2057142 – CDI aggregate roles missing some types

Bug 2057142 - CDI aggregate roles missing some types

Summary: CDI aggregate roles missing some types

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Container Native Virtualization (CNV)
Classification:	Red Hat
Component:	Storage
Sub Component:
Version:	4.9.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.10.1
Assignee:	Arnon Gilboa
QA Contact:	Kevin Alon Goldblatt
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-02-22 19:10 UTC by Michael Henriksen
Modified:	2022-05-18 20:27 UTC (History)
CC List:	5 users (show)
Fixed In Version:	CNV v4.10.1-92
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-05-18 20:27:03 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	kubevirt containerized-data-importer pull 2245	None	Merged	Expose all CDI CRDs to cluster-readers	2022-04-26 13:16:41 UTC
Github	kubevirt containerized-data-importer pull 2246	None	Merged	[release-v1.43] Expose all CDI CRDs to cluster-readers	2022-04-27 11:23:10 UTC
Red Hat Product Errata	RHSA-2022:4668	None	None	None	2022-05-18 20:27:23 UTC

Description Michael Henriksen 2022-02-22 19:10:33 UTC

Description of problem:

dataimportcrons and objecttransfers (maybe others?) are missing from the admin/edit/view aggregated cluster roles


Version-Release number of selected component (if applicable):


How reproducible:  100%


Steps to Reproduce:
1.  log in as cluster_reader or admin of a namespace
2.  oc get dataimportcrons
3.  see rbac error

Actual results:

Should have appropriate permissions


Expected results:


Additional info:

Comment 1 dalia 2022-03-07 12:12:35 UTC

also missing cluster-readers role for:

cdiconfigs.cdi.kubevirt.io
datasources.cdi.kubevirt.io
objecttransfers.cdi.kubevirt.io
storageprofiles.cdi.kubevirt.io

Comment 2 Kevin Alon Goldblatt 2022-05-03 12:02:23 UTC

Verified with the following code:
-----------------------------------------------
oc version
Client Version: 4.10.0-202204291519.p0.g09f825e.assembly.stream-09f825e
Server Version: 4.10.12
Kubernetes Version: v1.23.5+70fb84c
oc get csv -n openshift-cnv
NAME                                       DISPLAY                    VERSION   REPLACES                                   PHASE
kubevirt-hyperconverged-operator.v4.10.1   OpenShift Virtualization   4.10.1    kubevirt-hyperconverged-operator.v4.10.0   Succeeded


Verified with the following scenario:
-----------------------------------------------
 oc adm policy who-can get cdiconfigs.cdi.kubevirt.io |grep system:cluster-readers
        system:cluster-readers
[cnv-qe-jenkins@c01-jp4101-xxkzb-executor cnv-tests]$ oc adm policy who-can get objecttransfers.cdi.kubevirt.io |grep system:cluster-readers
        system:cluster-readers
[cnv-qe-jenkins@c01-jp4101-xxkzb-executor cnv-tests]$ oc adm policy who-can get storageprofiles.cdi.kubevirt.io |grep system:cluster-readers
        system:cluster-readers
[cnv-qe-jenkins@c01-jp4101-xxkzb-executor cnv-tests]$ oc adm policy who-can get dataimportcrons.cdi.kubevirt.io |grep system:cluster-readers
        system:cluster-readers
[cnv-qe-jenkins@c01-jp4101-xxkzb-executor cnv-tests]$ oc adm policy who-can get datasources.cdi.kubevirt.io |grep system:cluster-readers
        system:cluster-readers


Moving to VERIFIED!

Comment 8 errata-xmlrpc 2022-05-18 20:27:03 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.10.1 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4668

Note You need to log in before you can comment on or make changes to this bug.