
fix(operator): add mlflow.kubeflow.org RBAC to operator ClusterRole #1286

Merged
jeremyeder merged 2 commits into ambient-code:main from jeremyeder:fix/operator-mlflow-clusterrole
Apr 10, 2026

Conversation

jeremyeder commented Apr 10, 2026

Summary

  • Add mlflow.kubeflow.org/experiments (get, list, update) to the agentic-operator ClusterRole
  • The operator unconditionally grants these permissions in per-session Roles (sessions.go:2557), but its own ClusterRole lacked them
  • K8s RBAC escalation prevention blocked every session Role creation on vteam-stage

Test plan

  • Deploy to vteam-stage and confirm sessions start without the RBAC escalation error
  • Verify operator logs no longer show user "system:serviceaccount:ambient-code:agentic-operator" is attempting to grant RBAC permissions not currently held

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Extended operator permissions to manage MLflow Experiment resources with get, list, and update capabilities.

The operator unconditionally grants mlflow.kubeflow.org/experiments
permissions in per-session Roles, but the operator's own ClusterRole
lacked these permissions. Kubernetes RBAC escalation prevention blocked
every session Role creation on vteam-stage.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

coderabbitai bot commented Apr 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1a6afb95-0da2-4286-9b0e-c69271ed7e91

📥 Commits

Reviewing files that changed from the base of the PR and between 3dd8436 and b0f5b83.

📒 Files selected for processing (1)
  • components/manifests/base/rbac/operator-clusterrole.yaml

📝 Walkthrough

The agentic-operator ClusterRole in the RBAC manifest was extended with a new permission rule. The rule grants get, list, and update operations on MLflow Experiment custom resources in the mlflow.kubeflow.org API group.

Changes

| Cohort / File(s) | Summary |
|---|---|
| RBAC Configuration: components/manifests/base/rbac/operator-clusterrole.yaml | Added RBAC rule granting get, list, update verbs on experiments resource in mlflow.kubeflow.org API group for the agentic-operator ClusterRole. |

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | Title follows Conventional Commits format (fix(operator): description) and accurately summarizes the main change: adding RBAC permissions for mlflow.kubeflow.org to the operator ClusterRole. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Performance And Algorithmic Complexity | ✅ Passed | Static RBAC manifest addition with zero performance implications. No algorithmic, caching, looping, or API call changes introduced. |
| Security And Secret Handling | ✅ Passed | PR modifies only RBAC manifest with no hardcoded secrets, tokens, credentials, or sensitive data. Change is minimal, declarative, and follows least-privilege principles. |
| Kubernetes Resource Safety | ✅ Passed | RBAC addition is safe and follows Kubernetes security best practices with specific non-wildcard permissions on concrete resources. |


jeremyeder marked this pull request as ready for review April 10, 2026 19:50
jeremyeder enabled auto-merge (squash) April 10, 2026 19:51
jeremyeder disabled auto-merge April 10, 2026 20:04
jeremyeder merged commit 5e5f584 into ambient-code:main Apr 10, 2026
16 of 17 checks passed
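
Added example, not code from this PR or from the ambient-code project: a simplified Python model of the Kubernetes RBAC escalation check the PR description refers to, showing why session Role creation was rejected until the operator's own ClusterRole held the experiments permissions. Every rule other than the mlflow.kubeflow.org rule is constructed, and the model leaves out resourceNames, nonResourceURLs and subresource wildcards.

```python
# Added example: simplified model of the Kubernetes RBAC escalation check.
# A Role may be created only if its creator already holds every permission in
# it, or holds the explicit "escalate" verb on roles.
from itertools import product

# The rule named in the PR description.
MLFLOW_RULE = {"apiGroups": ["mlflow.kubeflow.org"],
               "resources": ["experiments"],
               "verbs": ["get", "list", "update"]}

# Constructed stand-in for the operator ClusterRole before the fix; the real
# manifest contents are not shown on the page.
OPERATOR_BEFORE = [
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"],
     "verbs": ["get", "create", "update"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
]
OPERATOR_AFTER = OPERATOR_BEFORE + [MLFLOW_RULE]

# Constructed per-session Role: the mlflow rule plus one rule the operator
# already holds, so only the gap is reported.
SESSION_ROLE = [
    MLFLOW_RULE,
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
]

def expand(rules):
    """Flatten PolicyRules into (apiGroup, resource, verb) tuples."""
    return {t for r in rules
            for t in product(r["apiGroups"], r["resources"], r["verbs"])}

def covers(have, want):
    """A held tuple covers a wanted one field by field; '*' matches anything."""
    return all(h == "*" or h == w for h, w in zip(have, want))

def can_escalate(holder_rules):
    """True if the holder has the explicit 'escalate' verb on roles."""
    return any(covers(h, ("rbac.authorization.k8s.io", "roles", "escalate"))
               for h in expand(holder_rules))

def missing_permissions(holder_rules, requested_rules):
    """Tuples the new Role would grant that its creator does not hold."""
    if can_escalate(holder_rules):
        return []
    held = expand(holder_rules)
    return sorted(w for w in expand(requested_rules)
                  if not any(covers(h, w) for h in held))

if __name__ == "__main__":
    print("before:", missing_permissions(OPERATOR_BEFORE, SESSION_ROLE))
    print("after: ", missing_permissions(OPERATOR_AFTER, SESSION_ROLE))
```

A non-empty result corresponds to the API server rejecting the Role with the "attempting to grant RBAC permissions not currently held" error quoted in the test plan.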