[SREP-3298] Add read-only SREP ServiceAccount RBAC for AI agents #2634

Open
xiaoyu74 wants to merge 1 commit into openshift:master from xiaoyu74:SREP-3298-RO-SA-RBAC
xiaoyu74 commented Feb 1, 2026

What type of PR is this?

(feature)

What this PR does / why we need it?

This commit introduces read-only backplane access for SREP team members and AI agents, enabling cluster diagnostics without write capabilities.

Which Jira/Github issue(s) this PR fixes?

https://issues.redhat.com/browse/SREP-3298

Special notes for your reviewer:

Components Added:

  • Namespace: openshift-backplane-srep-ro
  • ClusterRole: backplane-srep-ro-readers-cluster (cluster-scoped read perms)
  • ClusterRole: backplane-srep-ro-readers-project (namespace-scoped read perms)
  • SubjectPermission: backplane-srep-ro (RBAC binding via group)

Key Features:

  • Strictly read-only: Only get/list/watch verbs
  • No write operations: No create/update/patch/delete
  • No privileged operations: No exec/portforward/eviction

Generated Files:

  • SelectorSyncSets for integration/production/stage environments

P.S
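
One way to check a ClusterRole against the read-only policy stated in the description above (only get/list/watch, no exec/portforward/eviction). This is an added example, not code from the pull request or the openshift project; `audit_cluster_role` is a hypothetical helper and both roles are constructed samples, not the PR's manifests.

```python
# Added example: audit ClusterRole rules against a read-only policy.
READ_VERBS = {"get", "list", "watch"}
# Subresources the PR description names as privileged operations.
PRIVILEGED_SUBRESOURCES = {"exec", "portforward", "eviction"}


def audit_cluster_role(role):
    """Return (rule_index, reason) findings for one ClusterRole dict."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        # Any verb outside get/list/watch (including "*") breaks read-only.
        extra = sorted(set(rule.get("verbs") or []) - READ_VERBS)
        if extra:
            findings.append((i, "non-read verbs: " + ",".join(extra)))
        for res in rule.get("resources") or []:
            if res == "*":
                # A bare wildcard matches every resource and subresource.
                findings.append((i, "wildcard resource also matches subresources"))
                continue
            _, _, sub = res.partition("/")
            # Flag privileged subresources whatever the verb is (conservative).
            if sub == "*" or sub in PRIVILEGED_SUBRESOURCES:
                findings.append((i, "privileged subresource: " + res))
    return findings


# Constructed sample: passes the policy.
GOOD_ROLE = {"kind": "ClusterRole", "metadata": {"name": "example-ro-good"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "nodes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch"]},
]}

# Constructed sample: three rules that each violate the policy.
BAD_ROLE = {"kind": "ClusterRole", "metadata": {"name": "example-ro-bad"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "patch"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]}

if __name__ == "__main__":
    for role in (GOOD_ROLE, BAD_ROLE):
        print(role["metadata"]["name"], audit_cluster_role(role))
```
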

@openshift-ci openshift-ci bot requested review from Tof1973 and abyrne55 February 1, 2026 22:14

openshift-ci bot commented Feb 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xiaoyu74

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 1, 2026

openshift-ci bot commented Feb 1, 2026

@xiaoyu74: all tests passed!

Full PR test history. Your PR dashboard.



xiaoyu74 commented Feb 2, 2026

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 2, 2026