From ed801a98d65176ef582f302bcd11091ff36a92ba Mon Sep 17 00:00:00 2001
From: Dixit Sathwara
Date: Thu, 21 May 2026 13:02:20 +0530
Subject: [PATCH 1/2] [patch] remove the preinstall rbac for minimal
---
 src/mas/devops/pre_install.py | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/src/mas/devops/pre_install.py b/src/mas/devops/pre_install.py
index e0ce6b1f..62f6bc47 100644
--- a/src/mas/devops/pre_install.py
+++ b/src/mas/devops/pre_install.py
@@ -75,11 +75,6 @@ def _should_apply_preinstall_mas_rbac_file(fileName: str, permissionMode: str) -
 if not (lowerName.endswith(".yml") or lowerName.endswith(".yaml")):
 return False
- # TODO: Sort out this openshift-ingress exception properly.
- # For now, always apply this manifest in any permission mode.
- if lowerName == "role-essential-core-entitymgr-suite-openshift-ingress.yaml":
- return True
-
 if permissionMode == "cluster":
 return lowerName.startswith("cluster-role-")
@@ -137,9 +132,6 @@ def _discover_preinstall_mas_rbac_files(
 if not rbacRootDir:
 rbacRootDir = DEFAULT_PREINSTALL_MAS_RBAC_ROOT
- # Due to ingresscontroller role we need to apply the preinstall RBAC for the minimal permission mode
- # if permissionMode == "minimal":
- # return []
 selectedOperatorDirs = _get_selected_operator_dirs(selectedApps)
@@ -280,12 +272,22 @@ def applyPreInstallMASRBAC(
 if not rbacRootDir:
 rbacRootDir = DEFAULT_PREINSTALL_MAS_RBAC_ROOT
- validatedApps = _validate_selected_apps(selectedApps)
-
- if not validatedApps:
- logger.info("No selected apps provided for pre-install MAS RBAC apply")
+ # Minimal mode - essential roles will be applied by each operator
+ if permissionMode == "minimal":
+ logger.info("Minimal permission mode - essential roles will be applied by each operator")
 return
+ # For cluster mode, use ibm-mas operator only (apps not required)
+ if permissionMode == "cluster":
+ validatedApps = {"core"} # Use core which maps to ibm-mas operator
+ logger.info("Cluster permission mode - using ibm-mas operator only")
+ else:
+ # For namespaced mode, validate and use selected apps
+ validatedApps = _validate_selected_apps(selectedApps)
+ if not validatedApps:
+ logger.info("No selected apps provided for namespaced mode pre-install MAS RBAC apply")
+ return
+
 manifestFiles = _discover_preinstall_mas_rbac_files(
 rbacRootDir=rbacRootDir,
 masVersion=masVersion,
From e00b60fbd39328ed66c261632fc61450746637c2 Mon Sep 17 00:00:00 2001
From: Dixit Sathwara
Date: Thu, 21 May 2026 22:36:11 +0530
Subject: [PATCH 2/2] [patch] fix the black
---
 src/mas/devops/pre_install.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/mas/devops/pre_install.py b/src/mas/devops/pre_install.py
index 62f6bc47..dd033a28 100644
--- a/src/mas/devops/pre_install.py
+++ b/src/mas/devops/pre_install.py
@@ -132,7 +132,6 @@ def _discover_preinstall_mas_rbac_files(
 if not rbacRootDir:
 rbacRootDir = DEFAULT_PREINSTALL_MAS_RBAC_ROOT
-
 selectedOperatorDirs = _get_selected_operator_dirs(selectedApps)
 sourceRoots = [
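Review bot: The bare `else:` in the new mode dispatch of applyPreInstallMASRBAC treats every permissionMode that is not exactly `"minimal"` or `"cluster"` as namespaced, so a misspelt, differently-cased or missing value falls through to applying the selected apps' RBAC manifests instead of being rejected. Because this function decides which roles get created, the dispatch should fail closed: make the last branch explicit, e.g. `elif permissionMode == "namespaced":`, and end with `else: raise ValueError(f"Unsupported permissionMode: {permissionMode!r}")`; the literal `"namespaced"` is taken from the comment and log text in this hunk and should be checked against the value callers actually pass. The function starts and ends outside the hunk, so the mode may already be validated earlier; if it is, a one-line comment above the `if` chain saying so would be enough. The cluster branch also no longer calls `_validate_selected_apps(selectedApps)`, so whatever that helper rejected is presumably not checked in cluster mode any more.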