opendatahub-io / modelmesh-serving

Controller for ModelMesh
Apache License 2.0
3 stars 31 forks

Use a more fine-grained RBAC check in oauth-proxy #297

Closed israel-hdez closed 2 weeks ago

israel-hdez commented 3 weeks ago

Motivation

ServingRuntimes on a namespace need to be protected individually, rather than allowing/rejecting access to all deployed runtimes in a namespace in conjunction.

Modifications

In oauth-proxy, instead of checking for GET over Kubernetes Services, do a more fine-grained check over ServingRuntimes: test that the user can GET the ServingRuntime associated with the deployment. This will allow protecting ServingRuntimes individually.

Result

The oauth-proxy will now allow access only if the provided token has GET privileges over a specific ServingRuntime.

PR checklist

Checklist items below are applicable for development targeted to both fast and stable branches/tags
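
The two authorization checks described in this PR, modeled as an added example (not code from this pull request or from oauth-proxy): a simplified RBAC rule matcher evaluates the namespace-wide GET on Services and the per-ServingRuntime GET as SubjectAccessReview resource attributes. The users, role rules, namespace `models` and runtime names are constructed, and the matcher ignores subresources and cluster-scoped rules.

```python
# Added illustration: simplified model of Kubernetes RBAC rule matching.
# Assumes every rule comes from a Role bound in the request's namespace;
# subresources, nonResourceURLs and ClusterRoles are not modeled.

def rule_allows(rule, attrs):
    """True if one RBAC PolicyRule grants the given resourceAttributes."""
    def covers(allowed_values, value):
        return "*" in allowed_values or value in allowed_values
    if not covers(rule["verbs"], attrs["verb"]):
        return False
    if not covers(rule["apiGroups"], attrs.get("group", "")):
        return False
    if not covers(rule["resources"], attrs["resource"]):
        return False
    names = rule.get("resourceNames", [])
    # An empty resourceNames list means every object of that resource.
    # A rule with names never matches a request that carries no name.
    return not names or attrs.get("name", "") in names

def allowed(rules, attrs):
    """True if any rule held by the user grants the request."""
    return any(rule_allows(r, attrs) for r in rules)

def service_check(namespace):
    """Coarse check the PR replaces: GET on Services in the namespace."""
    return {"namespace": namespace, "verb": "get", "group": "",
            "resource": "services"}

def runtime_check(namespace, runtime):
    """Fine-grained check the PR proposes: GET on one named ServingRuntime."""
    return {"namespace": namespace, "verb": "get", "group": "serving.kserve.io",
            "resource": "servingruntimes", "name": runtime}

# Constructed Role rules for two hypothetical users in namespace "models".
ALICE = [{"apiGroups": ["serving.kserve.io"], "resources": ["servingruntimes"],
          "verbs": ["get"], "resourceNames": ["runtime-a"]}]
BOB = [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}]

if __name__ == "__main__":
    for user, rules in (("alice", ALICE), ("bob", BOB)):
        print(user, "services:", allowed(rules, service_check("models")))
        for rt in ("runtime-a", "runtime-b"):
            print(user, rt + ":", allowed(rules, runtime_check("models", rt)))
```

With the Service check, any token that can GET Services in the namespace reaches every runtime there; with the ServingRuntime check, a grant limited by `resourceNames` reaches only the named runtime.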

openshift-ci[bot] commented 3 weeks ago

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

openshift-ci[bot] commented 3 weeks ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: israel-hdez

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/opendatahub-io/modelmesh-serving/blob/main/OWNERS)~~ [israel-hdez]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment

israel-hdez commented 2 weeks ago

Closing PR. It does not work.