deckhouse · nevermarine · Sep 30, 2025 · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025
@@ -12,21 +12,12 @@ linters-settings:
         - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.cloneStrategyOverride"
         - "spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.contentType"
   rbac:
+    # We exclude RBAC rules for CDI and Kubevirt resources because they are used by upstream deployments.
+    # Changing these rules will require patching upstream code.
     exclude-rules:
-      wildcards:
-        - kind: ClusterRole
-          name: d8:virtualization:virtualization-api
-        - kind: ClusterRole
-          name: d8:virtualization:virtualization-controller
-        - kind: ClusterRole
-          name: d8:virtualization:kubevirt-operator
-        - kind: ClusterRole
-          name: d8:containerized-data-importer:cdi-operator
       placement:
         - kind: ClusterRoleBinding
           name: d8:containerized-data-importer:cdi-operator
-        - kind: ServiceAccount
-          name: virtualization-pre-delete-hook
         - kind: ServiceAccount
           name: cdi-operator
         - kind: Role

@@ -39,13 +39,30 @@ rules:
     - create
     - update
     - delete
+# every resource in cdi.internal.virtualization.deckhouse.io
 - apiGroups:
     - cdi.internal.virtualization.deckhouse.io
-    - upload.cdi.kubevirt.io
   resources:
-    - '*'
+    - internalvirtualizationcdiconfigs
+    - internalvirtualizationcdis
+    - internalvirtualizationdataimportcrons
+    - internalvirtualizationdatasources
+    - internalvirtualizationdatavolumes
+    - internalvirtualizationobjecttransfers
+    - internalvirtualizationstorageprofiles
+    - internalvirtualizationvolumeclonesources
+    - internalvirtualizationvolumeimportsources
+    - internalvirtualizationvolumeuploadsources
+    - internalvirtualizationopenstackvolumepopulators
+    - internalvirtualizationovirtvolumepopulators
   verbs:
-    - '*'
+    - get
+    - list
+    - watch
+    - create
+    - update
+    - patch
+    - delete
 - apiGroups:
     - admissionregistration.k8s.io
   resources:
@@ -143,57 +160,6 @@ rules:
     - get
     - list
     - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationdatavolumes
-  verbs:
-    - list
-    - get
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationdatasources
-  verbs:
-    - get
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationvolumeclonesources
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationstorageprofiles
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationcdis
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationcdiconfigs
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationcdis/finalizers
-  verbs:
-    - update
 - apiGroups:
     - ""
   resources:
@@ -272,12 +238,6 @@ rules:
     - clusterversions
   verbs:
     - get
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - '*'
-  verbs:
-    - '*'
 - apiGroups:
     - storage.deckhouse.io
   resources:
@@ -357,14 +317,6 @@ rules:
     - persistentvolumeclaims
   verbs:
     - get
-- apiGroups:
-    - cdi.internal.virtualization.deckhouse.io
-  resources:
-    - internalvirtualizationdataimportcrons
-  verbs:
-    - get
-    - list
-    - update
 - apiGroups:
     - ""
   resources:

