Bug 2164814 - [4.13]virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export.kubevirt.io are not part of system:cluster-readers group
Summary: [4.13]virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.12.0
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: ---
: 4.13.0
Assignee: Alexander Wels
QA Contact: Yan Du
URL:
Whiteboard:
Depends On: 2139144
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-01-26 15:01 UTC by Debarati Basu-Nag
Modified: 2023-05-18 02:57 UTC (History)
5 users (show)

Fixed In Version: CNV v4.13.0.rhel9-1778
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2139144
Environment:
Last Closed: 2023-05-18 02:57:02 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github kubevirt kubevirt pull 9188 0 None Merged RBAC for export and clone virtual machine 2023-03-20 15:02:43 UTC
Github kubevirt kubevirt pull 9413 0 None Merged [release-0.59] RBAC for export and clone virtual machine 2023-03-22 12:32:34 UTC
Red Hat Issue Tracker CNV-24785 0 None None None 2023-01-26 15:05:05 UTC
Red Hat Product Errata RHSA-2023:3205 0 None None None 2023-05-18 02:57:49 UTC

Comment 1 Yan Du 2023-03-22 12:56:02 UTC 
Test on CNV-v4.13.0.rhel9-1832, issue has been fixed.


$ oc adm policy who-can get virtualmachineclones.clone.kubevirt.io
resourceaccessreviewresponse.authorization.openshift.io/<unknown> 

Namespace: default
Verb:      get
Resource:  virtualmachineclones.clone.kubevirt.io

Users:  system:admin
        system:serviceaccount:default:pipeline
        system:serviceaccount:kube-system:generic-garbage-collector
        system:serviceaccount:kube-system:namespace-controller
        system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
        system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
        system:serviceaccount:openshift-authentication-operator:authentication-operator
        system:serviceaccount:openshift-authentication:oauth-openshift
        system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
        system:serviceaccount:openshift-cluster-version:default
        system:serviceaccount:openshift-cnv:cluster-network-addons-operator
        system:serviceaccount:openshift-cnv:kubevirt-controller
        system:serviceaccount:openshift-cnv:kubevirt-operator
        system:serviceaccount:openshift-config-operator:openshift-config-operator
        system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
        system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
        system:serviceaccount:openshift-etcd-operator:etcd-operator
        system:serviceaccount:openshift-etcd:installer-sa
        system:serviceaccount:openshift-infra:template-instance-controller
        system:serviceaccount:openshift-infra:template-instance-finalizer-controller
        system:serviceaccount:openshift-insights:gather
        system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
        system:serviceaccount:openshift-kube-apiserver:installer-sa
        system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
        system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
        system:serviceaccount:openshift-kube-controller-manager:installer-sa
        system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
        system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
        system:serviceaccount:openshift-kube-scheduler:installer-sa
        system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
        system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
        system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
        system:serviceaccount:openshift-machine-config-operator:default
        system:serviceaccount:openshift-network-operator:default
        system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
        system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
        system:serviceaccount:openshift-service-ca-operator:service-ca-operator
        system:serviceaccount:recycle-pvs:recycle-pvs-sa
Groups: system:cluster-admins
        system:cluster-readers
        system:masters


$ oc adm policy who-can get virtualmachineexports.export.kubevirt.io 
resourceaccessreviewresponse.authorization.openshift.io/<unknown> 

Namespace: default
Verb:      get
Resource:  virtualmachineexports.export.kubevirt.io

Users:  system:admin
        system:serviceaccount:default:pipeline
        system:serviceaccount:kube-system:generic-garbage-collector
        system:serviceaccount:kube-system:namespace-controller
        system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
        system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
        system:serviceaccount:openshift-authentication-operator:authentication-operator
        system:serviceaccount:openshift-authentication:oauth-openshift
        system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
        system:serviceaccount:openshift-cluster-version:default
        system:serviceaccount:openshift-cnv:cluster-network-addons-operator
        system:serviceaccount:openshift-cnv:kubevirt-controller
        system:serviceaccount:openshift-cnv:kubevirt-exportproxy
        system:serviceaccount:openshift-cnv:kubevirt-operator
        system:serviceaccount:openshift-config-operator:openshift-config-operator
        system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
        system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
        system:serviceaccount:openshift-etcd-operator:etcd-operator
        system:serviceaccount:openshift-etcd:installer-sa
        system:serviceaccount:openshift-infra:template-instance-controller
        system:serviceaccount:openshift-infra:template-instance-finalizer-controller
        system:serviceaccount:openshift-insights:gather
        system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
        system:serviceaccount:openshift-kube-apiserver:installer-sa
        system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
        system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
        system:serviceaccount:openshift-kube-controller-manager:installer-sa
        system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
        system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
        system:serviceaccount:openshift-kube-scheduler:installer-sa
        system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
        system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
        system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
        system:serviceaccount:openshift-machine-config-operator:default
        system:serviceaccount:openshift-network-operator:default
        system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
        system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
        system:serviceaccount:openshift-service-ca-operator:service-ca-operator
        system:serviceaccount:recycle-pvs:recycle-pvs-sa
Groups: system:cluster-admins
        system:cluster-readers
        system:masters
Comment 3 errata-xmlrpc 2023-05-18 02:57:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:3205
Note You need to log in before you can comment on or make changes to this bug.