ansibleplaybookbundle/kubevirt-apb

Provide RBAC rules for virtualmachines-apb

Closed this issue · 5 comments

The virtualmachines-apb requires that we run as cluster-admin. We should be able to add RBAC rules for KubeVirt to create for the virtualmachines-apb so that it can run as non-cluster-admin.

I don't think adding RBAC rules will do the trick, as the CRD is created within the APB.

@karmab are you saying that the CRD, the API for the VM, doesn't exist until the VM is created, so we can't create any rules for it because k8s doesn't know what API we're talking about?

Can we create the CRD here?

Actually, what I meant is that the APB would be creating a VM object (CRD) living in a different namespace than the one it's currently deployed in; for me this didn't work, but maybe I'm wrong (and it has to do with the next section).

But it's worse, because even if the APB can create objects in the destination namespace, we would get errors like the following, even though the user does belong to the indicated namespace:

[jmayer@master01 ~]$ oc get vm
Error from server (Forbidden): virtualmachines.kubevirt.io is forbidden: User "jmayer" cannot list virtualmachines.kubevirt.io in the namespace "woodstock": User "jmayer" cannot list virtualmachines.kubevirt.io in project "woodstock"

@rthallisey is this still relevant? Or did it become obsolete with the latest changes in KubeVirt roles management?

@nellyc closed. Aggregated roles were added.
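As an added example (not from the kubevirt-apb repository), this is the shape of an aggregated ClusterRole that resolves the "cannot list virtualmachines.kubevirt.io in project woodstock" error quoted above without granting cluster-admin: the `aggregate-to-view` label makes the built-in `view` ClusterRole absorb the rules, so a plain namespace-scoped RoleBinding to `view` is enough. The role name `example:kubevirt-vm-viewer` and the binding name are assumptions; the user `jmayer` and namespace `woodstock` are taken from the error in the thread.

```yaml
# Added example, not the project's own manifest. Requires Kubernetes RBAC
# aggregation (Kubernetes 1.9+). Names are assumed except jmayer/woodstock,
# which come from the error quoted in the thread.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example:kubevirt-vm-viewer
  labels:
    # The built-in "view" ClusterRole aggregates every ClusterRole carrying
    # this label; "edit" aggregates "view" and "admin" aggregates "edit",
    # so all three default roles gain read access to VirtualMachines.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: ["kubevirt.io"]
    resources: ["virtualmachines"]
    verbs: ["get", "list", "watch"]
---
# Namespace-scoped binding: jmayer receives the (now aggregated) "view"
# role only in project "woodstock", so `oc get vm` succeeds there and
# nowhere else. No cluster-wide permission is granted to the user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jmayer-view-woodstock
  namespace: woodstock
subjects:
  - kind: User
    name: jmayer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

To confirm the effect before handing access to a user, an administrator can run `oc auth can-i list virtualmachines.kubevirt.io -n woodstock --as jmayer`, which should answer `yes` for `woodstock` and `no` for any other namespace.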