revert(authpolicy): remove openshift-user-allowed from base auth-policy

liangwen12year · liangwen12year · commit a21fb10fcb1b · 2026-04-21T10:30:10.000-04:00
Remove the openshift-user-allowed authorization rule that was added in 7a81db4 but not reverted with the other auth-policy changes. The base auth-policy should match main — functional OIDC changes belong in the OIDC patch template only. Signed-off-by: Wen Liang <liangwen12year@gmail.com>
diff --git a/deployment/base/maas-api/policies/auth-policy.yaml b/deployment/base/maas-api/policies/auth-policy.yaml
@@ -61,21 +61,6 @@ spec:
               operator: eq
               value: "true"
         priority: 0
-      # OpenShift / Kubernetes user tokens: Kuadrant requires every applicable authz rule to
-      # allow. api-key-valid is skipped for non-sk-oai tokens; without this rule those
-      # requests were denied with HTTP 403 after successful TokenReview.
-      # Require auth.identity.user.username (TokenReview / kubernetes userinfo) so external
-      # OIDC JWT flows (oidc-client-bound) are not blocked when that field is absent.
-      openshift-user-allowed:
-        when:
-          - predicate: '!request.headers.authorization.startsWith("Bearer sk-oai-")'
-          - predicate: 'has(auth.identity.user.username)'
-        patternMatching:
-          patterns:
-            - selector: auth.identity.user.username
-              operator: neq
-              value: ""
-        priority: 1
     response:
       success:
         headers:
