Merge pull request #94416 from ousleyp/cnv-54829

CNV#54829: new default live migration permissions

Author: ousleyp

modules/virt-about-live-migration-permissions.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * virt/live_migration/virt-about-live-migration.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="virt-about-live-migration-permissions_{context}"]
+= About live migration permissions
+
+In {VirtProductName} 4.19 and later, live migration operations are restricted to users who are explicitly granted the `kubevirt.io:migrate` cluster role. Users with this role can create, delete, and update virtual machine (VM) live migration requests, which are represented by `VirtualMachineInstanceMigration` (VMIM) custom resources.
+
+Cluster administrators can bind the `kubevirt.io:migrate` role to trusted users or groups at either the namespace or cluster level.
+
+Before {VirtProductName} 4.19, namespace administrators had live migration permissions by default. This behavior changed in version 4.19 to prevent unintended or malicious disruptions to infrastructure-critical migration operations. 
+
+As a cluster administrator, you can preserve the old behavior by creating a temporary cluster role before updating. After assigning the new role to users, delete the temporary role to enforce the more restrictive permissions. If you have already updated, you can still revert to the old behavior by aggregating the `kubevirt.io:migrate` role into the `admin` cluster role.

modules/virt-canceling-vm-migration-cli.adoc

@@ -12,6 +12,7 @@ Cancel the live migration of a virtual machine by deleting the
 .Prerequisites
 
 * You have installed the {oc-first}.
+* You have the `kubevirt.io:migrate` RBAC role or you are a cluster administrator.
 
 .Procedure
 

modules/virt-canceling-vm-migration-web.adoc

@@ -8,6 +8,10 @@
 
 You can cancel the live migration of a virtual machine (VM) by using the {product-title} web console.
 
+.Prerequisites
+
+* You have the `kubevirt.io:migrate` RBAC role or you are a cluster administrator.
+
 .Procedure
 
 . Navigate to *Virtualization* -> *VirtualMachines* in the web console.

modules/virt-default-cluster-roles.adoc

@@ -6,7 +6,7 @@
 [id="default-cluster-roles-for-virt_{context}"]
 = Default cluster roles for {VirtProductName}
 
-By using cluster role aggregation, {VirtProductName} extends the default {product-title} cluster roles to include permissions for accessing virtualization objects.
+By using cluster role aggregation, {VirtProductName} extends the default {product-title} cluster roles to include permissions for accessing virtualization objects. Roles unique to {VirtProductName} are not aggregated with {product-title} roles.
 
 .{VirtProductName} cluster roles
 [cols="1,1,4",options="header"]
@@ -26,4 +26,8 @@ By using cluster role aggregation, {VirtProductName} extends the default {produc
 .^| `admin`
 .^|`kubevirt.io:admin`
 | A user that has full permissions to all {VirtProductName} resources, including the ability to delete collections of resources. The user can also view and modify the {VirtProductName} runtime configuration, which is located in the `HyperConverged` custom resource in the `openshift-cnv` namespace.
+
+.^| `N/A`
+.^|`kubevirt.io:migrate`
+| A user that can create, delete, and update VM live migration requests, which are represented by namespaced `VirtualMachineInstanceMigration` (VMIM) objects. This role is specific to {VirtProductName}.
 |===

modules/virt-granting-live-migration-permissions.adoc

@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+//
+// * virt/live_migration/virt-about-live-migration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-granting-live-migration-permissions_{context}"]
+= Granting live migration permissions
+
+Grant trusted users or groups the ability to create, delete, and update live migration instances.
+
+.Prerequisites
+
+* The {product-title} CLI (`oc`) is installed.
+* You have cluster administrator permissions.
+
+.Procedure
+
+* (Optional) To change the default behavior so that namespace administrators always have permission to create, delete, and update live migrations, aggregate the `kubevirt.io:migrate` role into the `admin` cluster role by running the following command:
++
+[source,terminal]
+----
+$ oc label --overwrite clusterrole kubevirt.io:migrate rbac.authorization.k8s.io/aggregate-to-admin=true
+----
+
+* Bind the `kubevirt.io:migrate` cluster role to trusted users or groups by running one of the following commands, replacing `<namespace>`, `<first_user>`, `<second_user>`, and `<group_name>` with your own values.
+** To bind the role at the namespace level, run the following command:
++
+[source,terminal]
+----
+$ oc create -n <namespace> rolebinding kvmigrate --clusterrole=kubevirt.io:migrate --user=<first_user> --user=<second_user> --group=<group_name>
+----
+** To bind the role at the cluster level, run the following command:
++
+[source,terminal]
+----
+$ oc create clusterrolebinding kvmigrate --clusterrole=kubevirt.io:migrate --user=<first_user> --user=<second_user> --group=<group_name>
+----

modules/virt-initiating-vm-migration-cli.adoc

@@ -11,6 +11,7 @@ You can initiate the live migration of a running virtual machine (VM) by using t
 .Prerequisites
 
 * You have installed the {oc-first}.
+* You have the `kubevirt.io:migrate` RBAC role or you are a cluster administrator.
 
