Project: Red Hat Advanced Cluster Management
Issue: ACM-29987

ACM search - Fleet virt tree view won't display unless user has full namespace access


      Description of problem:

      The Fleet virtualization tree view relies on ACM search to show Clusters -> VM namespaces -> VMs. However, search only populates the tree view data if the user has a ClusterRoleBinding that covers all namespaces in the VM cluster. This causes problems for the end-to-end fine-grained RBAC feature when it is used with the Fleet virtualization UI, because it forces users to create a ClusterRoleBinding to acm-vm-extended:view. This goes against the principle of least privilege and forces customers to grant extra permissions just to get the tree view to work.

      For example, we expected this to be the minimum privilege for viewing VMs in one VM namespace:

      acm-vm-fleet:view is always needed as a ClusterRoleBinding on the hub. We expected that one could then add a RoleBinding to kubevirt.io:view in a single VM namespace. However, this does not allow the tree view to load:

      This behavior differs from 2.15, where search populated namespaces based on the kubevirtprojects response. It seems that since we changed to the userpermissions API, search no longer does this.

      With the current behavior, the least privilege achievable with the ACM VM roles we have today requires adding an acm-vm-extended:view ClusterRoleBinding on the spoke VM cluster:

      So this role binding combination works, but it is not ideal for customers who want to give VM admins the least privilege. If a customer only wants to give minimal access to a VM admin, they now have to grant cluster-wide access to acm-vm-extended:view, which allows access to all pods, nodes, persistentvolumes, pod logs, and much more. This defeats the main purpose of fine-grained RBAC, which is the ability to assign the least amount of privilege to a VM admin.
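      The three bindings discussed above, written out as RBAC manifests. This is an added illustration, not an attachment of the issue; the user name (vm-admin), the binding names and the VM namespace (vm-project-a) are assumed, and the ClusterRole names are the ones the issue refers to.

```yaml
# Hub cluster: cluster-scoped binding the Fleet virtualization UI always needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vm-admin-fleet-view      # assumed binding name
subjects:
- kind: User
  name: vm-admin                 # assumed user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: acm-vm-fleet:view
  apiGroup: rbac.authorization.k8s.io
---
# Managed (spoke) VM cluster: the intended least-privilege grant, a RoleBinding
# of kubevirt.io:view scoped to one VM namespace. In 2.16.0-232 this alone does
# not let the tree view load.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vm-admin-kubevirt-view   # assumed binding name
  namespace: vm-project-a        # assumed VM namespace
subjects:
- kind: User
  name: vm-admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kubevirt.io:view
  apiGroup: rbac.authorization.k8s.io
---
# Managed (spoke) VM cluster: the workaround that currently makes the tree view
# work. Because it is cluster-scoped it also grants read access to pods, nodes,
# persistentvolumes and pod logs in every namespace, which is the over-grant
# the issue describes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vm-admin-extended-view   # assumed binding name
subjects:
- kind: User
  name: vm-admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: acm-vm-extended:view
  apiGroup: rbac.authorization.k8s.io
```

      Running `kubectl auth can-i list pods --all-namespaces --as vm-admin` on the spoke before and after applying the third manifest shows the jump in scope the workaround introduces.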

      Version-Release number of selected component (if applicable): 2.16.0-232

      How reproducible: always

      Steps to Reproduce:

      1. Assign the fine-grained RBAC permissions shown in the first RBAC UI screenshot
      2. View fleet virtualization tree view

      Actual results:

      Tree view does not display.

      Expected results:

      Tree view should display with minimal kubevirt.io permissions, and not require read access to all cluster namespaces.

      Additional info:

        Attachments:
        1. Screenshot 2026-02-10 at 3.49.58 PM.png (42 kB, Matthew Short)
        2. Screenshot 2026-02-10 at 3.55.38 PM.png (84 kB, Matthew Short)
        3. Screenshot 2026-02-10 at 4.02.21 PM.png (53 kB, Matthew Short)
        4. Screenshot 2026-02-10 at 4.03.26 PM.png (74 kB, Matthew Short)
        5. Screenshot 2026-02-10 at 4.14.15 PM.png (46 kB, Matthew Short)
        6. Screenshot 2026-02-10 at 4.14.37 PM.png (53 kB, Matthew Short)
        7. Screenshot 2026-02-13 at 8.04.34 AM.png (46 kB, Matthew Short)
        8. Screenshot 2026-02-13 at 8.08.48 AM.png (40 kB, Matthew Short)
        9. Screenshot 2026-02-13 at 8.09.26 AM.png (49 kB, Matthew Short)

              People: Jorge Padilla (jpadilla@redhat.com), Matthew Short (rh-ee-mshort), Derek Ho