Uploaded image for project: 'OpenShift Virtualization'
  1. OpenShift Virtualization
  2. CNV-32968

No ClusterRole provided to view VirtualMachineCluster{Instancetype,Preference}s

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • CNV v4.14.0
    • CNV v4.14.0
    • CNV Infrastructure
    • None
    • CNV Infra 243, CNV Infra Next
    • High
    • No

      Description of problem:

      The current kubevirt:view and view ClusterRole provides a user read only access to VirtualMachineCluster{Instancetype,Preference}s only if it is bound to the user using a ClusterRoleBinding, using a RoleBinding limits the user to resources within the namespace of the RoleBinding:

$ oc whoami
kube:admin

$ oc get user/test -o json 
{
    "apiVersion": "user.openshift.io/v1",
    "groups": null,
    "identities": [
        "test:test"
    ],
    "kind": "User",
    "metadata": {
        "creationTimestamp": "2023-09-13T06:32:27Z",
        "name": "test",
        "resourceVersion": "2296746",
        "uid": "82589434-61c0-43f9-b583-4cdf1c07a449"
    }
}
$ oc get rolebinding/view -o json 
{
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {
        "creationTimestamp": "2023-09-12T00:26:26Z",
        "name": "view",
        "namespace": "default",
        "resourceVersion": "299686",
        "uid": "41047a8a-9d95-42bc-9f59-667ae114ea5c"
    },
    "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "view"
    },
    "subjects": [
        {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "User",
            "name": "test"
        }
    ]
}

$ oc get clusterrole/view -o json | jq -r '.rules[] | select(.apiGroups==["instancetype.kubevirt.io"])'
{
  "apiGroups": [
    "instancetype.kubevirt.io"
  ],
  "resources": [
    "virtualmachineinstancetypes",
    "virtualmachineclusterinstancetypes",
    "virtualmachinepreferences",
    "virtualmachineclusterpreferences"
  ],
  "verbs": [
    "get",
    "list",
    "watch"
  ]
}

$ oc whoami
test 

$ oc get virtualmachineclusterinstancetypes
Error from server (Forbidden): virtualmachineclusterinstancetypes.instancetype.kubevirt.io is forbidden: User "test" cannot list resource "virtualmachineclusterinstancetypes" in API group "instancetype.kubevirt.io" at the cluster scope


We should provide a seperate ClusterRole that provides the same read only access to VirtualMachineCluster{Instancetype,Preference}s resources at the cluster scope level that admins can then bind to users using a ClusterRoleBinding.

      Version-Release number of selected component (if applicable):

      v4.14

      How reproducible:

      Always

      Steps to Reproduce:

      1. Bind the view ClusterRole to a user using a RoleBinding

      Actual results:

      User unable to list VirtualMachineCluster{Instancetype,Preference}s

      Expected results:

      User able to list VirtualMachineCluster{Instancetype,Preference}s using a limited ClusterRole and ClusterRoleBinding

      Additional info:

       

              rhn-support-lyarwood Lee Yarwood
              rhn-support-lyarwood Lee Yarwood
              Geetika Kapoor Geetika Kapoor
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: