Enabling user permissions to clone data volumes across namespaces

The isolating nature of namespaces means that users cannot by default clone resources between namespaces.

To enable a user to clone a virtual machine to another namespace, a user with the cluster-admin role must create a new cluster role. Bind this cluster role to a user to enable them to clone virtual machines to the destination namespace.

Prerequisites

  • Only a user with the cluster-admin role can create cluster roles.

About data volumes

DataVolume objects are custom resources that are provided by the Containerized Data Importer (CDI) project. Data volumes orchestrate import, clone, and upload operations that are associated with an underlying persistent volume claim (PVC). You can create a data volume as either a standalone resource or by using the dataVolumeTemplate field in the virtual machine (VM) specification.

  • VM disk PVCs that are prepared by using standalone data volumes maintain an independent lifecycle from the VM. If you use the dataVolumeTemplate field in the VM specification to prepare the PVC, the PVC shares the same lifecycle as the VM.

After a PVC is populated, the data volume that you used to create the PVC is no longer needed. OKD Virtualization enables automatic garbage collection of completed data volumes by default. Standalone data volumes, and data volumes created by using the dataVolumeTemplate resource, are automatically garbage collected after completion.

Creating RBAC resources for cloning data volumes

Create a new cluster role that grants all verbs on the datavolumes/source subresource of the cdi.kubevirt.io API group; CDI checks this permission in the source namespace before it allows a clone.

Procedure

  1. Create a ClusterRole manifest:

       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       metadata:
         name: <datavolume-cloner> (1)
       rules:
       - apiGroups: ["cdi.kubevirt.io"]
         resources: ["datavolumes/source"]
         verbs: ["*"]

     (1) Unique name for the cluster role.

  2. Create the cluster role in the cluster:

       $ oc create -f <datavolume-cloner.yaml> (1)

     (1) The file name of the ClusterRole manifest created in the previous step.

  3. Create a RoleBinding manifest that is created in the source namespace, names the destination namespace's service account as its subject, and references the cluster role created in the previous step.

       apiVersion: rbac.authorization.k8s.io/v1
       kind: RoleBinding
       metadata:
         name: <allow-clone-to-user> (1)
         namespace: <Source namespace> (2)
       subjects:
       - kind: ServiceAccount
         name: default
         namespace: <Destination namespace> (3)
       roleRef:
         kind: ClusterRole
         name: datavolume-cloner (4)
         apiGroup: rbac.authorization.k8s.io

     (1) Unique name for the role binding.
     (2) The namespace for the source data volume.
     (3) The namespace to which the data volume is cloned.
     (4) The name of the cluster role created in the previous step.

  4. Create the role binding in the cluster:

       $ oc create -f <datavolume-cloner.yaml> (1)

     (1) The file name of the RoleBinding manifest created in the previous step.
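The procedure above relies on a subtle RBAC property: a RoleBinding grants a ClusterRole's rules only inside the namespace the binding lives in, so the binding must be created in the source namespace while its subject is the destination namespace's service account. The following added example (not from the OKD documentation or the CDI project) models that evaluation offline so the shape of the manifests can be checked before they are applied. It assumes that CDI's clone authorization asks whether the destination namespace's default service account can create datavolumes/source in the source namespace; the namespace names and binding name are constructed sample values.

```python
"""Minimal model of how the API server evaluates a namespaced RoleBinding that
references a ClusterRole, applied to the cross-namespace clone case.
Added example code; not part of the OKD documentation or of CDI.
Namespace names below (source-ns, dest-ns, other-ns) are constructed samples."""

from typing import Dict, List

# Constructed sample ClusterRole mirroring the shape shown in the procedure.
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "datavolume-cloner"},
    "rules": [
        {"apiGroups": ["cdi.kubevirt.io"],
         "resources": ["datavolumes/source"],
         "verbs": ["*"]}
    ],
}


def make_role_binding(binding_ns: str, sa_ns: str,
                      role_name: str = "datavolume-cloner") -> Dict:
    """RoleBinding that lives in binding_ns and grants role_name to the
    default ServiceAccount of sa_ns. A RoleBinding only ever grants inside
    its own namespace, even when it points at a ClusterRole."""
    return {
        "kind": "RoleBinding",
        "metadata": {"name": "allow-clone-to-user", "namespace": binding_ns},
        "subjects": [{"kind": "ServiceAccount", "name": "default",
                      "namespace": sa_ns}],
        "roleRef": {"kind": "ClusterRole", "name": role_name,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def _matches(values: List[str], wanted: str) -> bool:
    # RBAC treats "*" as a wildcard in apiGroups, resources and verbs.
    return "*" in values or wanted in values


def rule_allows(rule: Dict, verb: str, group: str, resource: str) -> bool:
    """One RBAC rule permits (verb, group, resource) only if all three match.
    Subresources are written as 'resource/subresource', so a rule listing
    'datavolumes/source' does not cover plain 'datavolumes' and vice versa."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def subject_matches(subject: Dict, sa_ns: str, sa_name: str) -> bool:
    return (subject.get("kind") == "ServiceAccount"
            and subject.get("name") == sa_name
            and subject.get("namespace") == sa_ns)


def sa_can(cluster_roles: List[Dict], role_bindings: List[Dict],
           sa_ns: str, sa_name: str, verb: str, group: str,
           resource: str, target_ns: str) -> bool:
    """Decide whether ServiceAccount sa_ns/sa_name may perform verb on
    group/resource inside target_ns, considering RoleBindings that reference
    ClusterRoles (the pattern used on this page)."""
    roles = {r["metadata"]["name"]: r for r in cluster_roles}
    for rb in role_bindings:
        # Namespace scoping: a binding in any other namespace is irrelevant.
        if rb["metadata"]["namespace"] != target_ns:
            continue
        if not any(subject_matches(s, sa_ns, sa_name)
                   for s in rb.get("subjects", [])):
            continue
        ref = rb["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in roles:
            continue
        if any(rule_allows(r, verb, group, resource)
               for r in roles[ref["name"]]["rules"]):
            return True
    return False


def dest_can_clone_from(source_ns: str, dest_ns: str,
                        bindings: List[Dict]) -> bool:
    """Assumed CDI clone check: the destination namespace's default
    ServiceAccount must be able to 'create' datavolumes/source in the
    source namespace."""
    return sa_can([CLUSTER_ROLE], bindings, dest_ns, "default", "create",
                  "cdi.kubevirt.io", "datavolumes/source", source_ns)


if __name__ == "__main__":
    correct = [make_role_binding("source-ns", "dest-ns")]
    wrong_ns = [make_role_binding("dest-ns", "dest-ns")]  # binding placed in the wrong namespace
    print("binding in source namespace:",
          dest_can_clone_from("source-ns", "dest-ns", correct))
    print("binding in destination namespace:",
          dest_can_clone_from("source-ns", "dest-ns", wrong_ns))
```

Against a live cluster the equivalent check is `oc auth can-i create datavolumes/source -n <Source namespace> --as=system:serviceaccount:<Destination namespace>:default`, which should answer yes once the binding exists; the model also shows that a narrower rule with `verbs: ["create"]` would satisfy the same check if the wildcard is wider than the environment wants.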