https://issues.redhat.com/browse/ACM-23588 validate spec for cluster permissions

governance/template_functions.adoc

@@ -152,7 +152,7 @@ View the following example of the configuration policy that enforces a Kubernete
 apiVersion: policy.open-cluster-management.io/v1
 kind: ConfigurationPolicy
 metadata:
-  name: demo-clusterclaims (1)
+  name: demo-clusterclaims <1>
 spec:
   object-templates:
   - objectDefinition:
@@ -161,7 +161,7 @@ spec:
       data:
         something: '{{ default "empty" (lookupClusterClaim "possibly.nonexistent") }}'
 ----
-<1>  When the `possibly.nonexistent` `ClusterClaim` is found, its value gets used in the ConfigMap. If the `ClusterClaim` does not exist, `empty` gets used instead through the `default` function that is provided by Sprig. 
+<1> When the `possibly.nonexistent` `ClusterClaim` is found, its value gets used in the ConfigMap. If the `ClusterClaim` does not exist, `empty` gets used instead through the `default` function that is provided by Sprig. 
 
 [#lookup-func]
 === _lookup_

release_notes/acm_new.adoc

@@ -62,6 +62,8 @@ For new features that are related to {mce-short}, see link:../clusters/release_n
 
 For cluster management with {acm-short}, see the following new features and enhancements:
 
+- You can now enable the `validate` specification to check the accuracy of your `Role` and `ClusterRole` resources. For more information, see link:../secure_clusters/cluster_val.adoc#enable-cluster-val[Enabling validation for cluster permissions].
+
 - You can now enable role-based access control for cluster management to create multiple cluster role bindings for your `ClusterPermission` resources. For more details, see link:../secure_cluster/rbac_implement_rhacm.adoc[Implementing role-based access control].
 
 

secure_clusters/cluster_val.adoc

@@ -0,0 +1,52 @@
+[#enable-cluster-val]
+= Enabling validation for cluster permissions
+
+Enable the `validate` specification within your `ClusterPermission` resources to check the accuracy of your `Role` and `ClusterRole` resources.
+
+*Required access:* Cluster administrator
+
+Complete the following steps:
+
+. Create a `ClusterPermission` resource where you set the `validate` specification to `true`.Define the `roleBindings` and `clusterRoleBinding` that you want to validate.  
++
+Your YAML file might resemble the following example where you configure the `ClusteerRole` to validate the `edit` `ClusterRole` for the `sa-sample-existing` `ServiceAccount`, and the `view` `ClusterRole` for `Group1`:
+
++
+[source,yaml]
+----
+apiVersion: rbac.open-cluster-management.io/v1alpha1
+kind: ClusterPermission
+metadata:
+  name: clusterpermission-validate-sample
+spec:
+  validate: true
+  roleBindings:
+    - name: default-existing
+      namespace: default
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: edit
+      subject:
+        namespace: openshift-gitops
+        kind: ServiceAccount
+        name: sa-sample-existing
+  clusterRoleBinding:
+      name: crb-cluster1-argo-app-con-3-existing
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: view
+      subject:
+        apiGroup: rbac.authorization.k8s.io
+        kind: Group
+        name: group1
+----
+
+. Apply your `clusterpermission-validate-sample` `ClusterPermission` by running the following command:
+
++
+[source,bash]
+----
+oc apply clusterpermission-validate-sample.yaml
+----

secure_clusters/main.adoc

@@ -10,4 +10,5 @@ include::fine_grain_rbac_cli.adoc[leveloffset=+2]
 include::certificates.adoc[leveloffset=+2]
 include::cert_manage.adoc[leveloffset=+2]
 include::cert_byo.adoc[leveloffset=+2]
+include::cluster_val.adoc[leveloffset=+2]