
fix(module): extend virtualization RBACv1/RBACv2 coverage#2276

Merged
fl64 merged 8 commits into
mainfrom
fix/module/extend-rbac-coverage
Apr 28, 2026

Conversation


@fl64 fl64 commented Apr 26, 2026

Description

Extend virtualization RBAC coverage in both RBACv1 and RBACv2.

The change adds missing permissions for:

  • virtualmachinemacaddresses
  • virtualmachinemacaddressleases
  • virtualmachinesnapshotoperations
  • nodeusbdevices

It also introduces a separate RBACv2 capability for snapshot operations:

  • d8:use:capability:virtualization:execute_virtualmachinesnapshot_operations

Why do we need it, and what problem does it solve?

Some virtualization API resources were missing from module RBAC templates, and RBACv1/RBACv2 coverage was inconsistent.

What is the expected result?

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

   section: module
   type: fix
   summary: "Added missing RBAC permissions for virtualization resources, including virtual machine MAC addresses, snapshot operations, and node USB devices."

@fl64 fl64 self-assigned this Apr 26, 2026
@fl64 fl64 changed the title fix(module): extend virtualization RBACv1 coverage fix(module): extend virtualization RBACv1/RBACv2 coverage Apr 26, 2026
@fl64 fl64 marked this pull request as ready for review April 26, 2026 13:00
@fl64 fl64 requested a review from Isteb4k as a code owner April 26, 2026 13:00
@fl64 fl64 added this to the v1.8.1 milestone Apr 26, 2026
Comment thread templates/user-authz-cluster-roles.yaml (outdated)
- virtualization.deckhouse.io
resources:
- virtualmachineoperations
- virtualmachinesnapshotoperations
Contributor


PrivilegedUser: The same as User + can exec into containers, read secrets, and delete pods (and thus, restart them).

It looks like it should also be able to delete virtual machines.

Member Author


It doesn't fit into the logic of VM operation.

Comment thread templates/user-authz-cluster-roles.yaml (outdated)
Contributor


It doesn't match the documentation at all. But I guess we can leave it like this for now.

Comment thread templates/user-authz-cluster-roles.yaml (outdated)
- virtualization.deckhouse.io
resources:
- virtualmachineoperations
- virtualmachinesnapshotoperations
Contributor


virtualmachinesnapshotoperations will allow the user to create virtual machines. But a PrivilegedUser shouldn't be able to do that.

Member Author


Yep, moved it to Editor and vmop too.
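The point raised in this thread is that an operation resource can carry an indirect right: `create` on `virtualmachinesnapshotoperations` lets a user restore, and so create, a virtual machine. The following is an added example (not code from this PR or the module) of a policy check that derives each tier's effective permissions, including such implied grants, and flags a tier that ends up with a right it must not hold. The tier names, rule sets and the `IMPLIED`/`FORBIDDEN` tables are constructed for illustration and mirror the `rules` shape of a ClusterRole, not the module's real templates.

```python
# Added example: derive effective RBAC rights, including rights implied via operation
# resources, and check them against per-tier prohibitions. All data below is constructed.
API_GROUP = "virtualization.deckhouse.io"
ALL_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete"}
VIEW = {"get", "list", "watch"}
OPS = ["virtualmachineoperations", "virtualmachinesnapshotoperations"]

# Indirect effect discussed in the thread: creating a snapshot operation can restore (create) a VM.
# (resource, verb) -> implied (resource, verb)
IMPLIED = {("virtualmachinesnapshotoperations", "create"): ("virtualmachines", "create")}

# Tier prohibitions from the thread: PrivilegedUser must not be able to create virtual machines.
FORBIDDEN = {"PrivilegedUser": {("virtualmachines", "create")}}


def rule(resources, verbs):
    """One ClusterRole-style `rules` entry for the virtualization API group."""
    return {"apiGroups": [API_GROUP], "resources": list(resources), "verbs": sorted(verbs)}


# Constructed tiers: BEFORE keeps create on both operation resources at PrivilegedUser
# (the first proposal); AFTER moves them to Editor (the outcome of the thread).
BEFORE = {
    "PrivilegedUser": [rule(["virtualmachines"], VIEW), rule(OPS, VIEW | {"create"})],
    "Editor": [rule(["virtualmachines"], ALL_VERBS), rule(OPS, ALL_VERBS)],
}
AFTER = {
    "PrivilegedUser": [rule(["virtualmachines"], VIEW), rule(OPS, VIEW)],
    "Editor": [rule(["virtualmachines"], ALL_VERBS), rule(OPS, ALL_VERBS)],
}


def effective(rules):
    """Set of (resource, verb) pairs granted directly, plus pairs implied through IMPLIED."""
    grants = set()
    for r in rules:
        if API_GROUP not in r["apiGroups"] and "*" not in r["apiGroups"]:
            continue
        verbs = ALL_VERBS if "*" in r["verbs"] else set(r["verbs"])
        for res in r["resources"]:
            grants.update((res, v) for v in verbs)
    return grants | {IMPLIED[g] for g in grants if g in IMPLIED}


def violations(tiers):
    """Map tier name -> sorted list of forbidden (resource, verb) pairs the tier effectively holds."""
    return {name: sorted(FORBIDDEN.get(name, set()) & effective(rules)) for name, rules in tiers.items()}


if __name__ == "__main__":
    print("before:", violations(BEFORE))  # PrivilegedUser gains VM creation via snapshot restore
    print("after:", violations(AFTER))    # no violations once the operations move to Editor
```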

Comment thread templates/rbacv2/manage/permissions/manage_internals.yaml
fl64 added 2 commits April 28, 2026 17:19
Signed-off-by: Pavel Tishkov <pavel.tishkov@flant.com>
@fl64 fl64 requested a review from Isteb4k April 28, 2026 14:54
@fl64 fl64 merged commit 3646dbe into main Apr 28, 2026
26 of 28 checks passed
@fl64 fl64 deleted the fix/module/extend-rbac-coverage branch April 28, 2026 14:55
Isteb4k pushed a commit that referenced this pull request Apr 28, 2026
Signed-off-by: Pavel Tishkov <pavel.tishkov@flant.com>

Extend virtualization RBAC coverage in both RBACv1 and RBACv2.

The change adds missing permissions for:

- virtualmachinemacaddresses
- virtualmachinemacaddressleases
- virtualmachinesnapshotoperations
- nodeusbdevices

It also introduces a separate RBACv2 capability for snapshot operations:

d8:use:capability:virtualization:execute_virtualmachinesnapshot_operations
(cherry picked from commit 3646dbe)