 .Procedure
 

modules/virt-initiating-vm-migration-web.adoc

@@ -15,8 +15,9 @@ The *Migrate* action is visible to all users but only cluster administrators can
 
 .Prerequisites
 
-* The VM must be migratable.
-* If the VM is configured with a host model CPU, the cluster must have an available node that supports the CPU model.
+* You have the `kubevirt.io:migrate` RBAC role or you are a cluster administrator.
+* The VM is migratable.
+* If the VM is configured with a host model CPU, the cluster has an available node that supports the CPU model.
 
 .Procedure
 

modules/virt-preserving-lm-perms.adoc

@@ -0,0 +1,81 @@
+// Module included in the following assemblies:
+//
+// * virt/live_migration/virt-about-live-migration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-preserving-lm-perms_{context}"]
+= Preserving pre-4.19 live migration permissions during update
+
+Before you update to {VirtProductName} {VirtVersion}, you can create a temporary cluster role to preserve the previous live migration permissions until you are ready for the more restrictive default permissions to take effect.
+
+.Prerequisites
+
+* The {product-title} CLI (`oc`) is installed.
+* You have cluster administrator permissions.
+
+.Procedure
+
+. Before updating to {VirtProductName} {VirtVersion}, create a temporary `ClusterRole` object. For example:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin=true #<1>
+  name: kubevirt.io:upgrademigrate
+rules:
+- apiGroups:
+  - subresources.kubevirt.io
+  resources:
+  - virtualmachines/migrate
+  verbs:
+  - update
+- apiGroups:
+  - kubevirt.io
+  resources:
+  - virtualmachineinstancemigrations
+  verbs:
+  - get
+  - delete
+  - create
+  - update
+  - patch
+  - list
+  - watch
+  - deletecollection
+----
+<1> This cluster role is aggregated into the `admin` role before you update {VirtProductName}. The update process does not modify it, ensuring the previous behavior is maintained.
+
+. Add the cluster role manifest to the cluster by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f <cluster_role_file_name>.yaml
+----
+
+. Update {VirtProductName} to version {VirtVersion}.
+
+. Bind the `kubevirt.io:migrate` cluster role to trusted users or groups by running one of the following commands, replacing `<namespace>`, `<first_user>`, `<second_user>`, and `<group_name>` with your own values.
+** To bind the role at the namespace level, run the following command:
++
+[source,terminal]
+----
+$ oc create -n <namespace> rolebinding kvmigrate --clusterrole=kubevirt.io:migrate --user=<first_user> --user=<second_user> --group=<group_name>
+----
+** To bind the role at the cluster level, run the following command:
++
+[source,terminal]
+----
+$ oc create clusterrolebinding kvmigrate --clusterrole=kubevirt.io:migrate --user=<first_user> --user=<second_user> --group=<group_name>
+----
+
+. When you have bound the `kubevirt.io:migrate` role to all necessary users, delete the temporary `ClusterRole` object by running the following command:
++
+[source,terminal]
+----
+$ oc delete clusterrole kubevirt.io:upgrademigrate
+----
++
+After you delete the temporary cluster role, only users with the `kubevirt.io:migrate` role can create, delete, and update live migration requests.

virt/live_migration/virt-about-live-migration.adoc

@@ -32,6 +32,13 @@ The default number of migrations that can run in parallel in the cluster is 5.
 * If a VM uses a host model CPU, the nodes must support the CPU.
 * xref:../../virt/vm_networking/virt-dedicated-network-live-migration.adoc#virt-dedicated-network-live-migration[Configuring a dedicated Multus network] for live migration is highly recommended. A dedicated network minimizes the effects of network saturation on tenant workloads during migration.
 
+include::modules/virt-about-live-migration-permissions.adoc[leveloffset=+1]
+
+//TODO: Remove transition-to-lm-role module in 4.21; relevant in 4.20 due to EUS
+include::modules/virt-preserving-lm-perms.adoc[leveloffset=+1]
+
+include::modules/virt-granting-live-migration-permissions.adoc[leveloffset=+1]
+
 include::modules/virt-vm-migration-tuning.adoc[leveloffset=+1]
 
 [id="common-live-migration-tasks_virt-about-live-migration"]
@@ -48,6 +55,7 @@ You can perform the following live migration tasks:
 
 [id="additional-resources_virt-about-live-migration"]
 == Additional resources
+* xref:../../virt/about_virt/virt-security-policies.adoc#default-cluster-roles-for-virt_virt-security-policies[Default cluster roles for {VirtProductName}]
 * xref:../../virt/monitoring/virt-prometheus-queries.adoc#virt-live-migration-metrics_virt-prometheus-queries[Prometheus queries for live migration]
 * xref:../../virt/nodes/virt-node-maintenance.adoc#run-strategies[VM run strategies]
 * xref:../../virt/nodes/virt-node-maintenance.adoc#eviction-strategies[VM and cluster eviction strategies]

virt/live_migration/virt-initiating-live-migration.adoc

@@ -27,4 +27,10 @@ include::modules/virt-initiating-vm-migration-cli.adoc[leveloffset=+2]
 
 include::modules/virt-canceling-vm-migration-web.adoc[leveloffset=+2]
 
-include::modules/virt-canceling-vm-migration-cli.adoc[leveloffset=+2]
+include::modules/virt-canceling-vm-migration-cli.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+
+* xref:../../virt/live_migration/virt-about-live-migration.adoc#virt-about-live-migration-permissions_virt-about-live-migration[About live migration permissions]