Red Hat Advanced Cluster Management
ACM-27949

cluster-admins of a managed cluster can't see VMs in Fleet Virtualization view

    • Quality / Stability / Reliability
    • Workloads - Train 35 - 2, Workloads - Train 36 - 1
    • Moderate

      Description of problem:

      Terminology:

      • hub cluster - the main cluster, in which ACM is installed and which controls the managed clusters registered to it
      • managed cluster - an OCP cluster external to the hub cluster which is registered in ACM on the hub cluster

       

      If a cluster-admin of a managed cluster logs into the ACM UI on the hub cluster, opens Fleet Virtualization and then tries to view virtual machines in an arbitrary namespace of that managed cluster, an error is shown, e.g.:

      virtualmachines.kubevirt.io is forbidden: User "ocohen@redhat.com" cannot list resource "virtualmachines" in API group "kubevirt.io" in the namespace "alona"

      However, the same user (cluster-admin) can view the VMs in the very same namespace if s/he logs in directly to the managed cluster.

      In addition, if there is a RoleBinding to the "admin" Role in the same namespace for the cluster-admin, then s/he can view the VMs in the ACM UI.

      So it is probably a backend RBAC issue.

      Version-Release number of selected component (if applicable):

      ACM 2.15.0

      How reproducible:

      100%

      Steps to Reproduce:

      1. Described in the description above.

      Actual results:

      cluster-admins / cluster-readers get:

      Restricted access

      You don't have access to this section due to cluster policy

      error when trying to view VMs in an arbitrary namespace of a managed cluster for which they should have permission.

      Expected results:

      They should be seeing the VMs in ACM UI.

      Additional info:

      The backend should probably be using the "SelfSubjectAccessReviews" API (which is what the "oc auth can-i" command uses), rather than checking whether the user has a RoleBinding in the namespace in question.
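      The following is an added illustration, not ACM code and not a description of how the ACM backend is actually implemented. It models, in plain Python, why the two checks mentioned in this report disagree: a cluster-admin is normally granted through a ClusterRoleBinding, which applies in every namespace, so scanning a namespace for RoleBindings that name the user finds nothing, while an access review evaluated by the API server (what "oc auth can-i" asks for via a SelfSubjectAccessReview) unions the rules from the user's ClusterRoleBindings with the RoleBindings in that namespace and answers "allowed". All RBAC objects, the second user "someone-else", and the function names are constructed for the example; only the user name, namespace, API group and resource come from the error message above. The kubevirt rule is placed directly in the "admin" ClusterRole for simplicity (on a real cluster it arrives through ClusterRole aggregation), and group subjects are not modelled.

```python
"""Toy model of the two authorization strategies discussed in ACM-27949.

Constructed example (not ACM code): a minimal re-implementation of the
Kubernetes RBAC resolution rules, used to show why "does the user have a
RoleBinding in this namespace?" disagrees with "can the user list VMs in
this namespace?" (the SelfSubjectAccessReview / `oc auth can-i` answer).
"""
import json

# --- constructed RBAC objects, shaped like the Kubernetes API objects ------
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    # built-in "admin" ClusterRole; the kubevirt rule normally reaches it via
    # ClusterRole aggregation, modelled here as a plain rule (assumption)
    "admin": [{"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines"],
               "verbs": ["get", "list", "watch", "create", "update", "delete"]}],
}
ROLES = {}  # namespace -> role name -> rules; no namespaced Roles in this example

# ClusterRoleBindings apply in every namespace. The user from the report is
# cluster-admin through one of these, not through any RoleBinding.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "ocohen@redhat.com"}]},
]
# RoleBindings apply only in their own namespace (and may reference a ClusterRole).
# "someone-else" is a constructed second user.
ROLE_BINDINGS = [
    {"namespace": "alona",
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "someone-else"}]},
]


def _bound(binding, user):
    return any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"])


def _rules_for(binding, namespace):
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(ref["name"], [])
    return ROLES.get(namespace, {}).get(ref["name"], [])


def _rule_matches(rule, group, resource, verb):
    def m(allowed, want):
        return "*" in allowed or want in allowed
    return m(rule["apiGroups"], group) and m(rule["resources"], resource) and m(rule["verbs"], verb)


def has_rolebinding_in_namespace(user, namespace):
    """The check the report suspects the backend performs: is there any
    RoleBinding for the user in the namespace? ClusterRoleBindings are ignored."""
    return any(b["namespace"] == namespace and _bound(b, user) for b in ROLE_BINDINGS)


def can_i(user, verb, group, resource, namespace):
    """Approximates the API server's answer to a SelfSubjectAccessReview
    (`oc auth can-i <verb> <resource>.<group> -n <namespace>`): union of the
    rules from every ClusterRoleBinding and every RoleBinding in that namespace
    that names the user; default deny."""
    bindings = [b for b in CLUSTER_ROLE_BINDINGS if _bound(b, user)]
    bindings += [b for b in ROLE_BINDINGS if b["namespace"] == namespace and _bound(b, user)]
    return any(_rule_matches(rule, group, resource, verb)
               for b in bindings for rule in _rules_for(b, namespace))


def self_subject_access_review(verb, group, resource, namespace):
    """Body a backend would POST, authenticated with the *user's* bearer token,
    to /apis/authorization.k8s.io/v1/selfsubjectaccessreviews on the managed
    cluster's API server; the response carries status.allowed."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {"resourceAttributes": {"namespace": namespace, "verb": verb,
                                        "group": group, "resource": resource}},
    }


def grant_namespace_admin(user, namespace):
    """The workaround observed in the report: a RoleBinding to "admin" in the
    namespace makes the RoleBinding scan succeed as well."""
    ROLE_BINDINGS.append({"namespace": namespace,
                          "roleRef": {"kind": "ClusterRole", "name": "admin"},
                          "subjects": [{"kind": "User", "name": user}]})


if __name__ == "__main__":
    user, ns = "ocohen@redhat.com", "alona"
    print("RoleBinding scan:", has_rolebinding_in_namespace(user, ns))  # False
    print("can-i list VMs  :", can_i(user, "list", "kubevirt.io", "virtualmachines", ns))  # True
    print(json.dumps(self_subject_access_review("list", "kubevirt.io", "virtualmachines", ns), indent=2))
```

      Running it prints False for the RoleBinding scan and True for the can-i style evaluation on the same user and namespace, which is exactly the mismatch the report describes; after grant_namespace_admin() both agree, matching the RoleBinding-to-"admin" observation. The practical point for a fix is that the decision must be delegated to the API server of the cluster being queried (a SelfSubjectAccessReview sent with the user's own credentials, or a SubjectAccessReview/impersonation by the backend's service account), since any client-side reconstruction has to replicate ClusterRoleBindings, group membership and ClusterRole aggregation to get the same answer.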

              rh-ee-mshort Matthew Short
              ocohen@redhat.com Oren Cohen
              Dan Kenigsberg
              ManiKrishna Sai Ravi ManiKrishna Sai Ravi
              Votes: 0
              Watchers: 6