Extend project-robbie RBAC across all project-robbie projects

Configure consistent RBAC in all project-robbie namespaces:

- project-robbie-6f75ac
- project-robbie-8dd79e
- project-robbie-b4784c

These changes included custom configuration for the Kustomize namespace
transformer so that it will update the namespace for all subjects listed in
the RoleBindings. See [1] for an example configuration, and [2] for what
passes for documentation.

[1]: kubernetes-sigs/kustomize#629 (comment)
[2]: kubernetes-sigs/kustomize#4704

cluster-scope/overlays/nerc-ocp-prod/rolebindings/kustomization.yaml

@@ -1,4 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- project-robbie-6f75ac
+- project-robbie-8dd79e
 - project-robbie-b4784c

cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- project-robbie-allow-sys-admin.yaml
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: NamespaceTransformer
+  metadata:
+    name: notImportantHere
+    namespace: project-robbie-6f75ac
+  setRoleBindingSubjects: allServiceAccounts
+  fieldSpecs:
+  - path: metadata/namespace
+    create: true

cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/project-robbie-allow-sys-admin.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: project-robbie-allow-sys-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nerc-allow-sys-admin
+subjects:
+- kind: ServiceAccount
+  name: robbie-job-runner

cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- project-robbie-allow-sys-admin.yaml
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: NamespaceTransformer
+  metadata:
+    name: notImportantHere
+    namespace: project-robbie-8dd79e
+  setRoleBindingSubjects: allServiceAccounts
+  fieldSpecs:
+  - path: metadata/namespace
+    create: true

cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/project-robbie-allow-sys-admin.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: project-robbie-allow-sys-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nerc-allow-sys-admin
+subjects:
+- kind: ServiceAccount
+  name: robbie-job-runner

cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/kustomization.yaml

@@ -1,5 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: project-robbie-b4784c
 resources:
 - project-robbie-allow-sys-admin.yaml
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: NamespaceTransformer
+  metadata:
+    name: notImportantHere
+    namespace: project-robbie-b4784c
+  setRoleBindingSubjects: allServiceAccounts
+  fieldSpecs:
+  - path: metadata/namespace
+    create: true

cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/project-robbie-allow-sys-admin.yaml

@@ -8,5 +8,4 @@ roleRef:
   name: nerc-allow-sys-admin
 subjects:
 - kind: ServiceAccount
-  namespace: project-robbie-b4784c
   name: robbie-job-runner