OCPBUGS-35387: rbac: Add network resources to cluster-reader role

[mattedallo]

Add read permissions (i.e. get, list, watch) for network-related resources to the cluster-reader ClusterRole aggregation. The resources are:

• egressrouters.network.operator.openshift.io
• network-attachment-definitions.k8s.cni.cncf.io
• networks.operator.openshift.io

Fixes: OCPBUGS-35387

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[mattedallo]

/retest

[openshift-ci-robot]

@mattedallo: This pull request references Jira Issue OCPBUGS-35387, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Add read permissions (i.e. get, list, watch) for network-related resources to the cluster-reader ClusterRole aggregation. The resources are:

• egressrouters.network.operator.openshift.io
• network-attachment-definitions.k8s.cni.cncf.io
• networks.operator.openshift.io

Fixes: OCPBUGS-35387

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mattedallo]

/jira refresh

[openshift-ci-robot]

@mattedallo: This pull request references Jira Issue OCPBUGS-35387, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mattedallo]

/retest-required

[pliurh]

@mattedallo did you check if the cluster-reader role gets the permissions in an OCP cluster with the patch?

[mattedallo]

Hi @pliurh , Yes I tested it.
Let me paste the tests I made here and in the bug:

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.0-0.nightly-2025-10-22-141259   True        False         4m58s   Cluster version is 4.19.0-0.nightly-2025-10-22-141259


$ oc new-project test-project
Now using project "test-project" on server "https://api.ci-ln-9wmpp2t-76ef8.origin-ci-int-aws.dev.rhcloud.com:6443".

$ oc create sa test-user -n test-project
serviceaccount/test-user created


$ oc auth can-i list network-attachment-definitions.k8s.cni.cncf.io --as=system:serviceaccount:test-project:test-user
no

$ oc auth can-i list egressrouters.network.operator.openshift.io --as=system:serviceaccount:test-project:test-user
no

$ oc auth can-i list networks.operator.openshift.io --as=system:serviceaccount:test-project:test-user
Warning: resource 'networks' is not namespace scoped in group 'operator.openshift.io'

no


$ oc adm policy add-cluster-role-to-user cluster-reader -z test-user -n test-project
clusterrole.rbac.authorization.k8s.io/cluster-reader added: "test-user"

$ oc auth can-i list network-attachment-definitions.k8s.cni.cncf.io --as=system:serviceaccount:test-project:test-user
yes

$ oc auth can-i list egressrouters.network.operator.openshift.io --as=system:serviceaccount:test-project:test-user
yes

$ oc auth can-i list networks.operator.openshift.io --as=system:serviceaccount:test-project:test-user
Warning: resource 'networks' is not namespace scoped in group 'operator.openshift.io'

yes

[mattedallo]

/retest

[arkadeepsen]

The bug description mentions other CRDs as well. Shouldn't the other CRDs also be included?

We shall grant permissions to the view default role for network CRDs:
- adminnetworkpolicies.policy.networking.k8s.io
- baselineadminnetworkpolicies.policy.networking.k8s.io
- clusternetworks.network.openshift.io
- egressnetworkpolicies.network.openshift.io
- egressrouters.network.operator.openshift.io
- hostsubnets.network.openshift.io
- netnamespaces.network.openshift.io
- network-attachment-definitions.k8s.cni.cncf.io
- networks.operator.openshift.io

[mattedallo]

I left a comment on the bug about this.

I will share it also here, let me know your thoughts :

"""

The following resources from the original ticket were intentionally excluded from the cluster-reader permissions in the main branch commit:

• clusternetworks.network.openshift.io
• egressnetworkpolicies.network.openshift.io
• hostsubnets.network.openshift.io
• netnamespaces.network.openshift.io

Rationale

These resources are deprecated as they are exclusively used by OpenShift SDN, which is no longer supported in current releases. This is documented in the API definitions:

// ClusterNetwork was used by OpenShift SDN.
// DEPRECATED: OpenShift SDN is no longer supported and this object is no longer used in any way by OpenShift.

Codebase Analysis

A thorough analysis of the cluster-network-operator codebase confirms these resources are only referenced in:

1. OpenShift SDN implementation code
   - pkg/network/openshift_sdn.go - Creates ClusterNetwork objects for SDN
   - bindata/network/openshift-sdn/002-rbac.yaml - SDN RBAC permissions
   - bindata/network/openshift-sdn/003-rbac-controller.yaml - SDN controller RBAC
2. Network type migration code (SDN ↔ OVN transitions)
   - pkg/controller/operconfig/migration.go - Handles live migration scenarios
3. Test files
   - Various test files in pkg/ directory

No references exist in core OVN-Kubernetes functionality, confirming these resources are not needed for normal OVN-Kubernetes operation.

Backporting Plan

For backports to release-4.16 and earlier versions that still support OpenShift SDN, these resources will be included in the cluster-reader permissions to maintain compatibility with clusters running OpenShift SDN.

