Resolution: Done
CNV v4.14.0
CNV Infra 243, CNV Infra Next
Description of problem:
The current kubevirt:view and view ClusterRoles provide a user read-only access to VirtualMachineCluster{Instancetype,Preference}s only if they are bound to the user using a ClusterRoleBinding; using a RoleBinding limits the user to resources within the namespace of the RoleBinding, and the cluster-scoped resources are not in any namespace:

$ oc whoami
kube:admin

$ oc get user/test -o json
{
  "apiVersion": "user.openshift.io/v1",
  "groups": null,
  "identities": [
    "test:test"
  ],
  "kind": "User",
  "metadata": {
    "creationTimestamp": "2023-09-13T06:32:27Z",
    "name": "test",
    "resourceVersion": "2296746",
    "uid": "82589434-61c0-43f9-b583-4cdf1c07a449"
  }
}

$ oc get rolebinding/view -o json
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "RoleBinding",
  "metadata": {
    "creationTimestamp": "2023-09-12T00:26:26Z",
    "name": "view",
    "namespace": "default",
    "resourceVersion": "299686",
    "uid": "41047a8a-9d95-42bc-9f59-667ae114ea5c"
  },
  "roleRef": {
    "apiGroup": "rbac.authorization.k8s.io",
    "kind": "ClusterRole",
    "name": "view"
  },
  "subjects": [
    {
      "apiGroup": "rbac.authorization.k8s.io",
      "kind": "User",
      "name": "test"
    }
  ]
}

$ oc get clusterrole/view -o json | jq -r '.rules[] | select(.apiGroups==["instancetype.kubevirt.io"])'
{
  "apiGroups": [
    "instancetype.kubevirt.io"
  ],
  "resources": [
    "virtualmachineinstancetypes",
    "virtualmachineclusterinstancetypes",
    "virtualmachinepreferences",
    "virtualmachineclusterpreferences"
  ],
  "verbs": [
    "get",
    "list",
    "watch"
  ]
}

$ oc whoami
test

$ oc get virtualmachineclusterinstancetypes
Error from server (Forbidden): virtualmachineclusterinstancetypes.instancetype.kubevirt.io is forbidden: User "test" cannot list resource "virtualmachineclusterinstancetypes" in API group "instancetype.kubevirt.io" at the cluster scope

We should provide a separate ClusterRole that provides the same read-only access to VirtualMachineCluster{Instancetype,Preference} resources at the cluster scope, which admins can then bind to users using a ClusterRoleBinding.
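As an added illustration of the proposed fix (not a manifest from the issue or from the CNV project), the following ClusterRole grants only get/list/watch on the two cluster-scoped kinds and is bound with a ClusterRoleBinding; the role name kubevirt:cluster-instancetype-view is an assumed placeholder, and the subject is the test user from the reproduction above.

```yaml
# Assumed role name; the issue does not specify one.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubevirt:cluster-instancetype-view
rules:
- apiGroups:
  - instancetype.kubevirt.io
  # Only the cluster-scoped kinds are listed here. The namespaced
  # virtualmachineinstancetypes and virtualmachinepreferences remain
  # covered by the existing view ClusterRole through a RoleBinding,
  # so this role adds no namespaced access.
  resources:
  - virtualmachineclusterinstancetypes
  - virtualmachineclusterpreferences
  # Read-only verbs only; no create/update/patch/delete.
  verbs:
  - get
  - list
  - watch
---
# A ClusterRoleBinding is required: a RoleBinding can only grant access
# within its own namespace, and cluster-scoped resources have none.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubevirt:cluster-instancetype-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubevirt:cluster-instancetype-view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: test
```

After applying it, `oc auth can-i list virtualmachineclusterinstancetypes --as=test` should answer yes while `oc auth can-i delete virtualmachineclusterinstancetypes --as=test` still answers no, confirming the grant is limited to read access.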
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Bind the view ClusterRole to a user using a RoleBinding
Actual results:
User unable to list VirtualMachineCluster{Instancetype,Preference}s
Expected results:
User able to list VirtualMachineCluster{Instancetype,Preference}s using a limited ClusterRole and ClusterRoleBinding
Additional info:
Related: CNV-32927 Unprivileged user cannot see list of instancetypes (Closed)