From 50995a9e76a1ed639461ec348f0706ce85b15950 Mon Sep 17 00:00:00 2001
From: Maksim Fedotov
Date: Fri, 21 Nov 2025 15:41:17 +0300
Subject: [PATCH 1/2] chore(ci): fix RBAC for cdi-operator

Signed-off-by: Maksim Fedotov
---
 .dmtlint.yaml | 6 ++--
 templates/cdi/cdi-operator/rbac-for-us.yaml | 39 +++++----------------
 2 files changed, 12 insertions(+), 33 deletions(-)

diff --git a/.dmtlint.yaml b/.dmtlint.yaml
index dd21da65e5..f0ce5eaa39 100644
--- a/.dmtlint.yaml
+++ b/.dmtlint.yaml
@@ -13,11 +13,13 @@ linters-settings:
         - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.contentType"
   rbac:
     exclude-rules:
-      # We exclude RBAC rules for virt-operator because it creates ClusterRoles and ClusterRoleBindings with wildcards.
-      # If we remove wildcard, virt-operator will be unable to create them, as it does not have wildcard permissions itself.
+      # We exclude RBAC rules for virt-operator and cdi-operator because they create ClusterRoles and ClusterRoleBindings with wildcards.
+      # If we remove wildcard, virt-operator and cdi-operator will be unable to create them, as they do not have wildcard permissions themselves.
       wildcards:
         - kind: ClusterRole
           name: d8:virtualization:kubevirt-operator
+        - kind: ClusterRole
+          name: d8:containerized-data-importer:cdi-operator
       # We exclude RBAC rules for CDI and Kubevirt resources because they are used by upstream deployments.
       # Changing these rules will require patching upstream code.
diff --git a/templates/cdi/cdi-operator/rbac-for-us.yaml b/templates/cdi/cdi-operator/rbac-for-us.yaml
index e4891717f3..2ef29ec190 100644
--- a/templates/cdi/cdi-operator/rbac-for-us.yaml
+++ b/templates/cdi/cdi-operator/rbac-for-us.yaml
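Review bot: The added `wildcards` entry is keyed only on `kind: ClusterRole` / `name: d8:containerized-data-importer:cdi-operator`, so it appears to suppress the wildcard check for every rule in that ClusterRole, not just the `cdi.internal.virtualization.deckhouse.io` and `upload.cdi.kubevirt.io` rule this series widens, and any later `'*'` added to the role would pass the linter unnoticed. The rewritten comment should say which wildcard is expected, e.g. `# cdi-operator: wildcard expected only on the cdi.internal.virtualization.deckhouse.io / upload.cdi.kubevirt.io rule; review any other wildcard in this ClusterRole by hand.`, and the same rationale belongs next to that rule in templates/cdi/cdi-operator/rbac-for-us.yaml, where it is currently absent. Whether the linter can scope an exclusion per rule rather than per object is not visible here; if it can, prefer that.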
@@ -41,40 +41,11 @@ rules:
   - delete
 - apiGroups:
   - cdi.internal.virtualization.deckhouse.io
-  resources:
-  - internalvirtualizationcdiconfigs
-  - internalvirtualizationcdis
-  - internalvirtualizationcdis/finalizers
-  - internalvirtualizationdataimportcrons
-  - internalvirtualizationdatasources
-  - internalvirtualizationdatavolumes
-  - internalvirtualizationobjecttransfers
-  - internalvirtualizationstorageprofiles
-  - internalvirtualizationvolumeclonesources
-  - internalvirtualizationvolumeimportsources
-  - internalvirtualizationvolumeuploadsources
-  - internalvirtualizationopenstackvolumepopulators
-  - internalvirtualizationovirtvolumepopulators
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
   - upload.cdi.kubevirt.io
   resources:
-  - uploadtokenrequests
+  - '*'
   verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
+  - '*'
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
@@ -250,6 +221,12 @@ rules:
   - clusterversions
   verbs:
   - get
+- apiGroups:
+  - cdi.internal.virtualization.deckhouse.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
 - apiGroups:
   - storage.deckhouse.io
   resources:

From 86ffd7c7539508922c0a53e51f6bdf59721f3814 Mon Sep 17 00:00:00 2001
From: Maksim Fedotov
Date: Fri, 21 Nov 2025 20:03:01 +0300
Subject: [PATCH 2/2] remove double wildcard

Signed-off-by: Maksim Fedotov
---
 templates/cdi/cdi-operator/rbac-for-us.yaml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/templates/cdi/cdi-operator/rbac-for-us.yaml b/templates/cdi/cdi-operator/rbac-for-us.yaml
index 2ef29ec190..2f6bc7722b 100644
--- a/templates/cdi/cdi-operator/rbac-for-us.yaml
+++ b/templates/cdi/cdi-operator/rbac-for-us.yaml
@@ -221,12 +221,6 @@ rules:
   - clusterversions
   verbs:
   - get
-- apiGroups:
-  - cdi.internal.virtualization.deckhouse.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
 - apiGroups:
   - storage.deckhouse.io
   resources:
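Review bot: Because `  - cdi.internal.virtualization.deckhouse.io` survives as a context line between `- apiGroups:` and `  - upload.cdi.kubevirt.io`, the new side appears to be a single rule granting `resources: ['*']` and `verbs: ['*']` over both API groups, replacing thirteen named resources and seven named verbs; `'*'` verbs additionally cover `deletecollection`, which the removed lists never granted, and `'*'` resources cover every subresource and any CRD later added to these groups. Nothing in the template records why this superset is required (cdi-operator must itself hold what it grants in the ClusterRoles it creates, as the .dmtlint.yaml comment explains), so add that above the rule, e.g. `# Wildcard is intentional: cdi-operator creates ClusterRoles with wildcards on these groups, and RBAC escalation prevention requires it to hold those permissions itself.` If the upstream CDI ClusterRole's resource list is known, enumerating that superset instead of `'*'` would keep the linter check meaningful. The `rules:` list this rule belongs to starts before the hunk.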