Allow kubevirt:view role to get,list kubevirts

Kubevirt resource is in category all. `kubectl get all` or `virtctl permitted-devices` fails if the user don't have the permissions to list Kubevirt resource. Signed-off-by: fossedihelm <[email protected]>
zyjj1 · Nov 22, 2023 · 38ba821 · 38ba821
1 parent f920d48
commit 38ba821
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
@@ -1151,6 +1151,13 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - kubevirt.io
+          resources:
+          - kubevirts
+          verbs:
+          - get
+          - list
         - apiGroups:
           - subresources.kubevirt.io
           resources:

diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
@@ -1091,6 +1091,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - kubevirt.io
+  resources:
+  - kubevirts
+  verbs:
+  - get
+  - list
 - apiGroups:
   - subresources.kubevirt.io
   resources:

diff --git a/pkg/virt-operator/resource/generate/rbac/cluster.go b/pkg/virt-operator/resource/generate/rbac/cluster.go
@@ -516,6 +516,17 @@ func newViewClusterRole() *rbacv1.ClusterRole {
 			},
 		},
 		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{
+					GroupName,
+				},
+				Resources: []string{
+					"kubevirts",
+				},
+				Verbs: []string{
+					"get", "list",
+				},
+			},
 			{
 				APIGroups: []string{
 					GroupNameSubresources,