Expand Up @@ -84,6 +84,12 @@ rules:
- secrets
verbs:
- '*'
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- '*'
- apiGroups:
- k8s.ovn.org
resources:
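Review bot: the new `networking.k8s.io` rule grants `verbs: ['*']` on `networkpolicies`, which is broader than the stated purpose of the change (managing virt-launcher NetworkPolicy CIDR-based egress rules) requires; enumerate the verbs the step actually uses (for example `get`, `list`, `watch`, `create`, `update`, `delete`) so the service account is not silently granted `deletecollection` or any verb added to the API later, and add a short comment on the rule saying why this account needs to manage NetworkPolicies. A principal that can rewrite NetworkPolicies can also remove the isolation they provide, so this rule deserves the same scrutiny as the `secrets` wildcard directly above it.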
Expand Down Expand Up @@ -116,4 +122,34 @@ roleRef:
name: kv-external-infra-role
EOF

# ClusterRole to read cluster network config (needed for virt-launcher NetworkPolicy CIDR-based egress rules)
oc apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kv-external-infra-network-reader
rules:
- apiGroups:
- config.openshift.io
resources:
- networks
verbs:
- get
EOF

oc apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kv-external-infra-network-reader-binding
subjects:
- kind: ServiceAccount
name: ${SA_NAME}
namespace: ${EXTERNAL_INFRA_NS}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kv-external-infra-network-reader
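Review bot: the `kv-external-infra-network-reader` rule grants `get` on every `networks.config.openshift.io` object, but the cluster network configuration that the CIDR-based egress rules read is the singleton object named `cluster`; add `resourceNames: [cluster]` under the rule so the grant covers exactly that object. Note also that the ClusterRole name is as fixed as the binding name below it, so every run of this step shares and re-applies the same ClusterRole; that is harmless while the rule is identical across runs, but any run-specific change to it would affect all concurrent runs on the same infra cluster.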
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find where this step is referenced and whether EXTERNAL_INFRA_NS is overridden.
rg -n -C3 'hypershift-kubevirt-install-create-external-infra-kubeconfig|EXTERNAL_INFRA_NS' ci-operator

# Confirm the binding name is currently fixed.
rg -n -C2 'kv-external-infra-network-reader-binding' ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh

Repository: openshift/release

Length of output: 16988


🏁 Script executed:

# Check if there are any other chains or workflows that might use this step with different EXTERNAL_INFRA_NS
rg -n "hypershift-kubevirt-install-create-external-infra-kubeconfig" ci-operator --type yaml

# Look for any test configurations or multi-run scenarios
fd -e yaml -e yml ci-operator | xargs grep -l "EXTERNAL_INFRA_NS" | head -20

Repository: openshift/release

Length of output: 715


🏁 Script executed:

# Find all jobs/tests that reference the chain containing this step
rg -n "hypershift-kubevirt-run-e2e-external" ci-operator --type yaml -A 5 -B 5

# Check if EXTERNAL_INFRA_NS is ever overridden in any job configs
rg -n "EXTERNAL_INFRA_NS" ci-operator --type yaml | grep -v "default:" | head -30

Repository: openshift/release

Length of output: 9375


🏁 Script executed:

# Search for any job configs that might override EXTERNAL_INFRA_NS
fd -e yaml ci-operator/config | xargs grep -l "EXTERNAL_INFRA_NS" 2>/dev/null | head -20

# If found, show the context
fd -e yaml ci-operator/config | xargs grep -B5 -A5 "EXTERNAL_INFRA_NS" 2>/dev/null | head -50

Repository: openshift/release

Length of output: 817


🏁 Script executed:

# Search in the correct directory
find ci-operator/config -name "*.yaml" -exec grep -l "EXTERNAL_INFRA_NS" {} \; 2>/dev/null | head -20

# Show the context
find ci-operator/config -name "*.yaml" -exec grep -B3 -A3 "EXTERNAL_INFRA_NS" {} + 2>/dev/null | head -80

Repository: openshift/release

Length of output: 43


🏁 Script executed:

# Check if there are any comments or documentation about reusing the same infra cluster
rg -i "shared.*infra|reuse.*infra|multi.*run" ci-operator/step-registry/hypershift/kubevirt --type yaml --type sh -B2 -A2

# Look at the actual script to understand the scope better
cat ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh

Repository: openshift/release

Length of output: 3751


Include EXTERNAL_INFRA_NS in the ClusterRoleBinding name to prevent cross-run clobbering.

The ClusterRoleBinding kv-external-infra-network-reader-binding is cluster-scoped with a fixed name. When this step runs multiple times against the same infra cluster with different EXTERNAL_INFRA_NS values, the second run overwrites the first run's binding, breaking its permissions.

Proposed change
+CRB_NAME="kv-external-infra-network-reader-binding-${EXTERNAL_INFRA_NS}"

 oc apply -f - <<EOF
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kv-external-infra-network-reader-binding
+  name: ${CRB_NAME}
 subjects:
   - kind: ServiceAccount
     name: ${SA_NAME}
     namespace: ${EXTERNAL_INFRA_NS}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: kv-external-infra-network-reader
 EOF
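Review bot: with `CRB_NAME` now per-namespace, each run leaves its own ClusterRoleBinding behind, so pair this with matching cleanup (or at least a label carrying the namespace so stale bindings can be found and removed). RBAC bindings reference a ServiceAccount subject by namespace and name, not by UID, so a binding left over after `${EXTERNAL_INFRA_NS}` is deleted will immediately grant the role again to any ServiceAccount later recreated under that namespace and name. The `roleRef` still points at the fixed `kv-external-infra-network-reader` ClusterRole, which remains shared between runs.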
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/hypershift/kubevirt/install/create-external-infra-kubeconfig/hypershift-kubevirt-install-create-external-infra-kubeconfig-commands.sh`
around lines 140-152, the ClusterRoleBinding uses a fixed cluster-scoped name
(kv-external-infra-network-reader-binding) which causes different runs with
different EXTERNAL_INFRA_NS to clobber each other; update the ClusterRoleBinding
metadata.name to include the EXTERNAL_INFRA_NS (for example append or
interpolate ${EXTERNAL_INFRA_NS}) so the binding becomes unique per external
infra namespace, and ensure any references to that binding name (if any
elsewhere in the script) are updated accordingly; keep the subjects
(ServiceAccount name ${SA_NAME} and namespace ${EXTERNAL_INFRA_NS}) and roleRef
unchanged.

EOF
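Added example, not code from the openshift/release PR or from the review bot: a Python simulation of the cross-run clobbering the review comment describes. It models `oc apply` only as "an object with the same kind and name replaces the previous one" (no real API server), runs the step twice for two constructed namespaces (`kv-infra-run-a`, `kv-infra-run-b`) with a constructed service-account name (`kv-external-infra-sa`), and compares the fixed binding name against a per-namespace name. The `resourceNames: [cluster]` narrowing on the ClusterRole is an assumption added here, not part of the patch; `cluster` is the singleton `networks.config.openshift.io` object.

```python
"""Simulate how a cluster-scoped RBAC object with a fixed name is clobbered
when the same CI step runs for two external-infra namespaces on one infra
cluster, and how a per-namespace name avoids it.

Constructed example: FakeCluster models only the "apply replaces the object
with the same kind+name" behaviour of `oc apply`, not a real API server.
"""
import re

# RFC 1123 subdomain rules that the Kubernetes API enforces on metadata.name.
_DNS_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)
MAX_NAME_LEN = 253

ROLE_NAME = "kv-external-infra-network-reader"           # name used in the patch
BINDING_BASE = "kv-external-infra-network-reader-binding"  # name used in the patch


def validate_name(name: str) -> None:
    """Reject names the API server would reject (too long or not a DNS subdomain)."""
    if len(name) > MAX_NAME_LEN or not _DNS_SUBDOMAIN.match(name):
        raise ValueError(f"invalid Kubernetes object name: {name!r}")


def network_reader_role() -> dict:
    """ClusterRole from the patch, narrowed with resourceNames to the singleton
    `cluster` object that holds the cluster network configuration (assumption
    added here; the patch grants `get` on all networks objects)."""
    validate_name(ROLE_NAME)
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": ROLE_NAME},
        "rules": [{
            "apiGroups": ["config.openshift.io"],
            "resources": ["networks"],
            "resourceNames": ["cluster"],
            "verbs": ["get"],
        }],
    }


def network_reader_binding(sa_name: str, namespace: str, per_namespace: bool) -> dict:
    """ClusterRoleBinding for the step's service account; per_namespace=True
    appends the namespace to the name as the review comment proposes."""
    name = f"{BINDING_BASE}-{namespace}" if per_namespace else BINDING_BASE
    validate_name(name)
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": ROLE_NAME},
    }


class FakeCluster:
    """Cluster-scoped objects keyed by (kind, name), as the API server keys them."""

    def __init__(self) -> None:
        self.objects: dict = {}

    def apply(self, obj: dict) -> None:
        key = (obj["kind"], obj["metadata"]["name"])
        self.objects[key] = obj  # a second apply with the same key replaces the first

    def namespaces_bound_to(self, role_name: str) -> list:
        """Namespaces whose ServiceAccounts currently hold role_name via a CRB."""
        return sorted(
            subject["namespace"]
            for (kind, _), obj in self.objects.items()
            if kind == "ClusterRoleBinding" and obj["roleRef"]["name"] == role_name
            for subject in obj["subjects"]
        )


def run_step(cluster: FakeCluster, sa_name: str, namespace: str, per_namespace: bool) -> None:
    """One execution of the CI step: apply the ClusterRole, then the binding."""
    cluster.apply(network_reader_role())
    cluster.apply(network_reader_binding(sa_name, namespace, per_namespace))


def simulate(per_namespace: bool) -> list:
    """Run the step for two constructed namespaces and report who keeps the role."""
    cluster = FakeCluster()
    for ns in ("kv-infra-run-a", "kv-infra-run-b"):  # constructed CI run namespaces
        run_step(cluster, "kv-external-infra-sa", ns, per_namespace)  # constructed SA name
    return cluster.namespaces_bound_to(ROLE_NAME)


if __name__ == "__main__":
    print("fixed binding name   ->", simulate(per_namespace=False))  # run A lost its grant
    print("per-namespace name   ->", simulate(per_namespace=True))   # both runs keep theirs
```

With the fixed name, the second run's apply replaces the first run's binding and only `kv-infra-run-b` keeps the role; with the per-namespace name both bindings coexist. `validate_name` guards the derived name because a namespace is interpolated into it, although a namespace (at most 63 characters) plus the 41-character prefix stays well under the 253-character limit.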