Test on CNV-v4.13.0.rhel9-1832, issue has been fixed. $ oc adm policy who-can get virtualmachineclones.clone.kubevirt.io resourceaccessreviewresponse.authorization.openshift.io/<unknown> Namespace: default Verb: get Resource: virtualmachineclones.clone.kubevirt.io Users: system:admin system:serviceaccount:default:pipeline system:serviceaccount:kube-system:generic-garbage-collector system:serviceaccount:kube-system:namespace-controller system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator system:serviceaccount:openshift-apiserver:openshift-apiserver-sa system:serviceaccount:openshift-authentication-operator:authentication-operator system:serviceaccount:openshift-authentication:oauth-openshift system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator system:serviceaccount:openshift-cluster-version:default system:serviceaccount:openshift-cnv:cluster-network-addons-operator system:serviceaccount:openshift-cnv:kubevirt-controller system:serviceaccount:openshift-cnv:kubevirt-operator system:serviceaccount:openshift-config-operator:openshift-config-operator system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa system:serviceaccount:openshift-etcd-operator:etcd-operator system:serviceaccount:openshift-etcd:installer-sa system:serviceaccount:openshift-infra:template-instance-controller system:serviceaccount:openshift-infra:template-instance-finalizer-controller system:serviceaccount:openshift-insights:gather system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator system:serviceaccount:openshift-kube-apiserver:installer-sa system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator system:serviceaccount:openshift-kube-controller-manager:installer-sa system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator system:serviceaccount:openshift-kube-scheduler:installer-sa system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa system:serviceaccount:openshift-machine-config-operator:default system:serviceaccount:openshift-network-operator:default system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount system:serviceaccount:openshift-service-ca-operator:service-ca-operator system:serviceaccount:recycle-pvs:recycle-pvs-sa Groups: system:cluster-admins system:cluster-readers system:masters $ oc adm policy who-can get virtualmachineexports.export.kubevirt.io resourceaccessreviewresponse.authorization.openshift.io/<unknown> Namespace: default Verb: get Resource: virtualmachineexports.export.kubevirt.io Users: system:admin system:serviceaccount:default:pipeline system:serviceaccount:kube-system:generic-garbage-collector system:serviceaccount:kube-system:namespace-controller system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator system:serviceaccount:openshift-apiserver:openshift-apiserver-sa system:serviceaccount:openshift-authentication-operator:authentication-operator system:serviceaccount:openshift-authentication:oauth-openshift system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator system:serviceaccount:openshift-cluster-version:default system:serviceaccount:openshift-cnv:cluster-network-addons-operator system:serviceaccount:openshift-cnv:kubevirt-controller system:serviceaccount:openshift-cnv:kubevirt-exportproxy system:serviceaccount:openshift-cnv:kubevirt-operator system:serviceaccount:openshift-config-operator:openshift-config-operator system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa system:serviceaccount:openshift-etcd-operator:etcd-operator system:serviceaccount:openshift-etcd:installer-sa system:serviceaccount:openshift-infra:template-instance-controller system:serviceaccount:openshift-infra:template-instance-finalizer-controller system:serviceaccount:openshift-insights:gather system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator system:serviceaccount:openshift-kube-apiserver:installer-sa system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator system:serviceaccount:openshift-kube-controller-manager:installer-sa system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator system:serviceaccount:openshift-kube-scheduler:installer-sa system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa system:serviceaccount:openshift-machine-config-operator:default system:serviceaccount:openshift-network-operator:default system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount system:serviceaccount:openshift-service-ca-operator:service-ca-operator system:serviceaccount:recycle-pvs:recycle-pvs-sa Groups: system:cluster-admins system:cluster-readers system:masters
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:3205