This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2223775 - global permission found for ssp operator in cnv csv.spec.install.spec.clusterPermissions
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Infrastructure
Version: 4.14.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.14.2
Assignee: Javier Cano Cano
QA Contact: Geetika Kapoor
URL:
Whiteboard:
Depends On: 2238027
Blocks:
Reported: 2023-07-18 20:18 UTC by Debarati Basu-Nag
Modified: 2024-02-19 07:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-12-14 16:15:08 UTC
Target Upstream Version:
Embargoed:


Attachments
ssp operator rules (11.33 KB, text/plain)
2023-07-18 20:18 UTC, Debarati Basu-Nag


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | kubevirt kubevirt-tekton-tasks pull 259 | 0 | None | Merged | rbac: Audit `*` verbs | 2023-09-27 07:45:16 UTC
Github | kubevirt ssp-operator pull 684 | 0 | None | open | rbac: Audit `*` verbs of kubevirt-tekton-tasks | 2023-09-27 07:44:35 UTC
Red Hat Issue Tracker | CNV-31140 | 0 | None | None | None | 2023-12-14 16:15:07 UTC

Description Debarati Basu-Nag 2023-07-18 20:18:09 UTC
Created attachment 1976389
ssp operator rules

Description of problem: With CNV-v4.14.0.rhel9-1274, for ssp operator we are seeing global permission set for multiple rules. Since https://issues.redhat.com/browse/CNV-24031 is now closed, opening this bug to track the current failures.


Version-Release number of selected component (if applicable):
CNV-v4.14.0.rhel9-1274

How reproducible:
100%

Steps to Reproduce:
1. Check csv.spec.install.spec.clusterPermissions for ssp-operator

Actual results:
================
- apiGroups:
  - '*'
  resources:
  - persistentvolumeclaims
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - secrets
  verbs:
  - '*'
- apiGroups:
  - cdi.kubevirt.io
  resources:
  - datavolumes
  verbs:
  - '*'
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - kubevirt.io
  resources:
  - virtualmachines/finalizers
  verbs:
  - '*'
===============

Expected results:
No global permission for ssp operator should be present.

Additional info:

Comment 2 Debarati Basu-Nag 2023-08-31 02:14:09 UTC
@jcanocan 
1) yes, we should not have any "*" permissions, should have specific permissions instead
2) since https://issues.redhat.com/browse/CNV-24031 is targeted for 4.14 and this bug is against the work done for this, I would say this should be addressed to fully close any RBAC work done for SSP operator.
3) test was developed for RBAC work done against various operators in 4.14, and failure indicates the work for these epics is not complete in 4.14, as originally intended.

Please let me know if you need anything else from my side.

Comment 3 Javier Cano Cano 2023-09-07 14:43:47 UTC
We are addressing this bug. These two PRs should fix this issue: https://github.com/kubevirt/kubevirt-tekton-tasks/pull/259 https://github.com/kubevirt/ssp-operator/pull/684
I will let you know when they are merged.
Thanks!
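
Added example, not part of the bug report or of the ssp-operator test suite: one way to automate the check from step 1 of the description (scan csv.spec.install.spec.clusterPermissions for `*`), run here against the four rules listed under "Actual results". The CSV wrapper around those rules, the `serviceAccountName` value and the names `SAMPLE_CSV` and `find_wildcard_rules` are assumptions for illustration.

```python
import json
import sys

# Constructed sample: the four rules from "Actual results", placed in the
# CSV structure they are read from. serviceAccountName is an assumed value.
SAMPLE_CSV = {"spec": {"install": {"spec": {"clusterPermissions": [{
    "serviceAccountName": "ssp-operator",
    "rules": [
        {"apiGroups": ["*"], "resources": ["persistentvolumeclaims"], "verbs": ["*"]},
        {"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["*"]},
        {"apiGroups": ["cdi.kubevirt.io"], "resources": ["datavolumes"],
         "verbs": ["*", "create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines/finalizers"],
         "verbs": ["*"]},
    ]}]}}}}

# Every rule field in which a literal "*" means "match everything".
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs", "nonResourceURLs")


def find_wildcard_rules(csv, section="clusterPermissions"):
    """Return one finding per (service account, rule index, field) holding '*'."""
    findings = []
    install = csv.get("spec", {}).get("install", {}).get("spec", {})
    for perm in install.get(section) or []:
        account = perm.get("serviceAccountName", "<unknown>")
        for index, rule in enumerate(perm.get("rules") or []):
            for field in WILDCARD_FIELDS:
                values = rule.get(field) or []
                if "*" in values:
                    findings.append({
                        "serviceAccount": account,
                        "rule": index,
                        "field": field,
                        "resources": rule.get("resources", []),
                        # Explicit entries listed next to '*' grant nothing extra.
                        "shadowed": sorted(v for v in values if v != "*"),
                    })
    return findings


if __name__ == "__main__":
    # Optional argument: path to a CSV saved as JSON; default is the sample.
    csv = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CSV
    results = find_wildcard_rules(csv)
    for f in results:
        print(f"{f['serviceAccount']} rule[{f['rule']}] {f['field']} has '*' "
              f"resources={f['resources']} shadowed={f['shadowed']}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when any wildcard is found, so it can gate a CI job; pass it the JSON form of a CSV (for example the output of `oc get csv <name> -n <namespace> -o json`, with placeholders filled in) to check a real bundle.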

