Bug
Resolution: Done-Errata
Quality / Stability / Reliability
CLOSED
Description of problem:
Calls to the expand-spec.subresources.kubevirt.io resource are not guarded by authorization, so anyone with access to the kube API can reach the endpoint.
Access to the Instancetypes and preferences referenced in calls to expand-spec is also not guarded by authorization.
Version-Release number of selected component (if applicable):
KubeVirt v0.58.0
How reproducible:
100%
Steps to Reproduce:
1. Make a PUT request to the /apis/subresources.kubevirt.io/v1/expand-spec endpoint as an unprivileged cluster user. -> Access to the endpoint is allowed.
2. Make a PUT request to the /apis/subresources.kubevirt.io/v1/expand-spec endpoint as an unprivileged cluster user, referring to Instancetypes or preferences in namespaces the user has no access to. -> The spec is expanded although access to the namespace was never granted.
Actual results:
Access to the endpoint and to the referenced resources is not verified.
Expected results:
Access to the endpoint and to the referenced resources is verified and is only possible when the corresponding privileges have been granted.