Add RBAC support for cross-namespace secret reading#6919

Merged
machichima merged 4 commits into flyteorg:master from rohitrsh:feat/flyteconnector-rbac
Mar 10, 2026

Conversation

@rohitrsh
Contributor

Tracking issue

Related to #6911

Why are the changes needed?

The Databricks Spark connector now supports multi-tenant Databricks tokens via cross-namespace K8S secrets, allowing the connector to read Databricks tokens from Kubernetes secrets in workflow namespaces. This enables multi-tenant Databricks access, allowing each Flyte project to use its own Databricks workspace/token.

For this feature to work, the connector's ServiceAccount needs get permission on secrets across namespaces. Currently, the flyteconnector Helm chart creates a ServiceAccount but no RBAC resources (ClusterRole / ClusterRoleBinding), so the connector cannot read secrets from workflow namespaces.

What changes were proposed in this pull request?

New file: templates/connector/rbac.yaml

Adds an optional ClusterRole and ClusterRoleBinding for the flyteconnector ServiceAccount:

  • ClusterRole: configurable rules via values.yaml, defaulting to get on secrets
  • ClusterRoleBinding: binds the ClusterRole to the flyteconnector ServiceAccount
  • Guarded: only created when rbac.enabled: true (default: false for backward compatibility)
  • Follows existing patterns: uses the same naming and label conventions as the rest of the chart

# templates/connector/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "flyte.namespace" . -}}-{{- template "flyteconnector.name" . }}
  labels: {{ include "flyteconnector.labels" . | nindent 4 }}
rules:
  {{- toYaml .Values.rbac.rules | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "flyte.namespace" . -}}-{{- template "flyteconnector.name" . }}
  labels: {{ include "flyteconnector.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "flyte.namespace" . -}}-{{- template "flyteconnector.name" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "flyteconnector.name" . }}
  namespace: {{ template "flyte.namespace" . }}

Updated: values.yaml

Added rbac configuration block:

# -- RBAC configuration for flyteconnector
rbac:
  # -- Should RBAC resources (ClusterRole/ClusterRoleBinding) be created
  enabled: false
  # -- Rules for the ClusterRole
  rules:
    # Allow reading secrets across namespaces (for per-project Databricks token resolution)
    - apiGroups:
        - ""
      resources:
        - secrets
      verbs:
        - get

Key design decisions:

  • enabled: false by default: opt-in, to avoid breaking existing deployments that don't need cross-namespace secret access
  • Only the get verb: least privilege; no list or watch
  • Rules are configurable: operators can customise via values.yaml overrides
  • No resourceNames restriction: supports both the default databricks-token and custom secret names

How was this patch tested?

  1. Template rendering verified with helm template:

helm template ml-flyte charts/flyteconnector/ \
  --set rbac.enabled=true \
  --show-only templates/connector/rbac.yaml

  2. Verified RBAC is disabled by default: no ClusterRole/ClusterRoleBinding is rendered when rbac.enabled is omitted

  3. Verified cross-namespace secret access after applying:

kubectl auth can-i get secrets \
  --as=system:serviceaccount:flyte:flyteconnector \
  -n <workflow-namespace>

  4. End-to-end tested with the Databricks per-project token feature: the connector successfully reads namespace-specific tokens

Setup process

To enable Databricks per-project token support:

# values.yaml override
rbac:
  enabled: true

Then create secrets in workflow namespaces:

kubectl create secret generic databricks-token \
  --from-literal=token='dapi_your_token' \
  --namespace=<workflow-namespace>

Screenshots

N/A (infrastructure-only change)

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

Docs link

N/A
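The design decisions above (get only, no list/watch, no resourceNames) can be checked offline. The following is an added example, not code from the PR or the flyteconnector chart: it holds the chart's default rbac.rules value as Python data, evaluates requests the way kubectl auth can-i would against those rules (a simplified local model, not the API server), and audits a rule set against the PR's stated least-privilege goals. The SCOPED_RULES override and its resourceNames value are constructed for illustration.

```python
# Added example, not code from the PR or the flyteconnector chart: the chart's
# `rbac.rules` value as plain Python data, a simplified local RBAC matcher, and
# an audit of the PR's least-privilege claims. Standard library only.
from typing import Dict, List

Rule = Dict[str, List[str]]

# Same content as the default `rbac.rules` block in the PR's values.yaml.
DEFAULT_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
]

# Assumed operator override (constructed here, not from the PR): same verb, but
# limited to the PR's default secret name `databricks-token` in every namespace.
SCOPED_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
     "resourceNames": ["databricks-token"]},
]


def permits(rules: List[Rule], verb: str, resource: str,
            name: str = "", group: str = "") -> bool:
    """Local can-i model (not the API server): group, resource, verb, and resourceNames if set."""
    for rule in rules:
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        if group not in groups and "*" not in groups:
            continue
        if resource not in resources and "*" not in resources:
            continue
        if verb not in rule.get("verbs", []) and "*" not in rule.get("verbs", []):
            continue
        names = rule.get("resourceNames", [])
        if names and name not in names:
            continue
        return True
    return False


def audit_rules(rules: List[Rule]) -> List[str]:
    """'warn' = breaks the PR's get-only design; 'note' = breadth the PR accepts on purpose."""
    findings = []
    for i, rule in enumerate(rules):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs or "*" in resources or "*" in rule.get("apiGroups", []):
            findings.append(f"warn: rule {i} uses a wildcard grant")
        if "secrets" in resources and verbs - {"get"}:
            findings.append(f"warn: rule {i} grants {sorted(verbs - {'get'})} on secrets")
        if "secrets" in resources and not rule.get("resourceNames"):
            findings.append(f"note: rule {i} has no resourceNames; any secret name is readable")
    return findings
```

With the default rules the only finding is the resourceNames note, which is the trade-off the PR documents; an override that adds list or watch is reported as a warning because those verbs enumerate secrets in every namespace.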

pingsutw
pingsutw previously approved these changes Mar 4, 2026
@codecov

codecov Bot commented Mar 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.56%. Comparing base (5c23907) to head (1a72b74).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #6919   +/-   ##
=======================================
  Coverage   58.55%   58.56%           
=======================================
  Files         701      701           
  Lines       41100    41100           
=======================================
+ Hits        24068    24069    +1     
+ Misses      14911    14910    -1     
  Partials     2121     2121           
Flag Coverage Δ
unittests-datacatalog 53.51% <ø> (ø)
unittests-flytecopilot 43.06% <ø> (ø)
unittests-flytectl 64.02% <ø> (ø)
unittests-flyteidl 75.71% <ø> (ø)
unittests-flyteplugins 60.15% <ø> (ø)
unittests-flytepropeller 53.65% <ø> (ø)
unittests-flytestdlib 63.29% <ø> (+0.02%) ⬆️


…ret reading

Add optional ClusterRole and ClusterRoleBinding to the flyteconnector
Helm chart, enabling the connector to read secrets from workflow
namespaces for per-project Databricks token authentication.

Disabled by default (rbac.enabled: false) for backward compatibility.

Tracking: flyteorg#6911
Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>
Made-with: Cursor
@@ -0,0 +1,27 @@
{{- if .Values.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
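Review bot: the guard at the top of this hunk checks only `.Values.rbac.enabled`, while the next line hard-codes `apiVersion: rbac.authorization.k8s.io/v1`; nest the block under `{{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}` as the chart's flyte-core/propeller/rbac.yaml does, so both the ClusterRole and the ClusterRoleBinding can fall back to v1beta1 on clusters that do not serve v1.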
Member


Should we also use {{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} here?

Contributor Author


Good catch, updated the ClusterRole to use {{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} as well, matching the pattern in flyte-core/propeller/rbac.yaml. Both ClusterRole and ClusterRoleBinding now gracefully fall back to v1beta1 on older clusters.

Address review comment: apply the same rbac.authorization.k8s.io/v1
fallback check to both ClusterRole and ClusterRoleBinding, matching
the pattern used in flyte-core/propeller/rbac.yaml.

Tracking: flyteorg#6911
Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>

@machichima machichima left a comment


LGTM! Thank you!

@machichima
Member

I think the failing test is unrelated to this PR, it also failed on other PRs

@machichima machichima merged commit fb07dc0 into flyteorg:master Mar 10, 2026
53 of 54 checks passed
@welcome

welcome Bot commented Mar 10, 2026

Congrats on merging your first pull request! 🎉

muskan-creates352 pushed a commit to muskan-creates352/flyte that referenced this pull request Apr 15, 2026
* feat(charts/flyteconnector): Add RBAC support for cross-namespace secret reading

Add optional ClusterRole and ClusterRoleBinding to the flyteconnector
Helm chart, enabling the connector to read secrets from workflow
namespaces for per-project Databricks token authentication.

Disabled by default (rbac.enabled: false) for backward compatibility.

Tracking: flyteorg#6911
Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>
Made-with: Cursor

* feat(charts/flyteconnector): Add APIVersions.Has check to ClusterRole

Address review comment: apply the same rbac.authorization.k8s.io/v1
fallback check to both ClusterRole and ClusterRoleBinding, matching
the pattern used in flyte-core/propeller/rbac.yaml.

Tracking: flyteorg#6911
Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>

* chore: Regenerate helm docs and sandbox manifests

Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>

---------

Signed-off-by: Rohit Sharma <rohitrsh@gmail.com>
Co-authored-by: Samhita Alla <aallasamhita@gmail.com>
muskan-creates352 pushed a commit to muskan-creates352/flyte that referenced this pull request Apr 16, 2026