OpenShift Virtualization / CNV-63843

More fine grained RBAC Roles

    • fine-grained-rbac-roles
    • Product / Portfolio Work
    • 77
    • To Do
    • VIRTSTRAT-71 - Improve and smaller scoped RBAC roles
    • 100% To Do, 0% In Progress, 0% Done

      Goal

      Today KubeVirt (and many other operators) has 3 default roles: admin/edit/view.

      These "operator" specific roles are then aggregated into the namespaced admin/edit/view roles in order to give every user the role specific kubevirt permissions (every admin should be a kubevirt admin as well, every editor should be a kubevirt editor as well, …). CNV-63822 is about disabling this auto aggregation.

      This epic is about splitting the default KubeVirt roles admin/edit/view into a more fine-grained set of permissions and then aggregating those back into roles.

      For example (just an example!):
      Today:

      • role admin = edit/create live migration + vm create + vm start stop + snapshot APIs

      Future:

      • role live-migration-admin = edit/create live migration API
      • role vm-creator = edit/create vm API
      • role vm-life-cycle = edit/create vm start/stop subresource API
      • role snapshot-admin = edit/create snapshot API
      • role admin = aggregate live-migration-admin + vm-creator + vm-life-cycle-admin + snapshot-admin # we do this for backwards compatibility

      Thus with this change, administrators are able to create more tailored roles. For example, a cluster admin could allow a user of an SRE group to only start/stop/restart a VM, but not create or modify VMs otherwise.
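      The following manifests are an added illustration of the "Future" layout above, not something from this issue or from the KubeVirt project. They assume hypothetical role names (vm-life-cycle, kubevirt-admin-aggregate), an assumed aggregation label key (example.kubevirt.io/aggregate-to-admin), and a constructed namespace and group (vm-workloads, sre). The API groups and subresource names are the ones KubeVirt exposes for VM start/stop/restart.

```yaml
# Added example (not from the Jira issue or the KubeVirt project).
# A small role that grants only the VM start/stop/restart subresources plus
# read access to the VM objects, and nothing that would let the holder create
# or modify a VM definition.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vm-life-cycle                     # assumed role name, as in the epic's example
  labels:
    # Assumed label key: selects this role for aggregation into the compatibility admin role below.
    example.kubevirt.io/aggregate-to-admin: "true"
rules:
  # start/stop/restart are served by the subresource API group; "update" is the verb they require.
  - apiGroups: ["subresources.kubevirt.io"]
    resources: ["virtualmachines/start", "virtualmachines/stop", "virtualmachines/restart"]
    verbs: ["update"]
  # Read-only on the VM and VMI objects themselves: no create/update/patch/delete.
  - apiGroups: ["kubevirt.io"]
    resources: ["virtualmachines", "virtualmachineinstances"]
    verbs: ["get", "list", "watch"]
---
# The backwards-compatible "admin" role is built from the small roles by
# Kubernetes ClusterRole aggregation: the controller manager fills in `rules`
# from every ClusterRole matching the selector, so this role never carries
# rules of its own.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubevirt-admin-aggregate          # assumed name for the aggregated compatibility role
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        example.kubevirt.io/aggregate-to-admin: "true"
rules: []                                 # populated automatically by the control plane
---
# Binding only the small role to an SRE group in one namespace yields the
# "start/stop/restart but not create or modify" access the epic describes.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sre-vm-life-cycle
  namespace: vm-workloads                 # constructed namespace
subjects:
  - kind: Group
    name: sre                             # constructed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: vm-life-cycle
  apiGroup: rbac.authorization.k8s.io
```

      The useful check after applying such a split is an impersonated access review, for instance `kubectl auth can-i update virtualmachines.subresources.kubevirt.io --subresource=start --as=alice --as-group=sre -n vm-workloads` (expected: yes) next to `kubectl auth can-i create virtualmachines.kubevirt.io --as=alice --as-group=sre -n vm-workloads` (expected: no). Because aggregated roles are recomputed whenever a matching ClusterRole changes, anyone able to create ClusterRoles carrying the aggregation label can widen the compatibility admin role, so the label namespace chosen here should be treated as part of the trust boundary.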

      Scope of this epic is to
      1. Identify what smaller roles can be created
      2. Think REALLY well about the new role names
      3. Create new roles
      4. Change the existing admin/view/edit/default roles to be composed from the roles created in the previous step

      User Stories

      • High-Level goal-based user story, with context.
        "As a <VM owner/cluster administrator>, I want <to Achieve Some Goal>, so that <Some Reason/Context>."
      • another user story

      Non-Requirements

      • List of things not included in this epic, to alleviate any doubt raised during the grooming process.

      Notes

      • Any additional details or decisions made/needed

          1. upstream roadmap issue (Sub-task, New, Normal, Unassigned)
          2. upstream design (Sub-task, New, Normal, Unassigned)
          3. upstream documentation (Sub-task, New, Normal, Unassigned)
          4. upgrade consideration (Sub-task, New, Normal, Unassigned)
          5. test plans in polarion (Sub-task, New, Normal, Unassigned)
          6. automated tests (Sub-task, New, Normal, Unassigned)
          7. downstream documentation merged (Sub-task, New, Normal, Unassigned)

              bmordeha@redhat.com Barak Mordehai
              fdeutsch@redhat.com Fabian Deutsch
              Kedar Bidarkar
              Votes: 0
              Watchers: 2