apiGroups: ["velero.io"]
  resources: ["backups"]
  resourceNames: ["nab-nacproject-c3499c2729730a"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: backup-viewer-binding
  namespace: openshift-adp
subjects:
- kind: User
  name: nacuser
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: backup-viewer
  apiGroup: rbac.authorization.k8s.io

In order to achieve this in an automated fashion, we need to create the RoleBinding, and possibly the Role as well, in advance, before our original VeleroBackup is created, as an admission webhook that is aware of the user who is requesting the VeleroBackup via NonAdminBackup, and then associate the VeleroBackup as an owner, so that the Role and RoleBinding are cleaned up after the VeleroBackup is removed.
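The design above, as an added example in Go that is not code from this issue or from the oadp-non-admin project: it generates the per-backup Role and RoleBinding as unstructured maps (the form a dynamic client accepts) with an ownerReference to the VeleroBackup for garbage collection, plus a guard that refuses any Role that is not pinned by resourceNames to read-only verbs. The function names, the VeleroBackup UID and the user are assumptions or constructed placeholders.

```go
package main

import "fmt"

// ViewerRBAC builds the per-backup Role and RoleBinding as unstructured maps: the Role is
// pinned by resourceNames to one backup with read-only verbs, the binding names only the
// requester, and both carry an ownerReference to the VeleroBackup so GC deletes them with it.
func ViewerRBAC(ns, backup, uid, user string) (role, binding map[string]any) {
	rbac := "rbac.authorization.k8s.io"
	owner := map[string]any{"apiVersion": "velero.io/v1", "kind": "Backup", "name": backup, "uid": uid}
	meta := func(n string) map[string]any { return map[string]any{"name": n, "namespace": ns, "ownerReferences": []any{owner}} }
	role = map[string]any{
		"apiVersion": rbac + "/v1", "kind": "Role", "metadata": meta(backup + "-viewer"),
		"rules": []any{map[string]any{
			"apiGroups": []any{"velero.io"}, "resources": []any{"backups"},
			"resourceNames": []any{backup}, "verbs": []any{"get", "list", "watch"},
		}},
	}
	binding = map[string]any{
		"apiVersion": rbac + "/v1", "kind": "RoleBinding", "metadata": meta(backup + "-viewer-binding"),
		"subjects": []any{map[string]any{"kind": "User", "name": user, "apiGroup": rbac}},
		"roleRef":  map[string]any{"kind": "Role", "name": backup + "-viewer", "apiGroup": rbac},
	}
	return role, binding
}

// ReadOnlyScoped guards Role creation: every rule must pin resourceNames and use only
// get/list/watch, so a controller bug can never hand a non-admin user a wider Role.
func ReadOnlyScoped(role map[string]any) bool {
	rules, _ := role["rules"].([]any)
	for _, r := range rules {
		rule, _ := r.(map[string]any)
		if names, _ := rule["resourceNames"].([]any); len(names) == 0 {
			return false
		}
		verbs, _ := rule["verbs"].([]any)
		for _, v := range verbs {
			if v != "get" && v != "list" && v != "watch" {
				return false
			}
		}
	}
	return len(rules) > 0
}

func main() {
	// Constructed sample input; a controller takes name/UID from the VeleroBackup it created and the user from admission userInfo.
	role, binding := ViewerRBAC("openshift-adp", "nab-nacproject-c3499c2729730a", "placeholder-uid", "nacuser")
	fmt.Printf("%v\n%v\nreadOnlyScoped=%v\n", role, binding, ReadOnlyScoped(role))
}
```

Note that a resourceNames rule authorizes a get of the named backup; a bare list or watch of the whole backups collection without a metadata.name field selector is not matched by it, so non-admin clients should fetch their backup by name.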

mpryc commented 7 months ago

@weshayutin @mateusoliveira43 @shubham-pampattiwar FYI, currently working on this part; let me know if there are any suggestions on the above design.