  1. Red Hat Advanced Cluster Management
  2. ACM-24887

Aggregate API does not pick up kubevirt roles inside new ClusterPermissions field


    • SF Train-33
    • Critical
    • None

      Description of problem:

      ACM search uses aggregate API to display virtual machines that a user has access to:

      https://github.com/stolostron/multicloud-operators-foundation/blob/main/docs/clusterview/clusterview.md

      Aggregate API looks at ClusterPermissions to determine the kubevirtprojects permissions a user has. However, in ACM 2.15, ClusterPermission added a new spec field:

      spec.clusterRoleBindings

      In 2.14, it only had spec.clusterRoleBinding (single), whereas it now supports an array of clusterRoleBindings:

      https://github.com/stolostron/cluster-permission/blob/main/config/crds/rbac.open-cluster-management.io_clusterpermissions.yaml

      This breaks the fine-grained RBAC feature for 2.15 because the aggregate API does not report any kubevirtprojects permissions when this new spec field is used. This is a critical bug that will block this fine-grained RBAC release completely in 2.15.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

      1. Create ClusterPermission containing kubevirt.io roles using the ClusterPermission spec.clusterRoleBindings
      2. Aggregate API does not check this field and therefore does not aggregate any user VM permissions

      Actual results:

      Aggregate API does not aggregate permissions.

      Expected results:

      Aggregate API should aggregate permissions even if they are in spec.clusterRoleBindings

      Additional info:

              jiazhu@redhat.com Jian Zhu
              rh-ee-mshort Matthew Short
              Atif Shafi Atif Shafi
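
The failure mode described in this issue, as an added sketch that is not code from the ACM or cluster-permission projects: a reader that merges spec.clusterRoleBinding and spec.clusterRoleBindings before collecting a user's kubevirt.io roles. The `Binding` and `Spec` types, their `Role` and `Subjects` fields, and the function names are simplified, hypothetical stand-ins for the real CRD types, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Binding and Spec are simplified, hypothetical stand-ins for the CRD types.
type Binding struct {
	Role     string   // referenced ClusterRole name (assumed shape)
	Subjects []string // bound user names (assumed shape)
}
type Spec struct {
	ClusterRoleBinding  *Binding  // spec.clusterRoleBinding, the only form in 2.14
	ClusterRoleBindings []Binding // spec.clusterRoleBindings, added in 2.15
}

// AllBindings merges the single and array fields so no caller reads only one.
func AllBindings(s Spec) []Binding {
	out := append([]Binding{}, s.ClusterRoleBindings...)
	if s.ClusterRoleBinding != nil {
		out = append(out, *s.ClusterRoleBinding)
	}
	return out
}

// KubevirtRoles returns the sorted, de-duplicated kubevirt.io roles bound to user.
func KubevirtRoles(bindings []Binding, user string) []string {
	seen := map[string]bool{}
	for _, b := range bindings {
		for _, sub := range b.Subjects {
			if sub == user && strings.HasPrefix(b.Role, "kubevirt.io:") {
				seen[b.Role] = true
			}
		}
	}
	roles := make([]string, 0, len(seen))
	for r := range seen {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	return roles
}

func main() {
	// Constructed sample: the role exists only in the 2.15 array field.
	spec := Spec{ClusterRoleBindings: []Binding{{Role: "kubevirt.io:view", Subjects: []string{"alice"}}}}
	fmt.Println(KubevirtRoles(AllBindings(spec), "alice"))
}
```

A regression test for this bug should cover three shapes of ClusterPermission: only the single field set, only the array set, and both set at once.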