Bug 2217956 - volumeclonesources.cdi.kubevirt.io, volumeimportsources.cdi.kubevirt.io and volumeuploadsources.cdi.kubevirt.io are not part of system:cluster-readers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.14.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.14.0
Assignee: Álvaro Romero
QA Contact: Debarati Basu-Nag
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-27 15:59 UTC by Debarati Basu-Nag
Modified: 2023-11-08 14:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-08 14:05:51 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | kubevirt containerized-data-importer pull 2802 | 0 | None | Merged | Update populator CRDs roles to include cluster-readers | 2023-07-17 10:40:12 UTC
Github | kubevirt containerized-data-importer pull 2806 | 0 | None | Merged | [release-v1.57] Update populator CRDs roles to include cluster-readers | 2023-07-17 10:40:15 UTC
Red Hat Issue Tracker | CNV-30342 | 0 | None | None | None | 2023-06-27 16:00:14 UTC
Red Hat Product Errata | RHSA-2023:6817 | 0 | None | None | None | 2023-11-08 14:06:06 UTC

Description Debarati Basu-Nag 2023-06-27 15:59:06 UTC
Description of problem: The following CRDs are missing the system:cluster-readers role:
volumeclonesources.cdi.kubevirt.io
volumeimportsources.cdi.kubevirt.io
volumeuploadsources.cdi.kubevirt.io


Version-Release number of selected component (if applicable):
4.14.0 

How reproducible:
100%

Steps to Reproduce:
1.   oc adm policy who-can get <crd_name>

Actual results:

[cloud-user@ocp-ipi-executor-xl ~]$ oc adm policy who-can get volumeuploadsources.cdi.kubevirt.io
resourceaccessreviewresponse.authorization.openshift.io/<unknown> 

Namespace: default
Verb:      get
Resource:  volumeuploadsources.cdi.kubevirt.io

Users:  system:admin
        system:serviceaccount:kube-system:generic-garbage-collector
        system:serviceaccount:kube-system:namespace-controller
        system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
        system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
        system:serviceaccount:openshift-authentication-operator:authentication-operator
        system:serviceaccount:openshift-authentication:oauth-openshift
        system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
        system:serviceaccount:openshift-cluster-version:default
        system:serviceaccount:openshift-cnv:cdi-operator
        system:serviceaccount:openshift-cnv:cdi-sa
        system:serviceaccount:openshift-cnv:kubevirt-controller
        system:serviceaccount:openshift-cnv:kubevirt-operator
        system:serviceaccount:openshift-config-operator:openshift-config-operator
        system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
        system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
        system:serviceaccount:openshift-etcd-operator:etcd-operator
        system:serviceaccount:openshift-etcd:installer-sa
        system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
        system:serviceaccount:openshift-kube-apiserver:installer-sa
        system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
        system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
        system:serviceaccount:openshift-kube-controller-manager:installer-sa
        system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
        system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
        system:serviceaccount:openshift-kube-scheduler:installer-sa
        system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
        system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
        system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
        system:serviceaccount:openshift-machine-config-operator:default
        system:serviceaccount:openshift-network-operator:default
        system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
        system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
        system:serviceaccount:openshift-service-ca-operator:service-ca-operator
        system:serviceaccount:recycle-pvs:recycle-pvs-sa
Groups: system:cluster-admins
        system:masters

[cloud-user@ocp-ipi-executor-xl ~]$
[cloud-user@ocp-ipi-executor-xl ~]$ oc adm policy who-can get  volumeimportsources.cdi.kubevirt.io
resourceaccessreviewresponse.authorization.openshift.io/<unknown> 

Namespace: default
Verb:      get
Resource:  volumeimportsources.cdi.kubevirt.io

Users:  system:admin
        system:serviceaccount:kube-system:generic-garbage-collector
        system:serviceaccount:kube-system:namespace-controller
        system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
        system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
        system:serviceaccount:openshift-authentication-operator:authentication-operator
        system:serviceaccount:openshift-authentication:oauth-openshift
        system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
        system:serviceaccount:openshift-cluster-version:default
        system:serviceaccount:openshift-cnv:cdi-operator
        system:serviceaccount:openshift-cnv:cdi-sa
        system:serviceaccount:openshift-cnv:kubevirt-controller
        system:serviceaccount:openshift-cnv:kubevirt-operator
        system:serviceaccount:openshift-config-operator:openshift-config-operator
        system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
        system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
        system:serviceaccount:openshift-etcd-operator:etcd-operator
        system:serviceaccount:openshift-etcd:installer-sa
        system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
        system:serviceaccount:openshift-kube-apiserver:installer-sa
        system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
        system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
        system:serviceaccount:openshift-kube-controller-manager:installer-sa
        system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
        system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
        system:serviceaccount:openshift-kube-scheduler:installer-sa
        system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
        system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
        system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
        system:serviceaccount:openshift-machine-config-operator:default
        system:serviceaccount:openshift-network-operator:default
        system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
        system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
        system:serviceaccount:openshift-service-ca-operator:service-ca-operator
        system:serviceaccount:recycle-pvs:recycle-pvs-sa
Groups: system:cluster-admins
        system:masters

[cloud-user@ocp-ipi-executor-xl ~]$ 

[cloud-user@ocp-ipi-executor-xl ~]$ oc adm policy who-can get  volumeclonesources.cdi.kubevirt.io
resourceaccessreviewresponse.authorization.openshift.io/<unknown> 

Namespace: default
Verb:      get
Resource:  volumeclonesources.cdi.kubevirt.io

Users:  system:admin
        system:serviceaccount:kube-system:generic-garbage-collector
        system:serviceaccount:kube-system:namespace-controller
        system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
        system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
        system:serviceaccount:openshift-authentication-operator:authentication-operator
        system:serviceaccount:openshift-authentication:oauth-openshift
        system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
        system:serviceaccount:openshift-cluster-version:default
        system:serviceaccount:openshift-cnv:cdi-operator
        system:serviceaccount:openshift-cnv:cdi-sa
        system:serviceaccount:openshift-cnv:kubevirt-controller
        system:serviceaccount:openshift-cnv:kubevirt-operator
        system:serviceaccount:openshift-config-operator:openshift-config-operator
        system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
        system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
        system:serviceaccount:openshift-etcd-operator:etcd-operator
        system:serviceaccount:openshift-etcd:installer-sa
        system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
        system:serviceaccount:openshift-kube-apiserver:installer-sa
        system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
        system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
        system:serviceaccount:openshift-kube-controller-manager:installer-sa
        system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
        system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
        system:serviceaccount:openshift-kube-scheduler:installer-sa
        system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
        system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
        system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
        system:serviceaccount:openshift-machine-config-operator:default
        system:serviceaccount:openshift-network-operator:default
        system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
        system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
        system:serviceaccount:openshift-service-ca-operator:service-ca-operator
        system:serviceaccount:recycle-pvs:recycle-pvs-sa
Groups: system:cluster-admins
        system:masters

[cloud-user@ocp-ipi-executor-xl ~]$ 


Expected results:
The command output should list system:cluster-readers group

Additional info:
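
An added example, not part of the original report: a section-aware check that reads `oc adm policy who-can` output on stdin and reports whether a given group appears under "Groups:", so the reproduction step can be scripted for all three CRDs. The function names and the two sample outputs are constructed for illustration (the first is abbreviated from the output above, the second shows the expected result).

```shell
#!/bin/sh
# has_group GROUP: exit 0 if GROUP is listed in the "Groups:" section of
# `oc adm policy who-can` output read from stdin, else exit 1.
# Only the Groups section is searched, so a name under "Users:" never matches.
has_group() {
    awk -v want="$1" '
    {
        if ($0 ~ /^Groups:/)     { in_groups = 1; sub(/^Groups:/, "") }
        else if ($0 ~ /^[^ \t]/) { in_groups = 0 }  # next unindented line ends it
        if (in_groups)
            for (i = 1; i <= NF; i++) if ($i == want) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample: abbreviated form of the actual results in this report.
sample_before() {
    cat <<'EOF'
Namespace: default
Verb:      get
Resource:  volumeuploadsources.cdi.kubevirt.io

Users:  system:admin
        system:serviceaccount:openshift-cnv:cdi-operator
        system:serviceaccount:openshift-cnv:cdi-sa
Groups: system:cluster-admins
        system:masters

EOF
}

# Constructed sample: the same output with the expected group present.
sample_expected() {
    sample_before | sed 's/^Groups: system:cluster-admins$/&\
        system:cluster-readers/'
}

# Against a live cluster (requires a logged-in oc; not invoked here).
audit_crds() {
    for crd in volumeclonesources.cdi.kubevirt.io \
               volumeimportsources.cdi.kubevirt.io \
               volumeuploadsources.cdi.kubevirt.io; do
        oc adm policy who-can get "$crd" | has_group system:cluster-readers \
            || echo "MISSING system:cluster-readers: $crd"
    done
}
```

Calling `audit_crds` on an affected build prints one MISSING line per CRD; on a fixed build it prints nothing.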

Comment 1 Yan Du 2023-06-28 12:25:44 UTC
Debarati, is it affecting the functionality?

Alvaro, could you please take a look?

Comment 2 Álvaro Romero 2023-07-06 07:04:21 UTC
(In reply to Yan Du from comment #1)
> Debarati, is it affecting the functionality?
> 
> Alvaro, could you please take a look?

Sure!

Comment 3 Jenia Peimer 2023-07-20 11:54:58 UTC
Merged starting from CNV v4.14.0.rhel9-1245

Comment 4 Debarati Basu-Nag 2023-08-04 18:32:54 UTC
Verified with CNV-v4.14.0.rhel9-1491

Comment 6 errata-xmlrpc 2023-11-08 14:05:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.14.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6817