Resources Actually Added

The commit correctly added the following non-deprecated network resources to cluster-reader:

• egressrouters.network.operator.openshift.io
• networks.operator.openshift.io
• network-attachment-definitions.k8s.cni.cncf.io

"""

[arkadeepsen]

/lgtm

/cc @kyrtapz

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arkadeepsen, mattedallo
Once this PR has been reviewed and has the lgtm label, please assign jcaamano for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Three new read-only RBAC rules were added to the cluster-reader ClusterRole in the OVN-Kubernetes RBAC configuration. The additions grant permissions to access egressrouters, networks, and network-attachment-definitions resources across three API groups.

Changes

Cohort / File(s)	Summary
RBAC Cluster-Reader Configuration bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml	Added three new read-only RBAC rules: egressrouters (network.operator.openshift.io), networks (operator.openshift.io), and network-attachment-definitions (k8s.cni.cncf.io). All rules grant get, list, and watch verbs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Additive-only changes with no modifications to existing rules
• Straightforward permission rules following consistent patterns
• Single configuration file affected

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between c563eb4 and 93ab506.

📒 Files selected for processing (1)

• bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml (1 hunks)

🔇 Additional comments (1)

bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml (1)

40-60: LGTM — RBAC rules correctly added and tested.

The three new rules grant read-only access (get, list, watch) to the specified network resources and are properly aggregated into the cluster-reader role. The API group and resource names are correct, the verbs match the cluster-reader intent, and the formatting is consistent with existing rules. Per your testing, these permissions work correctly in OCP clusters.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

@mattedallo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	93ab506	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade	93ab506	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-gcp-ovn-upgrade
ci/prow/security	93ab506	link	false	/test security
ci/prow/4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade	93ab506	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade
ci/prow/4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade	93ab506	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-azure-ovn-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mattedallo]

@kyrtapz when you have time please take a look. Thanks

[kyrtapz]

While I am ok with the other two I am not really sure what is the general approach for operator.openshift.io CRDs across OCP.
From what I've seen there are no other operator CRDs added to the cluster-reader.
@pliurh @mattedallo were you able to find that out?

[mattedallo]

@kyrtapz Thank you for raising this concern. I've checked the RBAC patterns across OpenShift operators, and I indeed it seems no operator.openshift.io resources are currently exposed to cluster-reader across the entire platform. Our proposed change would be the first exception to this pattern.

Investigation Findings / My understanding

Listing my findings/understanding below, most of them might be trivial for a seasoned Red Hat engineer but helps me validate if my understanding is correct.

Pattern Confirmed Across All Operators

I verified that zero out of 21 operator.openshift.io/v1 resources have aggregate-to-cluster-reader or aggregate-to-view labels.

For comparison, here are operators that do have cluster-reader access, but for different API groups (NOT operator.openshift.io):

• machine-config-operator: Exposes machineconfiguration.openshift.io and config.openshift.io (source)
• cluster-samples-operator: Exposes samples.operator.openshift.io (different API group) (source)
• cluster-config-operator: Exposes only config.openshift.io (source)
• machine-api-operator: Exposes machine.openshift.io (source)

The Current Architectural Pattern

The consistent pattern across OpenShift is:

• ✅ config.openshift.io → Exposed to cluster-reader (user-facing, high-level configuration)
• ✅ Custom operator API groups (e.g., samples.operator.openshift.io, machineconfiguration.openshift.io) → Exposed when appropriate
• ❌ operator.openshift.io → NOT exposed to cluster-reader (implementation details, cluster-admin only)

Security Considerations

On the security side, looking at the operator.openshift.io/Network CRD data that would become readable does not seem harmful:

• ✅ No credential/secret fields in the API definition
• ✅ Mostly configuration data (CIDRs, MTU, ports, feature flags)
• ⚠️ RawCNIConfig is freeform JSON (could be misused, but user error not design flaw AFAIU)
• ⚠️ Infrastructure topology info (collectors, syslog destinations)

Still, that doesn't mean it won't include something that shouldn't be readable by a cluster-reader in the future, especially if the architectural assumption is that this is an internal, non-customer-visible CRD.

How troubleshoot has been made possible so far?

Mostly making use of must-gather

• must-gather with cluster-admin privileges (already attempts to collect networks.operator.openshift.io)
• Offline analysis of must-gather output

Questions

As someone new to the team, I want to make sure I understand the tradeoffs here:

1. Breaking the pattern: Is the debugging benefit sufficient to justify being the first and only operator.openshift.io resource exposed to cluster-reader across the platform?

2. Security review: Should we assess the risk of exposing implementation details like RawCNIConfig and in general braking the current pattern?

3. Alternatives: Could we instead:

   • Enhance config.openshift.io/Network.Status with additional troubleshooting fields?
   • Create a dedicated troubleshooting API?

I'm happy to pursue whichever direction the team thinks is best.

@pliurh please let me know your thoughts as you might have additional context on this.

[pliurh]

I don't think we shall break the pattern.