Fix permissions for userlist and filesystemlist subresources

Allow admin, edit and review accounts get access.

Signed-off-by: Roman Mohr <[email protected]>

manifests/generated/operator-csv.yaml.in

@@ -659,6 +659,8 @@ spec:
           - virtualmachineinstances/console
           - virtualmachineinstances/vnc
           - virtualmachineinstances/guestosinfo
+          - virtualmachineinstances/filesystemlist
+          - virtualmachineinstances/userlist
           verbs:
           - get
         - apiGroups:
@@ -717,6 +719,8 @@ spec:
           - virtualmachineinstances/console
           - virtualmachineinstances/vnc
           - virtualmachineinstances/guestosinfo
+          - virtualmachineinstances/filesystemlist
+          - virtualmachineinstances/userlist
           verbs:
           - get
         - apiGroups:
@@ -778,6 +782,8 @@ spec:
           - subresources.kubevirt.io
           resources:
           - virtualmachineinstances/guestosinfo
+          - virtualmachineinstances/filesystemlist
+          - virtualmachineinstances/userlist
           verbs:
           - get
         - apiGroups:

manifests/generated/rbac-operator.authorization.k8s.yaml.in

@@ -561,6 +561,8 @@ rules:
   - virtualmachineinstances/console
   - virtualmachineinstances/vnc
   - virtualmachineinstances/guestosinfo
+  - virtualmachineinstances/filesystemlist
+  - virtualmachineinstances/userlist
   verbs:
   - get
 - apiGroups:
@@ -619,6 +621,8 @@ rules:
   - virtualmachineinstances/console
   - virtualmachineinstances/vnc
   - virtualmachineinstances/guestosinfo
+  - virtualmachineinstances/filesystemlist
+  - virtualmachineinstances/userlist
   verbs:
   - get
 - apiGroups:
@@ -680,6 +684,8 @@ rules:
   - subresources.kubevirt.io
   resources:
   - virtualmachineinstances/guestosinfo
+  - virtualmachineinstances/filesystemlist
+  - virtualmachineinstances/userlist
   verbs:
   - get
 - apiGroups:

pkg/virt-operator/resource/generate/rbac/cluster.go

@@ -125,6 +125,8 @@ func newAdminClusterRole() *rbacv1.ClusterRole {
 					"virtualmachineinstances/console",
 					"virtualmachineinstances/vnc",
 					"virtualmachineinstances/guestosinfo",
+					"virtualmachineinstances/filesystemlist",
+					"virtualmachineinstances/userlist",
 				},
 				Verbs: []string{
 					"get",
@@ -212,6 +214,8 @@ func newEditClusterRole() *rbacv1.ClusterRole {
 					"virtualmachineinstances/console",
 					"virtualmachineinstances/vnc",
 					"virtualmachineinstances/guestosinfo",
+					"virtualmachineinstances/filesystemlist",
+					"virtualmachineinstances/userlist",
 				},
 				Verbs: []string{
 					"get",
@@ -308,6 +312,8 @@ func newViewClusterRole() *rbacv1.ClusterRole {
 				},
 				Resources: []string{
 					"virtualmachineinstances/guestosinfo",
+					"virtualmachineinstances/filesystemlist",
+					"virtualmachineinstances/userlist",
 				},
 				Verbs: []string{
 					"get",

tests/access_test.go

@@ -236,6 +236,8 @@ var _ = Describe("[rfe_id:500][crit:high][vendor:[email protected]][level:compon
 			table.Entry("[test_id:3233]on vm stop", "virtualmachines", "stop", allowUpdateFor("admin", "edit"), denyAllFor("view", "default")),
 			table.Entry("[test_id:3234]on vm restart", "virtualmachines", "restart", allowUpdateFor("admin", "edit"), denyAllFor("view", "default")),
 			table.Entry("on vmi guestosinfo", "virtualmachineinstances", "guestosinfo", allowGetFor("admin", "edit", "view"), denyAllFor("default")),
+			table.Entry("on vmi userlist", "virtualmachineinstances", "userlist", allowGetFor("admin", "edit", "view"), denyAllFor("default")),
+			table.Entry("on vmi filesystemlist", "virtualmachineinstances", "filesystemlist", allowGetFor("admin", "edit", "view"), denyAllFor("default")),
 		)
 	})