OpenShift Virtualization / CNV-24785

[2164814] [4.13] virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export.kubevirt.io are not part of system:cluster-readers group


Details

    • Storage Core Sprint 236
    • Urgent

    Description

      +++ This bug was initially created as a clone of Bug #2139144 +++

      Description of problem: virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export.kubevirt.io are not part of system:cluster-readers group

      Version-Release number of selected component (if applicable):
      4.12.0-628

      How reproducible:
      100%

      Steps to Reproduce:
      1. Run "oc adm policy who-can get <crd_name>"

      Actual results:
      ===================
      [cloud-user@ocp-psi-executor ~]$ oc adm policy who-can get virtualmachineclones.clone.kubevirt.io
      resourceaccessreviewresponse.authorization.openshift.io/<unknown>

      Namespace: default
      Verb: get
      Resource: virtualmachineclones.clone.kubevirt.io

      Users: system:admin
      system:serviceaccount:kube-system:generic-garbage-collector
      system:serviceaccount:kube-system:namespace-controller
      system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
      system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
      system:serviceaccount:openshift-authentication-operator:authentication-operator
      system:serviceaccount:openshift-authentication:oauth-openshift
      system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
      system:serviceaccount:openshift-cluster-version:default
      system:serviceaccount:openshift-cnv:cluster-network-addons-operator
      system:serviceaccount:openshift-cnv:kubevirt-controller
      system:serviceaccount:openshift-cnv:kubevirt-operator
      system:serviceaccount:openshift-config-operator:openshift-config-operator
      system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
      system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
      system:serviceaccount:openshift-etcd-operator:etcd-operator
      system:serviceaccount:openshift-etcd:installer-sa
      system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
      system:serviceaccount:openshift-kube-apiserver:installer-sa
      system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
      system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
      system:serviceaccount:openshift-kube-controller-manager:installer-sa
      system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
      system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
      system:serviceaccount:openshift-kube-scheduler:installer-sa
      system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
      system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
      system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
      system:serviceaccount:openshift-machine-config-operator:default
      system:serviceaccount:openshift-network-operator:default
      system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
      system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
      system:serviceaccount:openshift-service-ca-operator:service-ca-operator
      system:serviceaccount:recycle-pvs:recycle-pvs-sa
      Groups: system:cluster-admins
      system:masters

      [cloud-user@ocp-psi-executor ~]$
      [cloud-user@ocp-psi-executor ~]$ oc adm policy who-can get virtualmachineexports.export.kubevirt.io
      resourceaccessreviewresponse.authorization.openshift.io/<unknown>

      Namespace: default
      Verb: get
      Resource: virtualmachineexports.export.kubevirt.io

      Users: system:admin
      system:serviceaccount:kube-system:generic-garbage-collector
      system:serviceaccount:kube-system:namespace-controller
      system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
      system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
      system:serviceaccount:openshift-authentication-operator:authentication-operator
      system:serviceaccount:openshift-authentication:oauth-openshift
      system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
      system:serviceaccount:openshift-cluster-version:default
      system:serviceaccount:openshift-cnv:cluster-network-addons-operator
      system:serviceaccount:openshift-cnv:kubevirt-controller
      system:serviceaccount:openshift-cnv:kubevirt-exportproxy
      system:serviceaccount:openshift-cnv:kubevirt-operator
      system:serviceaccount:openshift-config-operator:openshift-config-operator
      system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
      system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
      system:serviceaccount:openshift-etcd-operator:etcd-operator
      system:serviceaccount:openshift-etcd:installer-sa
      system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
      system:serviceaccount:openshift-kube-apiserver:installer-sa
      system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
      system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
      system:serviceaccount:openshift-kube-controller-manager:installer-sa
      system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
      system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
      system:serviceaccount:openshift-kube-scheduler:installer-sa
      system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
      system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
      system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
      system:serviceaccount:openshift-machine-config-operator:default
      system:serviceaccount:openshift-network-operator:default
      system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
      system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
      system:serviceaccount:openshift-service-ca-operator:service-ca-operator
      system:serviceaccount:recycle-pvs:recycle-pvs-sa
      Groups: system:cluster-admins
      system:masters

      [cloud-user@ocp-psi-executor ~]$

      Expected results:
      Both command outputs should list the system:cluster-readers group

      Additional info:

      — Additional comment from Alexander Wels on 2022-11-02 15:49:45 UTC —

      Any reason we want these available to cluster-reader? I am trying to understand why we would want this.

      — Additional comment from Adam Litke on 2022-11-23 18:35:21 UTC —

      Debarati could you please explain why this is a problem?

      — Additional comment from Red Hat Bugzilla on 2022-12-15 08:29:03 UTC —

      Account disabled by LDAP Audit for extended failure

      — Additional comment from Debarati Basu-Nag on 2023-01-26 14:58:06 UTC —

      @alitke@redhat.com we currently have a test that validates that all the CNV CRDs have a cluster reader role. These two are the only ones that don't have a reader cluster role. (Associated with requirement: https://polarion.engineering.redhat.com/polarion/#/project/CNV/workitem?id=CNV-6358.)
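As an added example (not code from the bug report or from the CNV test suite), a parser for the `oc adm policy who-can` output quoted above and the check a test like the one described in the last comment would perform: it flags any CRD whose Groups list lacks system:cluster-readers. The sample output is constructed, abridged from the report.

```python
"""Parse `oc adm policy who-can get <resource>` output and flag resources that
system:cluster-readers cannot read (added example; not from the bug report)."""

REQUIRED_GROUP = "system:cluster-readers"

# Constructed sample, abridged from the output quoted in the report above.
SAMPLE_OUTPUT = """resourceaccessreviewresponse.authorization.openshift.io/<unknown>

Namespace: default
Verb: get
Resource: virtualmachineclones.clone.kubevirt.io

Users: system:admin
system:serviceaccount:kube-system:generic-garbage-collector
system:serviceaccount:openshift-cnv:kubevirt-controller
Groups: system:cluster-admins
system:masters
"""


def parse_who_can(text: str) -> dict:
    """Return {'namespace', 'verb', 'resource', 'users', 'groups'}.
    'Users:'/'Groups:' carry the first subject on the header line and the
    rest one per following line; subject names contain colons themselves,
    so only the known header words are treated as keys."""
    result = {"namespace": "", "verb": "", "resource": "", "users": [], "groups": []}
    current = None  # list that continuation lines are appended to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("resourceaccessreviewresponse"):
            current = None
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("Namespace", "Verb", "Resource"):
            result[key.lower()] = value.strip()
            current = None
        elif sep and key in ("Users", "Groups"):
            current = result[key.lower()]
            if value.strip():
                current.append(value.strip())
        elif current is not None:
            current.append(line)
    return result


def missing_cluster_readers(text: str) -> bool:
    """True when the Groups list lacks system:cluster-readers."""
    return REQUIRED_GROUP not in parse_who_can(text)["groups"]


def crds_without_cluster_reader(outputs: dict) -> list:
    """Given {crd_name: who-can output}, list the CRDs failing the check."""
    return sorted(crd for crd, out in outputs.items() if missing_cluster_readers(out))
```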

            People

              rhn-support-awels Alexander Wels
              rhn-support-dbasunag Debarati Basu-Nag