virt-operator: Remove explicit subresources permissions

The `get` verb permissions were only required for a short amount of time to allow updates from v0.43 and can be removed. The remaining `update` verb permissions are actually already included by the call to getKubeVirtComponentsRules [1] when generating the virt-operator ClusterRole. This call pulls in all rules required by KubeVirt for the operator to use as can be seen by looking at the generated rbac-operator.authorization.k8s.yaml.in file [2] from a previous commit to this PR. [1] https://github.com/kubevirt/kubevirt/blob/c4b6ae63c5a7f642ab86b0755dabca3b814ecb39/pkg/virt-operator/resource/generate/rbac/operator.go#L339-L340 [2] https://github.com/kubevirt/kubevirt/blob/43aa19c2b5417c9843f6f7ed58125391cd79c6af/manifests/generated/rbac-operator.authorization.k8s.yaml.in#L510-L519 Signed-off-by: Lee Yarwood <[email protected]>
SchSeba · Jul 8, 2022 · 04cf920 · 04cf920
1 parent c4b6ae6
commit 04cf920
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 49 deletions.
diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
@@ -321,20 +321,6 @@ spec:
           - delete
           - update
           - patch
-        - apiGroups:
-          - subresources.kubevirt.io
-          resources:
-          - virtualmachineinstances/pause
-          - virtualmachineinstances/unpause
-          - virtualmachineinstances/addvolume
-          - virtualmachineinstances/removevolume
-          - virtualmachineinstances/freeze
-          - virtualmachineinstances/unfreeze
-          - virtualmachineinstances/softreboot
-          - virtualmachineinstances/portforward
-          verbs:
-          - update
-          - get
         - apiGroups:
           - ""
           resources:

diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
@@ -240,20 +240,6 @@ rules:
   - delete
   - update
   - patch
-- apiGroups:
-  - subresources.kubevirt.io
-  resources:
-  - virtualmachineinstances/pause
-  - virtualmachineinstances/unpause
-  - virtualmachineinstances/addvolume
-  - virtualmachineinstances/removevolume
-  - virtualmachineinstances/freeze
-  - virtualmachineinstances/unfreeze
-  - virtualmachineinstances/softreboot
-  - virtualmachineinstances/portforward
-  verbs:
-  - update
-  - get
 - apiGroups:
   - ""
   resources:

diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go
@@ -298,27 +298,6 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole {
 					"get", "list", "watch", "create", "delete", "update", "patch",
 				},
 			},
-			// Until v0.43 a `get` verb was granted to these resources, but there is no get endpoint.
-			// The get permission needs to be kept on the operator level so that updates work.
-			{
-				APIGroups: []string{
-					"subresources.kubevirt.io",
-				},
-				Resources: []string{
-					"virtualmachineinstances/pause",
-					"virtualmachineinstances/unpause",
-					"virtualmachineinstances/addvolume",
-					"virtualmachineinstances/removevolume",
-					"virtualmachineinstances/freeze",
-					"virtualmachineinstances/unfreeze",
-					"virtualmachineinstances/softreboot",
-					"virtualmachineinstances/portforward",
-				},
-				Verbs: []string{
-					"update",
-					"get",
-				},
-			},
 			{
 				APIGroups: []string{
 					"",