From c777e868e547b91b4bd27aa4eab2680523a04452 Mon Sep 17 00:00:00 2001
From: Oren Cohen
Date: Mon, 11 May 2026 09:47:23 +0300
Subject: [PATCH] fix(hypershift-kubevirt): grant networkpolicies RBAC to external infra SA

The hypershift-operator now creates a virt-launcher NetworkPolicy on the external infrastructure cluster to enforce network isolation for KubeVirt guest VMs (openshift/hypershift#8056, OCPBUGS-78575). A new ValidKubeVirtInfraNetworkPolicyRBAC condition was added that requires the external infra service account to have networking.k8s.io/networkpolicies permissions and cluster-scoped read access to networks.config.openshift.io for CIDR-based egress rules.

The CI step that provisions the restricted infra kubeconfig was not updated to include these permissions, so the e2e-hypershift-kubevirt job fails with forbidden errors when the operator attempts to manage the virt-launcher NetworkPolicy and read cluster network configuration.

Add networking.k8s.io/networkpolicies with full verbs to the kv-external-infra-role, and create a ClusterRole+ClusterRoleBinding granting get access to networks.config.openshift.io so the operator can build CIDR-based egress restrictions for full tenant isolation.

Signed-off-by: Oren Cohen
Assisted-by: Claude
---
 ...eate-external-infra-kubeconfig-commands.sh | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh b/ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh
index 7223a43317e54..e1448e5949d60 100644
--- a/ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh
+++ b/ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh @@ -84,6 +84,12 @@ rules: - secrets verbs: - '*' + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - '*' - apiGroups: - k8s.ovn.org resources: @@ -116,4 +122,34 @@ roleRef: name: kv-external-infra-role EOF +# ClusterRole to read cluster network config (needed for virt-launcher NetworkPolicy CIDR-based egress rules) +oc apply -f - <
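Review bot: in the first hunk (@@ -84,6 +84,12 @@) the new networkpolicies rule uses `verbs: - '*'`, which is broader than the need the commit message states (managing one virt-launcher NetworkPolicy) and also hands the SA `deletecollection` over every NetworkPolicy in the namespace the Role is bound in. It copies the pattern of the neighbouring `secrets` rule, but this Role is the CI stand-in for the restricted infra kubeconfig a user would provision, so an explicit verb list, the verbs the ValidKubeVirtInfraNetworkPolicyRBAC condition actually checks for, would keep the job an honest record of the minimum permissions and make any later widening of the operator's needs fail here instead of being masked by the wildcard. Suggest replacing `- '*'` under `networkpolicies` with that explicit list, and noting in the script comment where the list comes from.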
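Review bot: in the second hunk (@@ -116,4 +122,34 @@) the ClusterRole and ClusterRoleBinding applied after `EOF` are cluster-scoped, so unlike the namespaced `kv-external-infra-role` and its RoleBinding they do not go away with the infra namespace; the step, or whichever step tears the infra down, should delete them explicitly, and if several jobs can share one infra cluster the names should carry a per-job suffix, otherwise a later `oc apply` of the same ClusterRoleBinding name replaces the earlier job's subject. The manifest itself is cut off on this page after `oc apply -f - <`, so two things to confirm in it: the rule grants only `get` (as the commit message says) and can be pinned with `resourceNames: [cluster]`, since the cluster network configuration is the single networks.config.openshift.io object named `cluster`; but if the operator reads it through an informer it also needs `list` and `watch`, and a resourceNames-pinned `get` rule will not satisfy an unfiltered list. Check which of the two the ValidKubeVirtInfraNetworkPolicyRBAC condition tests for and match the manifest to it.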
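As an added worked example, not part of this patch or of the hypershift project, the following Python evaluates Kubernetes RBAC rules offline so the grants above can be checked without a cluster. It shows why the `'*'` verb on networkpolicies also grants `deletecollection`, why the namespaced Role can never satisfy the cluster-scoped networks.config.openshift.io read the commit message mentions, and what a `resourceNames`-pinned `get` rule still denies. The matching logic follows the upstream evaluation helpers in k8s.io/kubernetes/pkg/apis/rbac/v1; the namespace name `INFRA_NS`, the verb list `NETPOL_VERBS` and the `resourceNames: [cluster]` pin are assumptions for the example, not taken from the operator's source or the cut-off manifest.

```python
"""Offline check of what a set of Kubernetes RBAC rules actually grants.

Matching follows k8s.io/kubernetes/pkg/apis/rbac/v1/evaluation_helpers.go: a
PolicyRule allows a request when apiGroups, resources and verbs each match
("*" is a wildcard in all three) and, if resourceNames is set, the request names
one of them. Sample rules are constructed from the kv-external-infra-role hunk and
the ClusterRole the commit message describes; INFRA_NS, NETPOL_VERBS and the
resourceNames pin are assumptions, not taken from the operator's source.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALL = "*"

@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)

@dataclass
class Request:
    verb: str
    api_group: str            # "" is the core group
    resource: str
    name: str = ""
    namespace: str = ""       # "" means a cluster-scoped request
    subresource: str = ""

@dataclass
class Binding:
    """Rules bound by a RoleBinding in `namespace`, or cluster-wide when None."""
    rules: List[Rule]
    namespace: Optional[str] = None

def _matches(rule_values: List[str], wanted: str) -> bool:
    return any(v == ALL or v == wanted for v in rule_values)

def resource_matches(rule: Rule, req: Request) -> bool:
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    for r in rule.resources:
        if r == ALL or r == combined:
            return True
        # a "*/status"-style rule matches that subresource of any resource
        if req.subresource and r == f"*/{req.subresource}":
            return True
    return False

def rule_allows(rule: Rule, req: Request) -> bool:
    return (_matches(rule.verbs, req.verb)
            and _matches(rule.api_groups, req.api_group)
            and resource_matches(rule, req)
            and (not rule.resource_names or req.name in rule.resource_names))

def allowed(bindings: List[Binding], req: Request) -> bool:
    for b in bindings:
        # a RoleBinding only covers requests inside its own namespace, so it can
        # never satisfy a cluster-scoped request (namespace == "")
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        if any(rule_allows(r, req) for r in b.rules):
            return True
    return False

def missing(bindings: List[Binding], required: List[Request]) -> List[Tuple[str, str, str]]:
    """(verb, apiGroup, resource) of every required request the bindings deny."""
    return [(r.verb, r.api_group, r.resource) for r in required if not allowed(bindings, r)]

INFRA_NS = "clusters-kv-infra"  # constructed namespace the infra SA is bound in

# Role before the patch: only the secrets rule visible in the hunk's context lines.
PRE_FIX_ROLE = Binding(namespace=INFRA_NS, rules=[Rule([""], ["secrets"], [ALL])])

# Role as patched: networkpolicies added with the '*' verb.
PATCHED_ROLE = Binding(namespace=INFRA_NS, rules=PRE_FIX_ROLE.rules + [
    Rule(["networking.k8s.io"], ["networkpolicies"], [ALL])])

# Tightened variant (assumption): explicit verbs a reconciling controller typically needs.
NETPOL_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]
TIGHT_ROLE = Binding(namespace=INFRA_NS, rules=PRE_FIX_ROLE.rules + [
    Rule(["networking.k8s.io"], ["networkpolicies"], NETPOL_VERBS)])

# ClusterRole from the commit message: get on networks.config.openshift.io,
# pinned to the single object named "cluster" via resourceNames (assumption).
NETWORK_CONFIG_READER = Binding(rules=[
    Rule(["config.openshift.io"], ["networks"], ["get"], resource_names=["cluster"])])

# The operator's needs on the infra cluster, as the commit message describes them.
REQUIRED = [Request(v, "networking.k8s.io", "networkpolicies", namespace=INFRA_NS)
            for v in NETPOL_VERBS] + [Request("get", "config.openshift.io", "networks", "cluster")]

if __name__ == "__main__":
    print("denied before patch:", missing([PRE_FIX_ROLE], REQUIRED))
    print("denied by Role alone:", missing([PATCHED_ROLE], REQUIRED))
    print("denied after patch:", missing([PATCHED_ROLE, NETWORK_CONFIG_READER], REQUIRED))
    extra = Request("deletecollection", "networking.k8s.io", "networkpolicies", namespace=INFRA_NS)
    print("'*' also grants deletecollection:", allowed([PATCHED_ROLE], extra),
          "| explicit verbs:", allowed([TIGHT_ROLE], extra))
```

Against a live infra cluster the same questions are answered by `oc auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccount>`, which is the quickest way to confirm the provisioned kubeconfig satisfies the condition before the e2e job runs.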