@@ -376,15 +376,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - cdi.internal.virtualization.deckhouse.io
-  resources:
-  - internalvirtualizationdatasources
-  - internalvirtualizationdatavolumes
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - instancetype.internal.virtualization.deckhouse.io
   resources:
@@ -554,15 +545,29 @@ rules:
 - apiGroups:
   - snapshot.internal.virtualization.deckhouse.io
   resources:
-  - '*'
+  - internalvirtualizationvirtualmachinerestores
+  - internalvirtualizationvirtualmachinesnapshotcontents
+  - internalvirtualizationvirtualmachinesnapshots
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - delete
+  - create
+  - update
+  - patch
 - apiGroups:
   - export.internal.virtualization.deckhouse.io
   resources:
-  - '*'
+  - internalvirtualizationvirtualmachineexports
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - delete
+  - create
+  - update
+  - patch
 - apiGroups:
   - pool.internal.virtualization.deckhouse.io
   resources:
@@ -581,9 +586,43 @@ rules:
 - apiGroups:
   - internal.virtualization.deckhouse.io
   resources:
-  - '*'
+  - internalvirtualizationcdiconfigs
+  - internalvirtualizationcdis
+  - internalvirtualizationdataimportcrons
+  - internalvirtualizationdatasources
+  - internalvirtualizationdatavolumes
+  - internalvirtualizationobjecttransfers
+  - internalvirtualizationstorageprofiles
+  - internalvirtualizationvolumeclonesources
+  - internalvirtualizationvolumeimportsources
+  - internalvirtualizationvolumeuploadsources
+  - internalvirtualizationvirtualmachineclones
+  - internalvirtualizationvirtualmachineexports
+  - internalvirtualizationopenstackvolumepopulators
+  - internalvirtualizationovirtvolumepopulators
+  - internalvirtualizationvirtualmachineclusterinstancetypes
+  - internalvirtualizationvirtualmachineclusterpreferences
+  - internalvirtualizationvirtualmachineinstancetypes
+  - internalvirtualizationvirtualmachinepreferences
+  - internalvirtualizationkubevirts
+  - internalvirtualizationvirtualmachineinstancemigrations
+  - internalvirtualizationvirtualmachineinstancepresets
+  - internalvirtualizationvirtualmachineinstancereplicasets
+  - internalvirtualizationvirtualmachineinstances
+  - internalvirtualizationvirtualmachines
+  - internalvirtualizationmigrationpolicies
+  - internalvirtualizationvirtualmachinepools
+  - internalvirtualizationvirtualmachinerestores
+  - internalvirtualizationvirtualmachinesnapshotcontents
+  - internalvirtualizationvirtualmachinesnapshots
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - delete
+  - create
+  - update
+  - patch
 - apiGroups:
   - subresources.virtualization.deckhouse.io
   resources:
@@ -604,9 +643,26 @@ rules:
 - apiGroups:
   - cdi.internal.virtualization.deckhouse.io
   resources:
-  - '*'
+  - internalvirtualizationcdiconfigs
+  - internalvirtualizationcdis
+  - internalvirtualizationdataimportcrons
+  - internalvirtualizationdatasources
+  - internalvirtualizationdatavolumes
+  - internalvirtualizationobjecttransfers
+  - internalvirtualizationstorageprofiles
+  - internalvirtualizationvolumeclonesources
+  - internalvirtualizationvolumeimportsources
+  - internalvirtualizationvolumeuploadsources
+  - internalvirtualizationopenstackvolumepopulators
+  - internalvirtualizationovirtvolumepopulators
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - delete
+  - create
+  - update
+  - patch
 - apiGroups:
   - k8s.cni.cncf.io
   resources:

@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: virtualization-pre-delete-hook
-  namespace: d8-{{ .Chart.Name }}
+  namespace: d8-system
   {{- include "helm_lib_module_labels" (list . (dict "app" "virtualization-pre-delete-hook")) | nindent 2 }}
   annotations:
     "helm.sh/hook": pre-delete

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: virtualization-pre-delete-hook
-  namespace: d8-{{ .Chart.Name }}
+  namespace: d8-system
   {{- include "helm_lib_module_labels" (list . (dict "app" "virtualization-pre-delete-hook")) | nindent 2 }}
 imagePullSecrets:
 - name: virtualization-module-registry
@@ -41,4 +41,4 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: virtualization-pre-delete-hook
-    namespace: d8-{{ .Chart.Name }}
+    namespace: d8-system
@@ -16,15 +16,87 @@ metadata:
   {{- include "helm_lib_module_labels" (list . (dict "app" "virtualization-api")) | nindent 2 }}
 rules:
 - apiGroups:
-    - '*'
+  - ""
   resources:
-    - '*'
+  - persistentvolumeclaims
+  - serviceaccounts
+  - configmaps
   verbs:
-    - '*'
-- nonResourceURLs:
-    - '*'
+  - get
+  - watch
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - delete
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - virtualization.deckhouse.io
+  resources:
+  - virtualmachines
+  verbs:
+  - get
+  - watch
+  - create
+  - delete
+- apiGroups:
+  - kubevirt.io
+  resources:
+  - virtualmachines
+  - virtualmachineinstances
+  verbs:
+  - get
+- apiGroups:
+  - subresources.kubevirt.io
+  resources:
+  - virtualmachineinstances/console
+  - virtualmachineinstances/vnc
+  - virtualmachineinstances/vnc/screenshot
+  - virtualmachineinstances/portforward
+  - virtualmachineinstances/guestosinfo
+  - virtualmachineinstances/filesystemlist
+  - virtualmachineinstances/userlist
+  - virtualmachineinstances/sev/fetchcertchain
+  - virtualmachineinstances/sev/querylaunchmeasurement
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - subresources.virtualization.deckhouse.io
+  resources:
+  - virtualmachines
+  - virtualmachines/addvolume
+  - virtualmachines/cancelevacuation
+  - virtualmachines/console
+  - virtualmachines/freeze
+  - virtualmachines/portforward
+  - virtualmachines/removevolume
+  - virtualmachines/unfreeze
+  - virtualmachines/vnc
   verbs:
-    - '*'
+  - get
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding