2223776 – global permission found for cluster-network-addons-operator in cnv csv.spec.install.spec.clusterPermissions

Bug 2223776 - global permission found for cluster-network-addons-operator in cnv csv.spec.install.spec.clusterPermissions

Summary: global permission found for cluster-network-addons-operator in cnv csv.spec.i...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Container Native Virtualization (CNV)
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.14.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	4.14.0
Assignee:	Petr Horáček
QA Contact:	Debarati Basu-Nag
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-18 20:31 UTC by Debarati Basu-Nag
Modified:	2023-11-08 14:06 UTC (History)
CC List:	0 users
Fixed In Version:	v4.14.0.rhel9-1490
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-11-08 14:06:02 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
cnao rules (5.81 KB, text/plain) 2023-07-18 20:31 UTC, Debarati Basu-Nag	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Github	kubevirt cluster-network-addons-operator pull 1587	None	open	Allow restriction of Multus RBAC	2023-07-19 08:03:27 UTC
Red Hat Issue Tracker	CNV-31141	None	None	None	2023-07-18 20:32:58 UTC
Red Hat Product Errata	RHSA-2023:6817	None	None	None	2023-11-08 14:06:16 UTC

Description Debarati Basu-Nag 2023-07-18 20:31:30 UTC

Created attachment 1976390 [details]
cnao rules

Description of problem: With CNV-v4.14.0.rhel9-1274, for cluster-network-addons-operator we are seeing global permission set for one rule. 


Version-Release number of selected component (if applicable):
CNV-v4.14.0.rhel9-1274

How reproducible:
100%

Steps to Reproduce:
1. Check csv.spec.install.spec.clusterPermissions for cluster-network-addons-operator
2.
3.

Actual results:
 {
      "apiGroups": [
        "k8s.cni.cncf.io"
      ],
      "resources": [
        "*"
      ],
      "verbs": [
        "*"
      ]
    },


Expected results:
No global permission rule for cluster-network-addons-operator

Additional info:

Comment 1 Petr Horáček 2023-07-19 08:03:28 UTC

https://github.com/kubevirt/cluster-network-addons-operator/pull/1587 should allow us to disable these excessive rules. This will require a follow-up downstream HCO patch setting a new flag on the manifest templator of CNAO.

Comment 2 Petr Horáček 2023-07-27 10:29:21 UTC

Code on CNAO U/S and M/S has been merged. The last step is to update https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/hco-bundle-registry/-/blob/cnv-4.14-rhel-9/distgit/containers/hco-bundle-registry/cnv-operators-csv-generator.py#L332-389

Comment 3 Debarati Basu-Nag 2023-08-04 19:11:27 UTC

Verified against CNV-v4.14.0.rhel9-1491. The original issue reported has been fixed.

Comment 5 errata-xmlrpc 2023-11-08 14:06:02 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.14.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6817

Note You need to log in before you can comment on or make changes to this bug.