chore(ci): add rbac linting

Signed-off-by: Maksim Fedotov <[email protected]>

Author: nevermarine

.dmtlint.yaml

@@ -13,15 +13,6 @@ linters-settings:
         - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.contentType"
   rbac:
     exclude-rules:
-      wildcards:
-        - kind: ClusterRole
-          name: d8:virtualization:virtualization-api
-        - kind: ClusterRole
-          name: d8:virtualization:virtualization-controller
-        - kind: ClusterRole
-          name: d8:virtualization:kubevirt-operator
-        - kind: ClusterRole
-          name: d8:containerized-data-importer:cdi-operator
       placement:
         - kind: ClusterRoleBinding
           name: d8:containerized-data-importer:cdi-operator

templates/cdi/cdi-operator/rbac-for-us.yaml

@@ -39,13 +39,30 @@ rules:
     - create
     - update
     - delete
+# every resource in cdi.internal.virtualization.deckhouse.io
 - apiGroups:
     - cdi.internal.virtualization.deckhouse.io
-    - upload.cdi.kubevirt.io
   resources:
-    - '*'
+    - internalvirtualizationcdiconfigs
+    - internalvirtualizationcdis
+    - internalvirtualizationdataimportcrons
+    - internalvirtualizationdatasources
+    - internalvirtualizationdatavolumes
+    - internalvirtualizationobjecttransfers
+    - internalvirtualizationstorageprofiles
+    - internalvirtualizationvolumeclonesources
+    - internalvirtualizationvolumeimportsources
+    - internalvirtualizationvolumeuploadsources
+    - internalvirtualizationopenstackvolumepopulators
+    - internalvirtualizationovirtvolumepopulators
   verbs:
-    - '*'
+    - get
+    - list
+    - watch
+    - create
+    - update
+    - patch
+    - delete
 - apiGroups:
     - admissionregistration.k8s.io
   resources:
@@ -143,57 +160,6 @@ rules:
     - get
     - list
     - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationdatavolumes
-  verbs:
-    - list
-    - get
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationdatasources
-  verbs:
-    - get
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationvolumeclonesources
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationstorageprofiles
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationcdis
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationcdiconfigs
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationcdis/finalizers
-  verbs:
-    - update
 - apiGroups:
     - ""
   resources:
@@ -272,12 +238,6 @@ rules:
     - clusterversions
   verbs:
     - get
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - '*'
-  verbs:
-    - '*'
 - apiGroups:
     - storage.deckhouse.io
   resources:
@@ -357,14 +317,6 @@ rules:
     - persistentvolumeclaims
   verbs:
     - get
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationdataimportcrons
-  verbs:
-    - get
-    - list
-    - update
 - apiGroups:
     - ""
   resources:

templates/kubevirt/virt-operator/rbac-for-us.yaml

@@ -376,15 +376,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - cdi.internal.virtualization.deckhouse.io
-  resources:
-  - internalvirtualizationdatasources
-  - internalvirtualizationdatavolumes
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - instancetype.internal.virtualization.deckhouse.io
   resources:
@@ -554,15 +545,29 @@ rules:
 - apiGroups:
   - snapshot.internal.virtualization.deckhouse.io
   resources:
-  - '*'
+  - internalvirtualizationvirtualmachinerestores
+  - internalvirtualizationvirtualmachinesnapshotcontents
+  - internalvirtualizationvirtualmachinesnapshots
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - delete
+  - create
+  - update
+  - patch
 - apiGroups:
   - export.internal.virtualization.deckhouse.io
   resources:
-  - '*'
+  - internalvirtualizationvirtualmachineexports
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - delete
+  - create
+  - update
+  - patch
 - apiGroups:
   - pool.internal.virtualization.deckhouse.io
   resources:
@@ -581,9 +586,43 @@ rules:
 - apiGroups:
   - internal.virtualization.deckhouse.io
   resources:
-  - '*'
+  - internalvirtualizationcdiconfigs
+  - internalvirtualizationcdis
+  - internalvirtualizationdataimportcrons
+  - internalvirtualizationdatasources
+  - internalvirtualizationdatavolumes
+  - internalvirtualizationobjecttransfers
+  - internalvirtualizationstorageprofiles
+  - internalvirtualizationvolumeclonesources
+  - internalvirtualizationvolumeimportsources
+  - internalvirtualizationvolumeuploadsources
+  - internalvirtualizationvirtualmachineclones
+  - internalvirtualizationvirtualmachineexports
+  - internalvirtualizationopenstackvolumepopulators
+  - internalvirtualizationovirtvolumepopulators
+  - internalvirtualizationvirtualmachineclusterinstancetypes
+  - internalvirtualizationvirtualmachineclusterpreferences
+  - internalvirtualizationvirtualmachineinstancetypes
+  - internalvirtualizationvirtualmachinepreferences
+  - internalvirtualizationkubevirts
+  - internalvirtualizationvirtualmachineinstancemigrations
+  - internalvirtualizationvirtualmachineinstancepresets
+  - internalvirtualizationvirtualmachineinstancereplicasets
+  - internalvirtualizationvirtualmachineinstances
+  - internalvirtualizationvirtualmachines
+  - internalvirtualizationmigrationpolicies
+  - internalvirtualizationvirtualmachinepools
+  - internalvirtualizationvirtualmachinerestores
+  - internalvirtualizationvirtualmachinesnapshotcontents
+  - internalvirtualizationvirtualmachinesnapshots
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - delete
+  - create
+  - update
+  - patch
 - apiGroups:
   - subresources.virtualization.deckhouse.io
   resources:
@@ -604,9 +643,26 @@ rules:
 - apiGroups:
   - cdi.internal.virtualization.deckhouse.io
   resources:
-  - '*'
+  - internalvirtualizationcdiconfigs
+  - internalvirtualizationcdis
+  - internalvirtualizationdataimportcrons
+  - internalvirtualizationdatasources
+  - internalvirtualizationdatavolumes
+  - internalvirtualizationobjecttransfers
+  - internalvirtualizationstorageprofiles
+  - internalvirtualizationvolumeclonesources
+  - internalvirtualizationvolumeimportsources
+  - internalvirtualizationvolumeuploadsources
+  - internalvirtualizationopenstackvolumepopulators
+  - internalvirtualizationovirtvolumepopulators
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - delete
+  - create
+  - update
+  - patch
 - apiGroups:
   - k8s.cni.cncf.io
   resources:

templates/virtualization-controller/rbac-for-us.yaml

@@ -168,7 +168,29 @@ rules:
 - apiGroups:
   - subresources.kubevirt.io
   resources:
-  - '*'
+  - expand-vm-spec
+  - virtualmachineinstances/vnc
+  - virtualmachineinstances/console
+  - virtualmachineinstances/portforward
+  - virtualmachineinstances/pause
+  - virtualmachineinstances/unpause
+  - virtualmachineinstances/freeze
+  - virtualmachineinstances/unfreeze
+  - virtualmachineinstances/softreboot
+  - virtualmachines/start
+  - virtualmachines/stop
+  - virtualmachines/restart
+  - virtualmachines/migrate
+  - virtualmachines/expand-spec
+  - virtualmachineinstances/guestosinfo
+  - virtualmachineinstances/userlist
+  - virtualmachineinstances/filesystemlist
+  - virtualmachineinstances/addvolume
+  - virtualmachineinstances/removevolume
+  - virtualmachineinstances/sev/fetchcertchain
+  - virtualmachineinstances/sev/querylaunchmeasurement
+  - virtualmachineinstances/sev/setupsession
+  - virtualmachineinstances/sev/injectlaunchsecret
   verbs:
   - get
   - patch