
fix(hypershift-kubevirt): grant networkpolicies RBAC to external infra SA#79081

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from orenc1:fix_hs_kv_external_netpol_rbac
May 12, 2026

Conversation

@orenc1

@orenc1 orenc1 commented May 11, 2026


The hypershift-operator now creates a virt-launcher NetworkPolicy on the external infrastructure cluster to enforce network isolation for KubeVirt guest VMs (openshift/hypershift#8056, OCPBUGS-78575). A new ValidKubeVirtInfraNetworkPolicyRBAC condition was added that requires the external infra service account to have networking.k8s.io/networkpolicies permissions.

The CI step that provisions the restricted infra kubeconfig was not updated to include this permission, so the e2e-hypershift-kubevirt job fails with:

  networkpolicies.networking.k8s.io "virt-launcher" is forbidden:
  User "system:serviceaccount:guest-external-infra-ns:kv-external-infra-sa"
  cannot get resource "networkpolicies" in API group "networking.k8s.io"

Add networking.k8s.io/networkpolicies with full verbs to the kv-external-infra-role so the operator can manage the virt-launcher NetworkPolicy on the infra cluster.

KubeVirt external infrastructure RBAC update (openshift/release CI)

What changed: The CI step that creates the external infra kubeconfig for hypershift-kubevirt (ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh) now grants the kv-external-infra service account additional RBAC:

  • Adds a Role rule allowing full verbs ("*") on networking.k8s.io/networkpolicies in the external infra namespace so the hypershift operator can create/manage the virt-launcher NetworkPolicy.
  • Adds a ClusterRole (kv-external-infra-network-reader) and ClusterRoleBinding giving the same service account get access to config.openshift.io/networks (used for CIDR-based egress rules).

Why it matters: The hypershift operator was updated to enforce network isolation for KubeVirt VMs by creating virt-launcher NetworkPolicy objects on the external infra cluster. A new ValidKubeVirtInfraNetworkPolicyRBAC validation requires the external infra service account to have networkpolicy permissions; the previous CI-provisioned restricted kubeconfig lacked them, causing e2e-hypershift-kubevirt runs to fail with forbidden errors.

Impact: Aligns the CI-provisioned infra kubeconfig's permissions with operator runtime needs and fixes the e2e-hypershift-kubevirt test failures by enabling the operator to manage NetworkPolicies and read cluster network configuration.

@coderabbitai

coderabbitai Bot commented May 11, 2026


Walkthrough

The external-infra service account's Role is extended to allow full access to networkpolicies (API group networking.k8s.io), and a new cluster-scoped ClusterRole plus ClusterRoleBinding (kv-external-infra-network-reader) grant the same service account get access to networks in config.openshift.io.

Changes

External-Infra RBAC Changes

Layer / File(s) / Summary

Role rule addition
  File: ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh
  Summary: Adds a Role rule granting verbs: '*' on networkpolicies (API group networking.k8s.io) for the kv-external-infra-sa in ${EXTERNAL_INFRA_NS}.

ClusterRole definition
  File: ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh
  Summary: Introduces a cluster-scoped ClusterRole named kv-external-infra-network-reader with get on networks (API group config.openshift.io).

ClusterRoleBinding
  File: ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh
  Summary: Creates a ClusterRoleBinding binding kv-external-infra-network-reader to ${SA_NAME} in ${EXTERNAL_INFRA_NS}, allowing the service account to read the OpenShift networks cluster config.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: granting networkpolicies RBAC to the external infrastructure service account, which directly addresses the core issue in the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 11, 2026
@openshift-ci openshift-ci Bot requested review from nirarg and nunnatsa May 11, 2026 06:49
@orenc1

orenc1 commented May 11, 2026


/pj-rehearse pull-ci-openshift-cluster-api-provider-kubevirt-release-4.22-e2e-hypershift-kubevirt

@openshift-merge-bot


@orenc1: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

…a SA

The hypershift-operator now creates a virt-launcher NetworkPolicy on
the external infrastructure cluster to enforce network isolation for
KubeVirt guest VMs (openshift/hypershift#8056, OCPBUGS-78575). A new
ValidKubeVirtInfraNetworkPolicyRBAC condition was added that requires
the external infra service account to have networking.k8s.io/networkpolicies
permissions and cluster-scoped read access to networks.config.openshift.io
for CIDR-based egress rules.

The CI step that provisions the restricted infra kubeconfig was not
updated to include these permissions, so the e2e-hypershift-kubevirt
job fails with forbidden errors when the operator attempts to manage
the virt-launcher NetworkPolicy and read cluster network configuration.

Add networking.k8s.io/networkpolicies with full verbs to the
kv-external-infra-role, and create a ClusterRole+ClusterRoleBinding
granting get access to networks.config.openshift.io so the operator
can build CIDR-based egress restrictions for full tenant isolation.

Signed-off-by: Oren Cohen <ocohen@redhat.com>
Assisted-by: Claude <noreply@anthropic.com>
@orenc1 orenc1 force-pushed the fix_hs_kv_external_netpol_rbac branch from cf5a16d to c777e86 Compare May 11, 2026 11:57
@openshift-merge-bot


[REHEARSALNOTIFIER]
@orenc1: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-cluster-api-provider-kubevirt-main-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-5.1-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-5.0-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.23-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.22-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.21-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.20-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.19-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.18-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.17-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.16-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.15-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-cluster-api-provider-kubevirt-release-4.14-e2e-hypershift-kubevirt openshift/cluster-api-provider-kubevirt presubmit Registry content changed
pull-ci-openshift-hypershift-main-e2e-kubevirt-aws-ovn-reduced openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-main-e2e-kubevirt-aws-ovn openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-5.1-e2e-kubevirt-aws-ovn-reduced openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-5.1-e2e-kubevirt-aws-ovn openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-5.0-e2e-kubevirt-aws-ovn-reduced openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-5.0-e2e-kubevirt-aws-ovn openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-4.23-e2e-kubevirt-aws-ovn-reduced openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-4.23-e2e-kubevirt-aws-ovn openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-4.22-e2e-kubevirt-aws-ovn-reduced openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-4.22-e2e-kubevirt-aws-ovn openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-4.21-e2e-kubevirt-aws-ovn-reduced openshift/hypershift presubmit Registry content changed
pull-ci-openshift-hypershift-release-4.21-e2e-kubevirt-aws-ovn openshift/hypershift presubmit Registry content changed

A total of 61 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@orenc1

orenc1 commented May 11, 2026


/pj-rehearse pull-ci-openshift-cluster-api-provider-kubevirt-release-4.22-e2e-hypershift-kubevirt

@openshift-merge-bot


@orenc1: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh`:
- Around line 140-152: The ClusterRoleBinding uses a fixed cluster-scoped name
(kv-external-infra-network-reader-binding) which causes different runs with
different EXTERNAL_INFRA_NS to clobber each other; update the ClusterRoleBinding
metadata.name to include the EXTERNAL_INFRA_NS (for example append or
interpolate ${EXTERNAL_INFRA_NS}) so the binding becomes unique per external
infra namespace, and ensure any references to that binding name (if any
elsewhere in the script) are updated accordingly; keep the subjects
(ServiceAccount name ${SA_NAME} and namespace ${EXTERNAL_INFRA_NS}) and roleRef
unchanged.

📥 Commits

Reviewing files that changed from the base of the PR and between cf5a16d and c777e86.

📒 Files selected for processing (1)
  • ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh

Comment on lines +140 to +152
oc apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kv-external-infra-network-reader-binding
subjects:
  - kind: ServiceAccount
    name: ${SA_NAME}
    namespace: ${EXTERNAL_INFRA_NS}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kv-external-infra-network-reader



⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find where this step is referenced and whether EXTERNAL_INFRA_NS is overridden.
rg -n -C3 'hypershift-kubevirt-install-create-external-infra-kubeconfig|EXTERNAL_INFRA_NS' ci-operator

# Confirm the binding name is currently fixed.
rg -n -C2 'kv-external-infra-network-reader-binding' ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh

Repository: openshift/release

Length of output: 16988


🏁 Script executed:

# Check if there are any other chains or workflows that might use this step with different EXTERNAL_INFRA_NS
rg -n "hypershift-kubevirt-install-create-external-infra-kubeconfig" ci-operator --type yaml

# Look for any test configurations or multi-run scenarios
fd -e yaml -e yml ci-operator | xargs grep -l "EXTERNAL_INFRA_NS" | head -20

Repository: openshift/release

Length of output: 715


🏁 Script executed:

# Find all jobs/tests that reference the chain containing this step
rg -n "hypershift-kubevirt-run-e2e-external" ci-operator --type yaml -A 5 -B 5

# Check if EXTERNAL_INFRA_NS is ever overridden in any job configs
rg -n "EXTERNAL_INFRA_NS" ci-operator --type yaml | grep -v "default:" | head -30

Repository: openshift/release

Length of output: 9375


🏁 Script executed:

# Search for any job configs that might override EXTERNAL_INFRA_NS
fd -e yaml ci-operator/config | xargs grep -l "EXTERNAL_INFRA_NS" 2>/dev/null | head -20

# If found, show the context
fd -e yaml ci-operator/config | xargs grep -B5 -A5 "EXTERNAL_INFRA_NS" 2>/dev/null | head -50

Repository: openshift/release

Length of output: 817


🏁 Script executed:

# Search in the correct directory
find ci-operator/config -name "*.yaml" -exec grep -l "EXTERNAL_INFRA_NS" {} \; 2>/dev/null | head -20

# Show the context
find ci-operator/config -name "*.yaml" -exec grep -B3 -A3 "EXTERNAL_INFRA_NS" {} + 2>/dev/null | head -80

Repository: openshift/release

Length of output: 43


🏁 Script executed:

# Check if there are any comments or documentation about reusing the same infra cluster
rg -i "shared.*infra|reuse.*infra|multi.*run" ci-operator/step-registry/hypershift/kubevirt --type yaml --type sh -B2 -A2

# Look at the actual script to understand the scope better
cat ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh

Repository: openshift/release

Length of output: 3751


Include EXTERNAL_INFRA_NS in the ClusterRoleBinding name to prevent cross-run clobbering.

The ClusterRoleBinding kv-external-infra-network-reader-binding is cluster-scoped with a fixed name. When this step runs multiple times against the same infra cluster with different EXTERNAL_INFRA_NS values, the second run overwrites the first run's binding, breaking its permissions.

Proposed change
+CRB_NAME="kv-external-infra-network-reader-binding-${EXTERNAL_INFRA_NS}"

 oc apply -f - <<EOF
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kv-external-infra-network-reader-binding
+  name: ${CRB_NAME}
 subjects:
   - kind: ServiceAccount
     name: ${SA_NAME}
     namespace: ${EXTERNAL_INFRA_NS}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: kv-external-infra-network-reader
 EOF
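Review bot: the per-namespace name stops one run from overwriting another's subjects, but it also means each run leaves a cluster-scoped `kv-external-infra-network-reader-binding-${EXTERNAL_INFRA_NS}` behind, because cluster-scoped objects are not removed when the namespace in `subjects` is deleted; add a matching `oc delete clusterrolebinding "${CRB_NAME}"` to whatever tears down `${EXTERNAL_INFRA_NS}` so stale bindings pointing at deleted ServiceAccounts do not accumulate on a shared infra cluster. The ClusterRole in `roleRef` can keep its fixed name, since every run applies the same single `get` rule on `networks.config.openshift.io` and re-applying it is idempotent.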

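As an added example (not the CI script's or the hypershift operator's code), a small Python model of the grants described in the PR description and of the cross-run clobbering raised in the review comment above: `apply` mimics `oc apply` replacing by name, `can_i` is a simplified `oc auth can-i`, and the RoleBinding name and the second namespace are constructed for the example.

```python
SA_NAME = "kv-external-infra-sa"


def sa_user(ns):
    return f"system:serviceaccount:{ns}:{SA_NAME}"


def apply(store, obj):
    # Mimics `oc apply`: keyed by (kind, namespace, name), so a second object
    # with the same key silently replaces the first.
    store[(obj["kind"], obj["namespace"], obj["name"])] = obj


def external_infra_rbac(ns, per_ns_binding, with_netpol_rule=True):
    """Grants from the PR: Role rule with all verbs on networkpolicies in `ns`,
    plus ClusterRole/ClusterRoleBinding giving `get` on networks.config.openshift.io.
    The RoleBinding name is an assumption (the PR does not show it)."""
    rules = [{"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies"],
              "verbs": ["*"]}] if with_netpol_rule else []
    crb = "kv-external-infra-network-reader-binding" + (f"-{ns}" if per_ns_binding else "")
    return [
        {"kind": "Role", "namespace": ns, "name": "kv-external-infra-role", "rules": rules},
        {"kind": "RoleBinding", "namespace": ns, "name": "kv-external-infra-rb",
         "roleRef": ("Role", ns, "kv-external-infra-role"), "subjects": [sa_user(ns)]},
        {"kind": "ClusterRole", "namespace": None, "name": "kv-external-infra-network-reader",
         "rules": [{"apiGroups": ["config.openshift.io"], "resources": ["networks"],
                    "verbs": ["get"]}]},
        {"kind": "ClusterRoleBinding", "namespace": None, "name": crb,
         "roleRef": ("ClusterRole", None, "kv-external-infra-network-reader"),
         "subjects": [sa_user(ns)]},
    ]


def can_i(store, user, verb, group, resource, ns=None):
    """Simplified `oc auth can-i`: allowed if a binding naming `user` points at a
    role with a matching rule. RoleBindings count only in their own namespace;
    ClusterRoleBindings count everywhere, including for cluster-scoped resources."""
    for obj in store.values():
        if "subjects" not in obj or user not in obj["subjects"]:
            continue
        if obj["kind"] == "RoleBinding" and obj["namespace"] != ns:
            continue
        role = store.get(obj["roleRef"])
        for rule in (role["rules"] if role else []):
            if (group in rule["apiGroups"] and resource in rule["resources"]
                    and ("*" in rule["verbs"] or verb in rule["verbs"])):
                return True
    return False


def operator_checks(ns, per_ns_binding=True, with_netpol_rule=True):
    """What the ValidKubeVirtInfraNetworkPolicyRBAC condition needs after one CI run."""
    store = {}
    for obj in external_infra_rbac(ns, per_ns_binding, with_netpol_rule):
        apply(store, obj)
    user = sa_user(ns)
    return {
        "get networkpolicies": can_i(store, user, "get", "networking.k8s.io", "networkpolicies", ns),
        "create networkpolicies": can_i(store, user, "create", "networking.k8s.io", "networkpolicies", ns),
        "get networks": can_i(store, user, "get", "config.openshift.io", "networks"),
    }


def first_run_survives_second(per_ns_binding):
    """Two runs on the same infra cluster with different EXTERNAL_INFRA_NS (the
    second namespace is constructed): does run 1's SA keep `get networks`?"""
    store = {}
    for ns in ("guest-external-infra-ns", "guest-external-infra-ns-2"):
        for obj in external_infra_rbac(ns, per_ns_binding):
            apply(store, obj)
    return can_i(store, sa_user("guest-external-infra-ns"), "get", "config.openshift.io", "networks")
```

With `with_netpol_rule=False` the model reproduces the forbidden `get networkpolicies` from the PR description, and `first_run_survives_second(False)` reproduces the clobbering: the fixed binding name leaves only the second namespace's ServiceAccount as a subject.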
@orenc1

orenc1 commented May 11, 2026


/pj-rehearse pull-ci-openshift-cluster-api-provider-kubevirt-release-4.22-e2e-hypershift-kubevirt

@openshift-merge-bot


@orenc1: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci

openshift-ci Bot commented May 11, 2026


@orenc1: all tests passed!


@orenc1

orenc1 commented May 12, 2026


/pj-rehearse ack

@openshift-merge-bot


@orenc1: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 12, 2026
@qinqon

qinqon commented May 12, 2026


/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 12, 2026
@openshift-ci

openshift-ci Bot commented May 12, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: orenc1, qinqon


@openshift-merge-bot openshift-merge-bot Bot merged commit 2d8c49e into openshift:main May 12, 2026
11 checks passed
@orenc1 orenc1 deleted the fix_hs_kv_external_netpol_rbac branch May 12, 2026 17:02
mhanss pushed a commit to mhanss/release that referenced this pull request May 26, 2026
…a SA (openshift#79081)
