Skip to content

CORE-12219: Add kubevirt.io RBAC to CNI plugin for KubeVirt IPAM #4477

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
skoryk-oleksandr merged 3 commits into from
Mar 3, 2026
+36 −3
Merged

CORE-12219: Add kubevirt.io RBAC to CNI plugin for KubeVirt IPAM #4477

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0ef1e69
CORE-12219: Add kubevirt.io RBAC to CNI plugin for KubeVirt IPAM
skoryk-oleksandr Feb 25, 2026
c8d98a8
CORE-12219: Adjust kubevirt.io RBAC for CNI plugin and Kubecontrollers
skoryk-oleksandr Feb 25, 2026
be2641e
CORE-12219: Update RBAC permissions for IPAM GC controller to include…
skoryk-oleksandr Mar 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions pkg/render/kubecontrollers/kube-controllers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -379,6 +379,12 @@ func kubeControllersRoleCommonRules(cfg *KubeControllersConfiguration) []rbacv1.
},
Verbs: []string{"get", "list", "watch", "create", "update", "delete"},
},
{
// The IPAM GC controller uses informers to list/watch KubeVirt VMs/VMIs for IP garbage collection.
APIGroups: []string{"kubevirt.io"},
Resources: []string{"virtualmachineinstances", "virtualmachines"},
Verbs: []string{"get", "list", "watch"},
},
}

if cfg.Installation.KubernetesProvider.IsOpenShift() {
Expand Down
19 changes: 16 additions & 3 deletions pkg/render/kubecontrollers/kube-controllers_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,19 @@ var _ = Describe("kube-controllers rendering tests", func() {
}))
})

It("should include kubevirt.io RBAC rules in calico-kube-controllers ClusterRole", func() {
component := kubecontrollers.NewCalicoKubeControllers(&cfg)
Expect(component.ResolveImages(nil)).To(BeNil())
resources, _ := component.Objects()

role := rtest.GetResource(resources, "calico-kube-controllers", "", "rbac.authorization.k8s.io", "v1", "ClusterRole").(*rbacv1.ClusterRole)
Expect(role.Rules).To(ContainElement(rbacv1.PolicyRule{
APIGroups: []string{"kubevirt.io"},
Resources: []string{"virtualmachineinstances", "virtualmachines"},
Verbs: []string{"get", "list", "watch"},
}))
})

It("should render all resources for a custom configuration", func() {
expectedResources := []struct {
name string
Expand Down Expand Up @@ -252,7 +265,7 @@ var _ = Describe("kube-controllers rendering tests", func() {
Expect(len(dp.Spec.Template.Spec.Volumes)).To(Equal(1))

clusterRole := rtest.GetResource(resources, kubecontrollers.KubeControllerRole, "", "rbac.authorization.k8s.io", "v1", "ClusterRole").(*rbacv1.ClusterRole)
Expect(clusterRole.Rules).To(HaveLen(24), "cluster role should have 24 rules")
Expect(clusterRole.Rules).To(HaveLen(25), "cluster role should have 25 rules")

ms := rtest.GetResource(resources, kubecontrollers.KubeControllerMetrics, common.CalicoNamespace, "", "v1", "Service").(*corev1.Service)
Expect(ms.Spec.ClusterIP).To(Equal("None"), "metrics service should be headless")
Expand Down Expand Up @@ -339,7 +352,7 @@ var _ = Describe("kube-controllers rendering tests", func() {
Expect(dp.Spec.Template.Spec.Volumes[0].ConfigMap.Name).To(Equal("tigera-ca-bundle"))

clusterRole := rtest.GetResource(resources, kubecontrollers.EsKubeControllerRole, "", "rbac.authorization.k8s.io", "v1", "ClusterRole").(*rbacv1.ClusterRole)
Expect(clusterRole.Rules).To(HaveLen(22), "cluster role should have 22 rules")
Expect(clusterRole.Rules).To(HaveLen(23), "cluster role should have 23 rules")
Expect(clusterRole.Rules).To(ContainElement(
rbacv1.PolicyRule{
APIGroups: []string{""},
Expand Down Expand Up @@ -550,7 +563,7 @@ var _ = Describe("kube-controllers rendering tests", func() {
Expect(dp.Spec.Template.Spec.Containers[0].Image).To(Equal("test-reg/tigera/kube-controllers:" + components.ComponentTigeraKubeControllers.Version))

clusterRole := rtest.GetResource(resources, kubecontrollers.EsKubeControllerRole, "", "rbac.authorization.k8s.io", "v1", "ClusterRole").(*rbacv1.ClusterRole)
Expect(clusterRole.Rules).To(HaveLen(22), "cluster role should have 22 rules")
Expect(clusterRole.Rules).To(HaveLen(23), "cluster role should have 23 rules")
Expect(clusterRole.Rules).To(ContainElement(
rbacv1.PolicyRule{
APIGroups: []string{""},
Expand Down
6 changes: 6 additions & 0 deletions pkg/render/node.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -633,6 +633,12 @@ func (c *nodeComponent) cniPluginRole() *rbacv1.ClusterRole {
},
Verbs: []string{"get", "list", "create", "update", "delete"},
},
{
// The CNI plugin reads KubeVirt resources for IPAM of KubeVirt workloads.
APIGroups: []string{"kubevirt.io"},
Resources: []string{"virtualmachineinstances", "virtualmachines"},
Verbs: []string{"get"},
},
},
}
return role
Expand Down
8 changes: 8 additions & 0 deletions pkg/render/node_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,14 @@ var _ = Describe("Node rendering tests", func() {
i++
}

// calico-cni-plugin clusterRole should have kubevirt.io PolicyRule for IPAM of KubeVirt workloads.
cniRole := rtest.GetResource(resources, "calico-cni-plugin", "", "rbac.authorization.k8s.io", "v1", "ClusterRole").(*rbacv1.ClusterRole)
Expect(cniRole.Rules).To(ContainElement(rbacv1.PolicyRule{
APIGroups: []string{"kubevirt.io"},
Resources: []string{"virtualmachineinstances", "virtualmachines"},
Verbs: []string{"get"},
}))

// Check CNI configmap.
cniCmResource := rtest.GetResource(resources, "cni-config", "calico-system", "", "v1", "ConfigMap")
Expect(cniCmResource).ToNot(BeNil())
Expand Down
Loading