fix: Add ClusterRoleBinding for instancetype:view ClusterRole

[0xFelix]

What this PR does / why we need it:

This adds a ClusterRolebinding which grants every authorized user read
access to VirtualMachineCluster{Instancetype,Preference} CRs.

This allows unprivileged users to make use of
VirtualMachineCluster{Instancetypes,Preferences} by default.

Also previously the wrong constant for ClusterInstancetypes was used instead, so fix that.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes https://issues.redhat.com/browse/CNV-36300

Special notes for your reviewer:

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

• Design: A design document was considered and is present (link) or not required
• PR: The PR description is expressive enough and will help future contributors
• Code: Write code that humans can understand and Keep it simple
• Refactor: You have left the code cleaner than you found it (Boy Scout Rule)
• Upgrade: Impact of this change on upgrade flows was considered and addressed if required
• Testing: New code requires new unit tests. New features and bug fixes require at least on e2e test
• Documentation: A user-guide update was considered and is present (link) or not required. You want a user-guide update if it's a user facing feature / API change.
• Community: Announcement to kubevirt-dev was considered

Release note:

Allow unprivileged users read-only access to VirtualMachineCluster{Instancetypes,Preferences} by default.

[0xFelix]

/cc @tiraboschi
/cc @xpivarc

[0xFelix]

/retest

[fabiand]

@0xFelix please complete the checklist.

Why is this prefixed with "feat:" isn't it rather a fix to allow cluster ITs to be viewed?

[0xFelix]

IMO you could consider it both. Isn't it a feature to provide access to something which unprivileged users didn't have access to before by adding a new ClusterRoleBinding?

[fabiand]

I'd say that one of the inheritn goals of having ITs on the cluster level is to make them available to all usres (privileged or not) in order to align on this set of ITs.

IOW ITs which can not be accessed by unprivileged users seem to be useless.

[0xFelix]

Let's consider it a fix then.

[0xFelix]

/retest

[acardace]

Why don't you aggregate to the kubernetes view role like kubevirt.io:view does? This saves you from creating an additional binding.

[0xFelix]

Because the aggregated kubevirt.io:view role is bound with a RoleBinding, which does not grant access to cluster wide resources.

[0xFelix]

See #10437 for reference

[acardace]

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: acardace

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [acardace]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[0xFelix]

/cherry-pick release-1.1
/cherry-pick release-1.0

[kubevirt-bot]

@0xFelix: once the present PR merges, I will cherry-pick it on top of release-1.1 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.1
/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[0xFelix]

/cherry-pick release-1.0

[kubevirt-bot]

@0xFelix: once the present PR merges, I will cherry-pick it on top of release-1.0 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jcanocan]

Nice job @0xFelix! Thanks a lot!
/lgtm

[kubevirt-commenter-bot]

Required labels detected, running phase 2 presubmits:
/test pull-kubevirt-e2e-k8s-1.27-ipv6-sig-network

[0xFelix]

/retest

[0xFelix]

/retest

[kubevirt-bot]

@0xFelix: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubevirt-e2e-k8s-1.29-sig-compute	2d215db	link	unknown	/test pull-kubevirt-e2e-k8s-1.29-sig-compute
pull-kubevirt-e2e-k8s-1.27-sig-compute	2d215db	link	unknown	/test pull-kubevirt-e2e-k8s-1.27-sig-compute

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-bot]

@0xFelix: #11025 failed to apply on top of branch "release-1.1":

Applying: fix: Use correct constant in ClusterPreference access test
Applying: fix: Add ClusterRoleBinding for instancetype:view ClusterRole
Using index info to reconstruct a base tree...
M	pkg/virt-operator/kubevirt_test.go
M	pkg/virt-operator/resource/generate/rbac/cluster.go
M	pkg/virt-operator/resource/generate/rbac/cluster_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/virt-operator/resource/generate/rbac/cluster_test.go
Auto-merging pkg/virt-operator/resource/generate/rbac/cluster.go
CONFLICT (content): Merge conflict in pkg/virt-operator/resource/generate/rbac/cluster.go
Auto-merging pkg/virt-operator/kubevirt_test.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 fix: Add ClusterRoleBinding for instancetype:view ClusterRole
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.1
/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[kubevirt-bot]

@0xFelix: #11025 failed to apply on top of branch "release-1.0":

Applying: fix: Use correct constant in ClusterPreference access test
Applying: fix: Add ClusterRoleBinding for instancetype:view ClusterRole
Using index info to reconstruct a base tree...
M	pkg/virt-operator/kubevirt_test.go
M	pkg/virt-operator/resource/generate/rbac/cluster.go
A	pkg/virt-operator/resource/generate/rbac/cluster_test.go
M	tests/access_test.go
Falling back to patching base and 3-way merge...
Auto-merging tests/access_test.go
CONFLICT (modify/delete): pkg/virt-operator/resource/generate/rbac/cluster_test.go deleted in HEAD and modified in fix: Add ClusterRoleBinding for instancetype:view ClusterRole. Version fix: Add ClusterRoleBinding for instancetype:view ClusterRole of pkg/virt-operator/resource/generate/rbac/cluster_test.go left in tree.
Auto-merging pkg/virt-operator/resource/generate/rbac/cluster.go
CONFLICT (content): Merge conflict in pkg/virt-operator/resource/generate/rbac/cluster.go
Auto-merging pkg/virt-operator/kubevirt_test.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 fix: Add ClusterRoleBinding for instancetype:view ClusterRole
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[lyarwood]

/area instancetype

[0xFelix]

/cherry-pick release-1.1

[kubevirt-bot]

@0xFelix: new pull request created: #11077

In response to this:

/cherry-pick release-1.1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.