12 changes: 12 additions & 0 deletions api/hypershift/v1beta1/hostedcluster_conditions.go
@@ -122,6 +122,15 @@ const (
// performance degradation due to fragmentation of the double encapsulation in ovn-kubernetes
ValidKubeVirtInfraNetworkMTU ConditionType = "ValidKubeVirtInfraNetworkMTU"

// ValidKubeVirtInfraNetworkPolicyRBAC indicates whether the external infra
// kubeconfig has sufficient permissions to create/update the virt-launcher network policy
// on the infrastructure cluster. This covers both reading the
// cluster network configuration (networks.config.openshift.io) for CIDR-
// based egress blocking and creating/updating NetworkPolicy resources in
// the infra namespace. When false, tenant isolation may be weaker: the
// NetworkPolicy may be missing or lack CIDR-based egress restrictions.
ValidKubeVirtInfraNetworkPolicyRBAC ConditionType = "ValidKubeVirtInfraNetworkPolicyRBAC"

// KubeVirtNodesLiveMigratable indicates if all nodes (VirtualMachines) of the kubevirt
// hosted cluster can be live migrated without experiencing a node restart
KubeVirtNodesLiveMigratable ConditionType = "KubeVirtNodesLiveMigratable"
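Review bot: the doc comment on ValidKubeVirtInfraNetworkPolicyRBAC should state what happens to the hosted cluster when the condition is False. It describes the weakened tenant isolation (NetworkPolicy missing or without CIDR-based egress restrictions) but not that reconciliation continues in that degraded state rather than stopping, so a reader cannot tell whether False is a hard failure or a warning. One sentence along the lines of "The hosted cluster keeps reconciling in this state; restore the missing permissions to regain full isolation." would make the fail-open behaviour explicit. It would also help to mention that the read-failure and create-failure cases are distinguished by separate reasons, since those constants live in a different block.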
@@ -279,6 +288,9 @@ const (
InvalidIdentityProvider = "InvalidIdentityProvider"
PayloadArchNotFoundReason = "PayloadArchNotFound"

InfraClusterNetworkReadFailedReason = "InfraClusterNetworkReadFailed"
InfraClusterNetworkPolicyCreateFailedReason = "InfraClusterNetworkPolicyCreateFailed"

InvalidIAMRoleReason = "InvalidIAMRole"

InvalidAzureCredentialsReason = "InvalidAzureCredentials"
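Review bot: a short comment above the two new reasons naming the condition they belong to (ValidKubeVirtInfraNetworkPolicyRBAC) would help, since nothing in this block ties InfraClusterNetworkReadFailed and InfraClusterNetworkPolicyCreateFailed to it and the condition type is defined 150 lines earlier. Keeping them as two distinct reasons is right: a read failure leaves a NetworkPolicy without CIDR-based egress blocking, while a create failure leaves no NetworkPolicy at all, and consumers should be able to alert on those differently.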
53 changes: 51 additions & 2 deletions docs/content/how-to/kubevirt/external-infrastructure.md
@@ -63,13 +63,19 @@ The user or service account used in the provided kubeconfig should have full per
* `endpointslices`
* `endpointslices/restricted`
* `routes`
* `networkpolicies`
The user or service account used in the provided kubeconfig should also have get/create/delete permissions over the following resources:
* `volumesnapshots`
As well as get permission for:
As well as get/create/update permission for:
* `events`
And get permission for:
* `persistentvolumeclaims`

All of these permissions are needed only on the target namespace on the infra cluster (passed through the `--infra-namespace` command-line argument).
This can be achieved by binding the following Role to the user used in the external infra kubeconfig:

In addition, the HyperShift operator reads the infrastructure cluster's network configuration (`networks.config.openshift.io`) to build a virt-launcher NetworkPolicy that blocks egress to the infra cluster's internal pod/service networks. This resource is **cluster-scoped**, so it requires a separate ClusterRole and ClusterRoleBinding (see below). If this permission is not granted, the NetworkPolicy is still created but without CIDR-based egress blocking, and a `ValidKubeVirtInfraNetworkPolicyRBAC=False` condition is set on the HostedCluster along with a warning event in the infrastructure cluster namespace.

This can be achieved by binding the following Role **and** ClusterRole to the user used in the external infra kubeconfig:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
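Review bot: the new paragraph should spell out the consequence of the fallback. It says that without the `networks.config.openshift.io` permission the NetworkPolicy is still created but without CIDR-based egress blocking; the reader needs the next step, namely that virt-launcher pods on the infra cluster are then not prevented from reaching the infra cluster's internal pod and service networks, otherwise the `ValidKubeVirtInfraNetworkPolicyRBAC=False` condition and warning event read as cosmetic. Separately, the `events` verbs change from get to get/create/update appears only in the list; a half-sentence noting it is needed to emit that warning event would connect the two.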
@@ -117,6 +123,20 @@ rules:
- secrets
verbs:
- '*'
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- '*'
- apiGroups:
- ''
resources:
- events
verbs:
- get
- create
- update
- apiGroups:
- snapshot.storage.k8s.io
resources:
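Review bot: the `networkpolicies` rule grants `'*'`, which is broader than the create/update the operator performs on the virt-launcher NetworkPolicy. The `events` rule in the same hunk lists explicit verbs, so listing the verbs the reconciler actually uses here (create, update, and get/list/watch if the createOrUpdate path reads the object first) would keep the Role at least privilege. If the wildcard is deliberate, a comment saying why would save the next reviewer the question.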
@@ -132,3 +152,32 @@ rules:
verbs:
- get
```

For full virt-launcher network isolation, also create a ClusterRole and ClusterRoleBinding
to allow reading the infrastructure cluster's network configuration:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kv-external-infra-network-reader
rules:
- apiGroups:
- config.openshift.io
resources:
- networks
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kv-external-infra-network-reader-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kv-external-infra-network-reader
subjects:
- kind: ServiceAccount
name: hcp-infra-sa
namespace: clusters-example
```
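Review bot: two tightening suggestions for the ClusterRole. The OpenShift cluster network configuration is a single object named `cluster`, so adding `resourceNames: [cluster]` to the rule scopes the grant to that object rather than to every `networks.config.openshift.io` resource (`get` honours resourceNames). And the subject (`hcp-infra-sa` in `clusters-example`) is a sample; the docs should say these are placeholders to replace with the identity used in the external infra kubeconfig, the same subject the namespaced Role above is bound to.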
62 changes: 60 additions & 2 deletions docs/content/reference/aggregated-docs.md


9 changes: 9 additions & 0 deletions docs/content/reference/api.md


@@ -2039,6 +2039,14 @@ func (r *HostedClusterReconciler) reconcile(ctx context.Context, req ctrl.Reques
// Reconcile platform specific items
switch hcluster.Spec.Platform.Type {
case hyperv1.KubevirtPlatform:
if hcluster.Spec.Platform.Kubevirt != nil && hcluster.Spec.Platform.Kubevirt.Credentials != nil {
if err := r.Client.Status().Update(ctx, hcluster); err != nil {
if apierrors.IsConflict(err) {
return ctrl.Result{Requeue: true}, nil
}
return ctrl.Result{}, fmt.Errorf("failed to update status after network policy RBAC check: %w", err)
}
}
err = r.reconcileKubevirtCSIClusterRBAC(ctx, createOrUpdate, hcluster)
if err != nil {
return ctrl.Result{}, fmt.Errorf("failed to reconcile kubevirt CSI cluster wide RBAC: %w", err)
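Review bot: `r.Client.Status().Update(ctx, hcluster)` persists whatever conditions hcluster carries at this point, but nothing in the hunk sets `ValidKubeVirtInfraNetworkPolicyRBAC` before it; if the RBAC check runs earlier, outside the shown context, that is fine, otherwise this write is a no-op. A full status Update mid-reconcile also overwrites conditions written concurrently by other paths, and the conflict branch only requeues; a status Patch limited to this condition would avoid both problems. Finally, the non-conflict error path returns an empty ctrl.Result, so a persistent status-write error stops `reconcileKubevirtCSIClusterRBAC` on the next line from running; confirm that ordering is intended given the docs describe the RBAC failure as a degraded-but-running state.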