Skip to content

Enabling user permissions to clone data volumes across namespaces

The isolating nature of namespaces means that users cannot by default clone resources between namespaces.

To enable a user to clone a virtual machine to another namespace, a user with the cluster-admin role must create a new cluster role. Bind this cluster role to a user to enable them to clone virtual machines to the destination namespace.

Creating RBAC resources for cloning data volumes

You can create a new cluster role that enables permissions for all actions for the datavolumes resource.

Prerequisites

  • You have installed the OpenShift CLI (oc).

  • You must have cluster admin privileges.

Note

If you are a non-admin user that is an administrator for both the source and target namespaces, you can create a Role instead of a ClusterRole where appropriate.

Procedure

  1. Create a ClusterRole manifest:

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <datavolume-cloner> 
rules:
- apiGroups: ["cdi.kubevirt.io"]
  resources: ["datavolumes/source"]
  verbs: ["*"]
    1. Unique name for the cluster role.

  2. Create the cluster role in the cluster:

    $ oc create -f <datavolume-cloner.yaml>
    1. The file name of the ClusterRole manifest created in the previous step.

  3. Create a RoleBinding manifest that applies to both the source and destination namespaces and references the cluster role created in the previous step.

    apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <allow-clone-to-user> 
  namespace: <Source namespace> 
subjects:
- kind: ServiceAccount
  name: default
  namespace: <Destination namespace> 
roleRef:
  kind: ClusterRole
  name: datavolume-cloner 
  apiGroup: rbac.authorization.k8s.io
    1. Unique name for the role binding.
    2. The namespace for the source data volume.
    3. The namespace to which the data volume is cloned.
    4. The name of the cluster role created in the previous step.

  4. Create the role binding in the cluster:

    $ oc create -f <datavolume-cloner.yaml>
    1. The file name of the RoleBinding manifest created in the previous step.