
add a role to fix clusterrolebindings for groups and remove kubeadmin secret

Grega Bremec hai 1 mes
pai
achega
8f9df97b45

+ 4 - 0
p0f/operators/roles/setup-authz/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# Variables that are usually overridden.
+kubeadmin_config: "tmp/kubeconfig-ocp4"
+...

+ 21 - 0
p0f/operators/roles/setup-authz/tasks/create-crb.yml

@@ -0,0 +1,21 @@
+---
+- name: Create cluster role bindings.
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: rbac.authorization.k8s.io/v1
+    kind: clusterrolebinding
+    name: group-{{ group }}-is-{{ item }}
+    resource_definition:
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: "{{ item }}"
+      subjects:
+      - apiGroup: rbac.authorization.k8s.io
+        kind: Group
+        name: "{{ group }}"
+  loop: "{{ openshift.role_assignments[group] }}"
+  loop_control:
+    label: "{{ group }} -> {{ item }}"
+...
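Review bot: `validate_certs: no` on the kubernetes.core.k8s task disables TLS verification for the API-server connection that carries the kubeadmin kubeconfig, so a spoofed endpoint could capture cluster-admin credentials; the same line recurs in the kubeadmin-removal task in tasks/main.yml. The installer-written kubeconfig already embeds the cluster CA, so the line can simply be dropped (the module default is to verify), or gated behind a variable that defaults to true, e.g. `validate_certs: "{{ validate_certs | default(true) }}"`. Two style points in the same task: `no` should be spelled `false` (yamllint truthy), and the templated resource name should be quoted like the other templated values, `name: "group-{{ group }}-is-{{ item }}"`.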

+ 35 - 0
p0f/operators/roles/setup-authz/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+# Ensures groups are associated with relevant cluster roles.
+#
+# Required variables (some are reused from deploy-rhbk role):
+#
+# openshift:
+#   role_assignments:   a dictionary of group / list-of-roles mappings
+#     groupname:
+#       - role1
+#       - role2
+#   remove_kubeadmin:   whether to remove kubeadmin secret (make sure someone
+#                       has cluster-admin rights before doing this)
+#
+# Optional variables:
+#
+#   kubeadmin_config          the administrator kubeconfig file (tmp/kubeconfig-ocp4)
+#
+- name: Iterate over defined groups in role_assignments
+  ansible.builtin.include_tasks:
+    file: tasks/create-crb.yml
+  loop: "{{ openshift.role_assignments.keys() }}"
+  loop_control:
+    loop_var: group
+
+- name: Remove kubeadmin secret if requested
+  kubernetes.core.k8s:
+    kubeconfig: "{{ kubeadmin_config }}"
+    validate_certs: no
+    api_version: v1
+    kind: secret
+    namespace: kube-system
+    name: kubeadmin
+    state: absent
+  when: openshift.remove_kubeadmin | default(no)
+...
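Review bot: `when: openshift.remove_kubeadmin | default(no)` does not fall back to false as far as I can tell — in Jinja `no` is not a boolean literal but an undefined variable, so when `remove_kubeadmin` is unset the conditional raises an undefined-variable error instead of skipping the task; write `when: openshift.remove_kubeadmin | default(false)`. Because this task deletes the only bootstrap admin credential, it would be worth preceding it with an ansible.builtin.assert that `cluster-admin` appears in at least one list in `openshift.role_assignments`, since the header comment only asks the operator to ensure that and nothing enforces it. `loop: "{{ openshift.role_assignments.keys() }}"` yields a dict_keys view rather than a list, which some Ansible versions reject for `loop`; `loop: "{{ openshift.role_assignments | list }}"` is the safer spelling. The `validate_certs: no` here has the same problem raised on create-crb.yml.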