Description of problem:
CNV networking CRDs don't include the cluster-reader role in their lists of authorized roles.

Version-Release number of selected component (if applicable):
CNV 4.10.0

How reproducible:
100%

Steps to Reproduce:
1. Log in to an OpenShift cluster with CNV installed.
2. Check the list of roles that are allowed to access any networking component, for example NodeNetworkConfigurationPolicy:
   $ oc adm policy who-can get nncp

Actual results:
None of the users or groups listed in the output include the cluster-reader role.

[cnv-qe-jenkins@n-yoss-410-6scsl-executor ~]$ oc adm policy who-can get nncp
resourceaccessreviewresponse.authorization.openshift.io/<unknown>

Namespace: default
Verb:      get
Resource:  nodenetworkconfigurationpolicies.nmstate.io

Users:  system:admin
        system:serviceaccount:kube-system:generic-garbage-collector
        system:serviceaccount:kube-system:namespace-controller
        system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
        system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
        system:serviceaccount:openshift-authentication-operator:authentication-operator
        system:serviceaccount:openshift-authentication:oauth-openshift
        system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
        system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-controller-operator
        system:serviceaccount:openshift-cluster-version:default
        system:serviceaccount:openshift-cnv:cluster-network-addons-operator
        system:serviceaccount:openshift-cnv:nmstate-handler
        system:serviceaccount:openshift-config-operator:openshift-config-operator
        system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
        system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
        system:serviceaccount:openshift-etcd-operator:etcd-operator
        system:serviceaccount:openshift-etcd:installer-sa
        system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
        system:serviceaccount:openshift-kube-apiserver:installer-sa
        system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
        system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
        system:serviceaccount:openshift-kube-controller-manager:installer-sa
        system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
        system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
        system:serviceaccount:openshift-kube-scheduler:installer-sa
        system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
        system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
        system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
        system:serviceaccount:openshift-machine-config-operator:default
        system:serviceaccount:openshift-network-operator:default
        system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
        system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
        system:serviceaccount:openshift-service-ca-operator:service-ca-operator
        system:serviceaccount:recycle-pvs:recycle-pvs-sa

Groups: system:cluster-admins
        system:masters

Expected results:
Lists should include cluster-reader
This is similar to https://bugzilla.redhat.com/show_bug.cgi?id=2022745. While the reference BZ will cover resources of nmstate, this BZ will track the rest (e.g. NetworkAddonsConfig).
$ oc adm policy who-can get NetworkAddonsConfig | grep reader
system:cluster-readers
$ oc adm policy who-can get nmstates | grep reader
system:cluster-readers

The CRs of CNAO and k8s-nmstate are already accessible by the cluster-readers group out of the box. NNS, NNCP, NNCE were handled at https://bugzilla.redhat.com/show_bug.cgi?id=2022745
Awesome, thanks for looking into this. I'm marking the BZ as CLOSED then. *** This bug has been marked as a duplicate of bug 2022745 ***
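The check used in this report (`oc adm policy who-can get <resource>`, then looking for the cluster-readers group) is easy to run once, but the same question comes back for every CRD an operator ships. The script below is an added example, not part of this bug report or of the CNV, k8s-nmstate or CNAO projects: it parses `who-can` output offline, audits a list of resources on a live cluster when `oc` is logged in, and emits the kind of aggregated ClusterRole through which OpenShift's cluster-reader picks up read access to new CRDs (the `rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"` label). The short names `nncp`, `nnce`, `nns`, `networkaddonsconfigs` and `nmstates`, and the role name `cnv-network-cluster-reader`, are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the CNV projects): audit which
# resources grant "get" to the system:cluster-readers group and emit an
# aggregated ClusterRole that would close a gap.

# Read `oc adm policy who-can` output on stdin; succeed only if
# system:cluster-readers appears in the Groups section. A match under
# Users: would be a different, unexpected binding and is ignored.
whocan_has_cluster_readers() {
    awk '
        /^Users:/  { section = "users" }
        /^Groups:/ { section = "groups" }
        section == "groups" {
            for (i = 1; i <= NF; i++)
                if ($i == "system:cluster-readers") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Live check of one resource (needs oc and a logged-in session).
cluster_readers_can_get() {
    oc adm policy who-can get "$1" 2>/dev/null | whocan_has_cluster_readers
}

# Print one line per resource: "ok <res>" or "MISSING <res>".
audit_cluster_reader_access() {
    for res in "$@"; do
        if cluster_readers_can_get "$res"; then
            echo "ok      $res"
        else
            echo "MISSING $res"
        fi
    done
}

# Emit a ClusterRole whose rules OpenShift folds into cluster-reader via
# the aggregate-to-cluster-reader label. $1 = role name, $2 = API group,
# remaining args = plural resource names.
aggregated_cluster_reader_role() {
    name=$1; group=$2; shift 2
    resources=""
    for r in "$@"; do
        resources="$resources${resources:+, }\"$r\""
    done
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $name
  labels:
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups: ["$group"]
  resources: [$resources]
  verbs: ["get", "list", "watch"]
EOF
}

# Demo: only touches a cluster when oc is present and logged in.
# Short names and the role name below are assumptions for illustration.
if command -v oc >/dev/null 2>&1 && oc whoami >/dev/null 2>&1; then
    audit_cluster_reader_access nncp nnce nns networkaddonsconfigs nmstates
fi
aggregated_cluster_reader_role cnv-network-cluster-reader nmstate.io \
    nodenetworkconfigurationpolicies nodenetworkconfigurationenactments \
    nodenetworkstates
```

The parser keys on the `Groups:` section rather than grepping the whole output, so a stray `reader` substring in a service-account name or a group listed under `Users:` does not produce a false "ok". The emitted role needs no binding of its own: once the label is present, OpenShift's aggregation controller copies its rules into the `cluster-reader` ClusterRole, and the `who-can` audit above is the way to confirm it took effect.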