Bug 1710261
| Summary: | CDI: missing permissions for HCO deployment | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | Natalie Gavrielov <ngavrilo> |
| Component: | Storage | Assignee: | Simone Tiraboschi <stirabos> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Natalie Gavrielov <ngavrilo> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | 2.0 | CC: | alitke, astopel, cnv-qe-bugs, dzager, ncredi, pep, stirabos, ycui |
| Target Milestone: | --- | Keywords: | TestBlocker |
| Target Release: | 2.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | hco-bundle-registry:v2.0.0-15 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-10-22 12:33:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Natalie Gavrielov
2019-05-15 08:17:50 UTC
Assigning to Simone. The bug is to be closed once a new hco build is issued with the below rbac for cdi-operator:
```
- serviceAccountName: cdi-operator
  rules:
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - roles
    - rolebindings
    - clusterrolebindings
    - clusterroles
    verbs:
    - '*'
  - apiGroups:
    - security.openshift.io
    resources:
    - securitycontextconstraints
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - security.openshift.io
    resourceNames:
    - privileged
    resources:
    - securitycontextconstraints
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - serviceaccounts
    - services
    verbs:
    - '*'
  - apiGroups:
    - ""
    resources:
    - nodes
    verbs:
    - get
    - list
    - watch
    - update
    - patch
  - apiGroups:
    - extensions
    resources:
    - deployments
    verbs:
    - '*'
  - apiGroups:
    - extensions
    resources:
    - ingresses
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - configmaps
    verbs:
    - watch
    - create
    - delete
    - get
    - update
    - patch
    - list
  - apiGroups:
    - batch
    resources:
    - jobs
    verbs:
    - create
    - delete
    - get
    - update
    - patch
    - list
  - apiGroups:
    - apiextensions.k8s.io
    resources:
    - customresourcedefinitions
    verbs:
    - create
    - delete
    - get
    - update
    - patch
    - list
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    - daemonsets
    verbs:
    - create
    - get
    - list
    - delete
    - watch
    - update
  - apiGroups:
    - admissionregistration.k8s.io
    resources:
    - validatingwebhookconfigurations
    verbs:
    - get
    - create
    - update
  - apiGroups:
    - apiregistration.k8s.io
    resources:
    - apiservices
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
  - apiGroups:
    - cdi.kubevirt.io
    resources:
    - '*'
    verbs:
    - '*'
  - apiGroups:
    - storage.k8s.io
    resources:
    - storageclasses
    verbs:
    - get
    - list
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - update
    - patch
  - apiGroups:
    - ""
    resources:
    - pods
    - persistentvolumeclaims
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims/finalizers
    - pods/finalizers
    verbs:
    - update
  - apiGroups:
    - ""
    resources:
    - services
    verbs:
    - get
    - list
    - watch
    - create
    - delete
  - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - get
    - list
    - watch
    - create
  - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - get
    - list
  - apiGroups:
    - route.openshift.io
    resources:
    - routes
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
  - apiGroups:
    - route.openshift.io
    resources:
    - routes/custom-host
    verbs:
    - create
    - update
```
The long term method for fixing this issue is for:

1) This PR to be merged https://github.com/kubevirt/containerized-data-importer/pull/798
2) Changes to be vendored into HCO project
3) Update HCO manifest generation to use vendored CDI

I don't want for us to manually update HCO and then have to manually update later when CDI is updated.

Simone, can we move this to ON_QA yet?

Yes, ON_QA since hco-bundle-registry:v2.0.0-15

Verified, build: 2.0.0-15
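
The drift this bug describes, where the rules cdi-operator needs are ahead of what the bundle grants, can be checked mechanically before a build ships. The following is an added example, not code from CDI, HCO or this bug: `covers`, `missing`, `REQUIRED` and `STALE_BUNDLE` are hypothetical names, `REQUIRED` copies three rules from the description above, and `STALE_BUNDLE` is constructed sample data. It assumes rules are already loaded as Python dicts and matches only `'*'` and exact names.

```python
# Added example (not CDI or HCO code): report permissions an operator needs
# that a bundle's RBAC rules do not grant. Handles '*' and exact names only.

def covers(rule, group, resource, verb, name=None):
    """True if one RBAC rule grants verb on group/resource (optionally one named object)."""
    def match(values, wanted):
        return "*" in values or wanted in values
    if not (match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb)):
        return False
    names = rule.get("resourceNames")
    # A rule limited by resourceNames applies only to those named objects.
    return not names or name in names

def missing(required, granted):
    """Expand required rules to (group, resource, verb, name) and list the uncovered ones."""
    gaps = []
    for req in required:
        for g in req["apiGroups"]:
            for r in req["resources"]:
                for v in req["verbs"]:
                    for n in req.get("resourceNames") or [None]:
                        if not any(covers(rule, g, r, v, n) for rule in granted):
                            gaps.append((g, r, v, n))
    return gaps

# Three rules copied from the list in the description above.
REQUIRED = [
    {"apiGroups": ["security.openshift.io"], "resourceNames": ["privileged"],
     "resources": ["securitycontextconstraints"], "verbs": ["get", "patch", "update"]},
    {"apiGroups": ["route.openshift.io"], "resources": ["routes/custom-host"],
     "verbs": ["create", "update"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "update", "patch"]},
]
# Constructed stand-in for an out-of-date bundle; not taken from any real HCO build.
# Note that 'routes' does not cover the subresource 'routes/custom-host'.
STALE_BUNDLE = [
    {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["route.openshift.io"], "resources": ["routes"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["*"], "verbs": ["create", "update"]},
]

if __name__ == "__main__":
    for group, resource, verb, name in missing(REQUIRED, STALE_BUNDLE):
        scope = f" (name={name})" if name else ""
        print(f"missing: {verb} on {group or 'core'}/{resource}{scope}")
```

Run against the vendored CDI rules and the generated HCO manifest, an empty result means the bundle grants everything the operator asks for.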