Uploaded image for project: 'OpenShift Virtualization'
  1. OpenShift Virtualization
  2. CNV-32968

No ClusterRole provided to view VirtualMachineCluster{Instancetype,Preference}s

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • CNV v4.14.0
    • CNV v4.14.0
    • CNV Infrastructure
    • None
    • CNV Infra 243, CNV Infra Next
    • Important
    • No

      Description of problem:

      The current kubevirt:view and view ClusterRole provides a user read only access to VirtualMachineCluster{Instancetype,Preference}s only if it is bound to the user using a ClusterRoleBinding, using a RoleBinding limits the user to resources within the namespace of the RoleBinding:
      
      $ oc whoami
      kube:admin
      
      $ oc get user/test -o json 
      {
          "apiVersion": "user.openshift.io/v1",
          "groups": null,
          "identities": [
              "test:test"
          ],
          "kind": "User",
          "metadata": {
              "creationTimestamp": "2023-09-13T06:32:27Z",
              "name": "test",
              "resourceVersion": "2296746",
              "uid": "82589434-61c0-43f9-b583-4cdf1c07a449"
          }
      }
      $ oc get rolebinding/view -o json 
      {
          "apiVersion": "rbac.authorization.k8s.io/v1",
          "kind": "RoleBinding",
          "metadata": {
              "creationTimestamp": "2023-09-12T00:26:26Z",
              "name": "view",
              "namespace": "default",
              "resourceVersion": "299686",
              "uid": "41047a8a-9d95-42bc-9f59-667ae114ea5c"
          },
          "roleRef": {
              "apiGroup": "rbac.authorization.k8s.io",
              "kind": "ClusterRole",
              "name": "view"
          },
          "subjects": [
              {
                  "apiGroup": "rbac.authorization.k8s.io",
                  "kind": "User",
                  "name": "test"
              }
          ]
      }
      
      $ oc get clusterrole/view -o json | jq -r '.rules[] | select(.apiGroups==["instancetype.kubevirt.io"])'
      {
        "apiGroups": [
          "instancetype.kubevirt.io"
        ],
        "resources": [
          "virtualmachineinstancetypes",
          "virtualmachineclusterinstancetypes",
          "virtualmachinepreferences",
          "virtualmachineclusterpreferences"
        ],
        "verbs": [
          "get",
          "list",
          "watch"
        ]
      }
      
      $ oc whoami
      test 
      
      $ oc get virtualmachineclusterinstancetypes
      Error from server (Forbidden): virtualmachineclusterinstancetypes.instancetype.kubevirt.io is forbidden: User "test" cannot list resource "virtualmachineclusterinstancetypes" in API group "instancetype.kubevirt.io" at the cluster scope
      
      
      We should provide a seperate ClusterRole that provides the same read only access to VirtualMachineCluster{Instancetype,Preference}s resources at the cluster scope level that admins can then bind to users using a ClusterRoleBinding.

      Version-Release number of selected component (if applicable):

      v4.14

      How reproducible:

      Always

      Steps to Reproduce:

      1. Bind the view ClusterRole to a user using a RoleBinding
      
      

      Actual results:

      User unable to list VirtualMachineCluster{Instancetype,Preference}s

      Expected results:

      User able to list VirtualMachineCluster{Instancetype,Preference}s using a limited ClusterRole and ClusterRoleBinding

      Additional info:

       

              rhn-support-lyarwood Lee Yarwood
              rhn-support-lyarwood Lee Yarwood
              Geetika Kapoor Geetika Kapoor
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: