Avoid add and remove namespace for Cluster resources

extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/AddNamespaceDecorator.java

@@ -43,4 +43,9 @@ public boolean equals(Object o) {
     public int hashCode() {
         return Objects.hash(namespace);
     }
+
+    @Override
+    public Class<? extends Decorator>[] before() {
+        return new Class[] { AddClusterRoleBindingResourceDecorator.class, AddClusterRoleResourceDecorator.class };
+    }
 }

extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java

@@ -252,6 +252,11 @@ public static List<DecoratorBuildItem> createDecorators(Optional<Project> projec
         result.addAll(createLabelDecorators(target, name, config, labels));
         result.addAll(createAnnotationDecorators(project, target, name, config, metricsConfiguration, annotations, port));
         result.addAll(createPodDecorators(target, name, config));
+
+        // Handle RBAC
+        result.addAll(createRbacDecorators(name, target, config, kubernetesClientConfiguration, roles, clusterRoles,
+                serviceAccounts, roleBindings));
+
         result.addAll(createContainerDecorators(target, name, namespace, config));
         result.addAll(createMountAndVolumeDecorators(target, name, config));
         result.addAll(createAppConfigVolumeAndEnvDecorators(target, name, config));
@@ -276,10 +281,6 @@ public static List<DecoratorBuildItem> createDecorators(Optional<Project> projec
             result.addAll(createProbeDecorators(name, target, config.getLivenessProbe(), config.getReadinessProbe(),
                     config.getStartupProbe(), livenessProbePath, readinessProbePath, startupPath));
         }
-
-        // Handle RBAC
-        result.addAll(createRbacDecorators(name, target, config, kubernetesClientConfiguration, roles, clusterRoles,
-                serviceAccounts, roleBindings));
         return result;
     }
 
@@ -292,10 +293,6 @@ private static Collection<DecoratorBuildItem> createRbacDecorators(String name,
             List<KubernetesRoleBindingBuildItem> roleBindingsFromExtensions) {
         List<DecoratorBuildItem> result = new ArrayList<>();
 
-        // Cluster resources does not have namespace
-        result.add(new DecoratorBuildItem(target, new RemoveNamespaceFromClusterRoleBindingDecorator()));
-        result.add(new DecoratorBuildItem(target, new RemoveNamespaceFromClusterRoleDecorator()));
-
         boolean kubernetesClientRequiresRbacGeneration = kubernetesClientConfiguration
                 .map(KubernetesClientCapabilityBuildItem::isGenerateRbac).orElse(false);
         Set<String> roles = new HashSet<>();

integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java

@@ -84,7 +84,7 @@ public void assertGeneratedResources() throws IOException {
 
         // secret-reader assertions
         ClusterRole secretReaderRole = getClusterRoleByName(kubernetesList, "secret-reader");
-        assertThat(secretReaderRole.getMetadata().getNamespace()).isEqualTo(null);
+        assertThat(secretReaderRole.getMetadata().getNamespace()).isNull();
         assertThat(secretReaderRole.getRules()).satisfiesOnlyOnce(r -> {
             assertThat(r.getApiGroups()).containsExactly("");
             assertThat(r.getResources()).containsExactly("secrets");
@@ -112,7 +112,7 @@ public void assertGeneratedResources() throws IOException {
         assertEquals("Group", clusterSubject.getKind());
         assertEquals("manager", clusterSubject.getName());
         assertEquals("rbac.authorization.k8s.io", clusterSubject.getApiGroup());
-        assertThat(clusterRoleBinding.getMetadata().getNamespace()).isEqualTo(null);
+        assertThat(clusterRoleBinding.getMetadata().getNamespace()).isNull();
     }
 
     private int lastIndexOfKind(String content, String... kinds) {