Use-case is the following:

 - we provide egress functionality to customers in an automated way (egress: call external services either on the internet or in core it/company internal network, and this per tenant) 

- customer creates configmap with configuration, a controller listens to configmap changes and deploys a proxy (squid or haproxy) to a shadow project of the customers main project (this was necessary because of flexibility of nodeselector... service on internet -> proxy needs to be deployed on a node that has access to the internet, service in core it of specific customer -> deploy proxy to node that has access over vpn to that customers core it) 

- in order for the customer to see if the proxies are running or to have a look at the logs of the proxies, we give view rights on the shadow projects (everyone or every group that has any right on the main project is taken over to the shadow project as viewer only) 

- the controller I implemented creates the shadow project when the first proxy is needed (the projects are peered, meaning set netid on shadow project equal to the netid of the main project, by the way: netnamespace in openshift provides this and netnamespace does not exist in fabric8 client, I did an own implementation) 

- so when the shadow namespace is created, rolebindings are taken over as view 

- changes in rolebindings

Watching roles and rolebindings will be supported once we collapse onto the kubernetes RBAC API types. That is currently planned for the 3.7-3.8 timeframe.

Thanks Jordan for the quick feedback on where this fits in the roadmap.

Do we know if this functionality is still on track for the 3.7 OCP release?

In 3.7 we migrated to use Kubernetes RBAC, which is backed by actual objects. So watching RBAC Role Bindings should just work.

Thanks for the quick update, will see if things just work with the 3.7 release!

Shipped in GA