Bug 2223775

Summary: global permission found for ssp operator in cnv csv.spec.install.spec.clusterPermissions
Product: Container Native Virtualization (CNV)
Reporter: Debarati Basu-Nag <dbasunag>
Component: Infrastructure
Assignee: Javier Cano Cano <jcanocan>
Status: CLOSED MIGRATED
QA Contact: Geetika Kapoor <gkapoor>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.14.0
CC: dholler, jcanocan, ycui
Target Milestone: ---
Target Release: 4.14.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-12-14 16:15:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2238027
Bug Blocks:
Attachments: ssp operator rules (flags: none)

Description Debarati Basu-Nag 2023-07-18 20:18:09 UTC
Created attachment 1976389
ssp operator rules

Description of problem: With CNV-v4.14.0.rhel9-1274, for the ssp operator we are seeing global permissions set for multiple rules. Since https://issues.redhat.com/browse/CNV-24031 is now closed, opening this bug to track the current failures.


Version-Release number of selected component (if applicable):
CNV-v4.14.0.rhel9-1274

How reproducible:
100%

Steps to Reproduce:
1. Check csv.spec.install.spec.clusterPermissions for ssp-operator

Actual results:
================
- apiGroups:
  - '*'
  resources:
  - persistentvolumeclaims
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - secrets
  verbs:
  - '*'
- apiGroups:
  - cdi.kubevirt.io
  resources:
  - datavolumes
  verbs:
  - '*'
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - kubevirt.io
  resources:
  - virtualmachines/finalizers
  verbs:
  - '*'
===============

Expected results:
No global permission for ssp operator should be present.

Additional info:

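The check behind step 1 of "Steps to Reproduce" and the "Expected results" above can be scripted. The following is an added example written for this page; it is not code from the bug report or from the ssp-operator project. It assumes the CSV is exported as JSON (for example `oc get csv -n openshift-cnv <csv-name> -o json > csv.json`; the namespace and CSV name are assumptions) and that the rules live at spec.install.spec.clusterPermissions[].rules[] as in the OLM CSV schema. Besides flagging a '*' in apiGroups, resources or verbs, it also reports the datavolumes pattern from the bug, where '*' is listed next to explicit verbs that it already subsumes. The embedded sample CSV is constructed from the four rules quoted above plus one narrowly scoped rule that must not be flagged.

```python
#!/usr/bin/env python3
"""Flag wildcard ('*') RBAC rules in a ClusterServiceVersion's clusterPermissions.

Added example for this bug; not code from the bug report or the ssp-operator project.
Assumptions: the CSV is supplied as JSON (e.g. `oc get csv -n openshift-cnv <csv-name> -o json`),
and the rules live at spec.install.spec.clusterPermissions[].rules[] (OLM CSV schema).
Standard library only.
"""
import json
import sys

WILDCARD = "*"
CHECKED_FIELDS = ("apiGroups", "resources", "verbs")


def wildcard_fields(rule):
    """Return the names of the fields in one RBAC rule that contain '*'."""
    return [f for f in CHECKED_FIELDS if WILDCARD in rule.get(f, [])]


def redundant_with_wildcard(rule):
    """True when a field lists '*' next to explicit entries (verbs: ['*', 'get', ...]);
    the explicit entries add nothing because '*' already grants them."""
    return any(WILDCARD in rule.get(f, []) and len(rule.get(f, [])) > 1
               for f in CHECKED_FIELDS)


def find_wildcard_rules(csv):
    """Return (serviceAccountName, rule, offending_fields) for each rule using '*'."""
    findings = []
    install_spec = csv.get("spec", {}).get("install", {}).get("spec", {})
    for perm in install_spec.get("clusterPermissions", []):
        sa = perm.get("serviceAccountName", "<unset>")
        for rule in perm.get("rules", []):
            fields = wildcard_fields(rule)
            if fields:
                findings.append((sa, rule, fields))
    return findings


# Constructed sample (not a real export): the four rules quoted in the bug plus one
# narrowly scoped rule that must not be flagged. The SA name is an assumption.
SAMPLE_CSV = {
    "spec": {"install": {"spec": {"clusterPermissions": [{
        "serviceAccountName": "ssp-operator",
        "rules": [
            {"apiGroups": ["*"], "resources": ["persistentvolumeclaims"], "verbs": ["*"]},
            {"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["*"]},
            {"apiGroups": ["cdi.kubevirt.io"], "resources": ["datavolumes"],
             "verbs": ["*", "create", "delete", "get", "list", "patch", "update", "watch"]},
            {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines/finalizers"],
             "verbs": ["*"]},
            {"apiGroups": ["ssp.kubevirt.io"], "resources": ["ssps"],
             "verbs": ["get", "list", "watch"]},
        ],
    }]}}}
}


def report(csv):
    """Build one line per offending rule; returns (lines, offending_rule_count)."""
    findings = find_wildcard_rules(csv)
    lines = []
    for sa, rule, fields in findings:
        note = " (explicit entries redundant next to '*')" if redundant_with_wildcard(rule) else ""
        lines.append(f"{sa}: apiGroups={rule.get('apiGroups')} "
                     f"resources={rule.get('resources')} verbs={rule.get('verbs')} "
                     f"-> wildcard in {', '.join(fields)}{note}")
    return lines, len(findings)


def main(argv):
    # `script.py csv.json` checks a real export, `script.py -` reads JSON from stdin,
    # no argument runs against the constructed sample.
    if len(argv) > 1 and argv[1] == "-":
        csv = json.load(sys.stdin)
    elif len(argv) > 1:
        with open(argv[1]) as fh:
            csv = json.load(fh)
    else:
        csv = SAMPLE_CSV
    lines, count = report(csv)
    print("\n".join(lines) if lines else "no wildcard rules in clusterPermissions")
    return 1 if count else 0  # non-zero exit lets this act as a CI gate


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the four rules from the bug flagged and the ssps rule pass; a non-zero exit status on any finding is what makes the script usable as the gate the test in Comment 2 describes.
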
Comment 2 Debarati Basu-Nag 2023-08-31 02:14:09 UTC
@jcanocan 
1) Yes, we should not have any "*" permissions; there should be specific permissions instead.
2) Since https://issues.redhat.com/browse/CNV-24031 is targeted for 4.14 and this bug is against the work done for this, I would say this should be addressed to fully close any RBAC work done for the SSP operator.
3) The test was developed for the RBAC work done against various operators in 4.14, and the failure indicates that the work for these epics is not complete in 4.14, as originally intended.

Please let me know if you need anything else from my side.

Comment 3 Javier Cano Cano 2023-09-07 14:43:47 UTC
We are addressing this bug. These two PRs should fix this issue: https://github.com/kubevirt/kubevirt-tekton-tasks/pull/259 https://github.com/kubevirt/ssp-operator/pull/684
I will let you know when they are merged.
Thanks!