chore(core): fix RBAC for cdi-operator (#1729)

nevermarine · web-flow · commit 7375bfaf4884 · 2025-11-22T12:07:11.000+03:00
Signed-off-by: Maksim Fedotov &lt;maksim.fedotov@flant.com&gt;
diff --git a/.dmtlint.yaml b/.dmtlint.yaml
@@ -13,11 +13,13 @@ linters-settings:
         - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.contentType"
   rbac:
     exclude-rules:
-      # We exclude RBAC rules for virt-operator because it creates ClusterRoles and ClusterRoleBindings with wildcards.
-      # If we remove wildcard, virt-operator will be unable to create them, as it does not have wildcard permissions itself.
+      # We exclude RBAC rules for virt-operator and cdi-operator because they create ClusterRoles and ClusterRoleBindings with wildcards.
+      # If we remove wildcard, virt-operator and cdi-operator will be unable to create them, as they do not have wildcard permissions themselves.
       wildcards:
         - kind: ClusterRole
           name: d8:virtualization:kubevirt-operator
+        - kind: ClusterRole
+          name: d8:containerized-data-importer:cdi-operator
 
       # We exclude RBAC rules for CDI and Kubevirt resources because they are used by upstream deployments.
       # Changing these rules will require patching upstream code.
diff --git a/templates/cdi/cdi-operator/rbac-for-us.yaml b/templates/cdi/cdi-operator/rbac-for-us.yaml
@@ -41,40 +41,11 @@ rules:
     - delete
 - apiGroups:
     - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationcdiconfigs
-    - internalvirtualizationcdis
-    - internalvirtualizationcdis/finalizers
-    - internalvirtualizationdataimportcrons
-    - internalvirtualizationdatasources
-    - internalvirtualizationdatavolumes
-    - internalvirtualizationobjecttransfers
-    - internalvirtualizationstorageprofiles
-    - internalvirtualizationvolumeclonesources
-    - internalvirtualizationvolumeimportsources
-    - internalvirtualizationvolumeuploadsources
-    - internalvirtualizationopenstackvolumepopulators
-    - internalvirtualizationovirtvolumepopulators
-  verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - patch
-    - delete
-- apiGroups:
     - upload.cdi.kubevirt.io
   resources:
-    - uploadtokenrequests
+    - '*'
   verbs:
-    - get
-    - list
-    - watch
-    - create
-    - update
-    - patch
-    - delete
+    - '*'
 - apiGroups:
     - admissionregistration.k8s.io
   resources:
