From 75bf9c22bb0f722aa5c8f5795410b8babdc58273 Mon Sep 17 00:00:00 2001
From: Daniil Antoshin
Date: Mon, 25 May 2026 08:57:13 +0200
Subject: [PATCH] fix(rbac): allow listing nodes for VM migration
Signed-off-by: Daniil Antoshin
fix(rbac): remove extra node get permission
Signed-off-by: Daniil Antoshin
---
 .../capabilities/execute_virtualmachine_operations.yaml | 7 +++++++
 templates/user-authz-cluster-roles.yaml | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/templates/rbacv2/use/capabilities/execute_virtualmachine_operations.yaml b/templates/rbacv2/use/capabilities/execute_virtualmachine_operations.yaml
index 1fcc253e55..ff10bc0c58 100644
--- a/templates/rbacv2/use/capabilities/execute_virtualmachine_operations.yaml
+++ b/templates/rbacv2/use/capabilities/execute_virtualmachine_operations.yaml
@@ -18,3 +18,10 @@ rules:
 - patch
 - delete
 - deletecollection
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
diff --git a/templates/user-authz-cluster-roles.yaml b/templates/user-authz-cluster-roles.yaml
index 4ed0300901..f3f7ac87ef 100644
--- a/templates/user-authz-cluster-roles.yaml
+++ b/templates/user-authz-cluster-roles.yaml
@@ -87,6 +87,13 @@ rules:
 - deletecollection
 - patch
 - update
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
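Review bot: The new `nodes` rule (here and in the identical hunk for templates/user-authz-cluster-roles.yaml) is a cluster-scoped read that cannot be limited to a namespace, and `list` already returns complete Node objects, so leaving out `get` as the second commit message describes does not reduce what a holder can read: addresses, labels, taints and the per-node image list in status, for every node. Because `nodes` is cluster-scoped, the rule only takes effect through a ClusterRoleBinding; if this capability is bound per namespace with a RoleBinding (the `use` path hints at that, but the binding is not visible here) the request would still be denied. I would record the reason and the scope above the rule, for example `# list/watch nodes: needed to choose a VM migration target; cluster-scoped, exposes all Node objects`, and confirm the effective grant with `kubectl auth can-i list nodes --as=<user>`. The role's metadata and earlier rules are outside the hunk.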
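Review bot: This rule in templates/user-authz-cluster-roles.yaml repeats the one added to execute_virtualmachine_operations.yaml line for line, and nothing ties the two copies together, so a later tightening of one can leave the other still granting node reads. The ClusterRole that receives it begins outside the hunk, so which access level gains the permission cannot be confirmed from these lines; the preceding `deletecollection`/`patch`/`update` verbs suggest a write-capable role, which should be verified. A cross-reference comment such as `# keep in sync with rbacv2/use/capabilities/execute_virtualmachine_operations.yaml (nodes list/watch for VM migration)` would make the coupling visible to the next editor.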