| While I was doing a quick test of provisioning mobile services, I noticed that I am getting errors in the MDC console after I created a new app using a normal user (evals01). The errors are like this:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "iosvariants.push.aerogear.org is forbidden: User \"evals01\" cannot list iosvariants.push.aerogear.org at the cluster scope: no RBAC policy matched",
  "reason": "Forbidden",
  "details": {
    "group": "push.aerogear.org",
    "kind": "iosvariants"
  },
  "code": 403
}
The same happens for the requests to list iosvariants custom resources as well. After investigation, I believe the problem is that we are missing the namespace value on the variants custom resources, and that is causing the request to list resources at the cluster level rather than just in the current namespace (the role & rolebinding only allow listing custom resources in the mdc namespace). See https://github.com/aerogear/mobile-developer-console/blob/master/src/services/crmanagers/PushVariantResourceManager.js#L67. There is also an error related to keycloakrealm, but that is because the role is set on the wrong custom resource type; I will create another issue for this. |
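
The scoping behaviour described in this issue, as an added JavaScript example that is not part of the original report or of the mobile-developer-console code: it shows how a missing namespace turns a list request into a cluster-scope request that a namespaced Role and RoleBinding can never authorize. The API version `v1alpha1`, the function names and the simplified binding object are assumptions; the group, kind, user and `mdc` namespace come from the report.

```javascript
// Added example. API_VERSION and all function names are assumptions;
// group, kind, user and the "mdc" namespace are taken from the issue text.
const API_VERSION = "v1alpha1";

// Build the Kubernetes REST path for listing a custom resource.
// With no namespace the path is the cluster-scope one, which is how a
// missing namespace field silently widens the request.
function listPath(res) {
  const base = `/apis/${res.group}/${res.version}`;
  return res.namespace
    ? `${base}/namespaces/${res.namespace}/${res.kind}`
    : `${base}/${res.kind}`;
}

// Derive the attributes an RBAC authorizer evaluates from a request path.
function requestAttributes(path) {
  const parts = path.split("/").filter(Boolean); // ["apis", group, version, ...]
  const namespaced = parts[3] === "namespaces";
  return {
    group: parts[1],
    namespace: namespaced ? parts[4] : "", // "" means cluster scope
    resource: namespaced ? parts[5] : parts[3],
    verb: "list",
  };
}

// Minimal model of RBAC: rules granted through a RoleBinding apply only to
// requests inside the binding's namespace, never at cluster scope.
function roleBindingAllows(binding, user, attrs) {
  if (!binding.subjects.includes(user)) return false;
  if (attrs.namespace === "" || attrs.namespace !== binding.namespace) return false;
  return binding.rules.some(
    (r) =>
      r.apiGroups.includes(attrs.group) &&
      r.resources.includes(attrs.resource) &&
      r.verbs.includes(attrs.verb)
  );
}

// Constructed sample binding mirroring the setup described in the issue.
const mdcBinding = {
  namespace: "mdc",
  subjects: ["evals01"],
  rules: [{ apiGroups: ["push.aerogear.org"], resources: ["iosvariants"], verbs: ["list"] }],
};

function canList(namespace) {
  const res = { group: "push.aerogear.org", version: API_VERSION, kind: "iosvariants", namespace };
  return roleBindingAllows(mdcBinding, "evals01", requestAttributes(listPath(res)));
}
```

`canList("mdc")` is allowed, while `canList(undefined)` is denied for the same user and rule, matching the "at the cluster scope" wording in the 403 message.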