forklift: add missing rbac

[bennyz]

What this PR does / why we need it:

Add missing RBAC for ovirt and openstack volume populator CRDs

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

Add missing RBAC for ovirt and openstack volume populator CRDs

[kubevirt-bot]

Hi @bennyz. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign akalenyu for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stesrn]

@bennyz hi. I remember having global perms was not recommended. Refer - https://issues.redhat.com/browse/CNV-22907 and https://issues.redhat.com/browse/CNV-32812

[bennyz]

I think I have to do this to because of how pkg/operator/resources/cluster/rbac.go is set

There is also:

		{
			APIGroups: []string{
				"cdi.kubevirt.io",
			},
			Resources: []string{
				"*",
			},
			Verbs: []string{
				"*",
			},
},

in L#169

But I'm open to suggestions

[akalenyu]

Would you mind unifying those two with a comment that explains the motivation?
Something along the lines of, "*" permissions are bad, but logically it's clear that CDI can do anything on CDI resources

[akalenyu]

/test all

I remember having global perms was not recommended

Yup, there should be a unit test for this
EDIT:
We have exceptions for some global permissions. For example, it would make sense that "CDI can do anything on CDI resources", maybe the same applies to these resources as well, have to check

[akalenyu]

I don't think you need this?

[awels]

/test all

[awels]

/retest

[kubevirt-bot]

@bennyz: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cdi-goveralls	e0b0dc2	link	false	/test pull-cdi-goveralls
pull-cdi-unit-test	e0b0dc2	link	false	/test pull-cdi-unit-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[aglitke]

@awels This PR seems stalled. Do we still want to have it merged?

[awels]

We do, but we need to address the * permissions. We have a unit test that disallows this. We should be explicit in the permissions we want to give otherwise security will complain. Alex already pointed this out.