This is a cache of https://docs.openshift.com/rosa/virt/storage/virt-enabling-user-permissions-to-clone-datavolumes.html. It is a snapshot of the page at 2024-11-25T03:30:29.596+0000.
Enabling user permissions to clone data volumes across namespaces - Storage | Virtualization | Red Hat OpenShift <strong>service</strong> on AWS
×

The isolating nature of namespaces means that users cannot by default clone resources between namespaces.

To enable a user to clone a virtual machine to another namespace, a user with the cluster-admin role must create a new cluster role. Bind this cluster role to a user to enable them to clone virtual machines to the destination namespace.

Creating RBAC resources for cloning data volumes

Create a new cluster role that enables permissions for all actions for the datavolumes resource.

Prerequisites
  • You must have cluster admin privileges.

Procedure
  1. Create a ClusterRole manifest:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: <datavolume-cloner> (1)
    rules:
    - apiGroups: ["cdi.kubevirt.io"]
      resources: ["datavolumes/source"]
      verbs: ["*"]
    1 Unique name for the cluster role.
  2. Create the cluster role in the cluster:

    $ oc create -f <datavolume-cloner.yaml> (1)
    1 The file name of the ClusterRole manifest created in the previous step.
  3. Create a RoleBinding manifest that applies to both the source and destination namespaces and references the cluster role created in the previous step.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: <allow-clone-to-user> (1)
      namespace: <Source namespace> (2)
    subjects:
    - kind: serviceAccount
      name: default
      namespace: <Destination namespace> (3)
    roleRef:
      kind: ClusterRole
      name: datavolume-cloner (4)
      apiGroup: rbac.authorization.k8s.io
    1 Unique name for the role binding.
    2 The namespace for the source data volume.
    3 The namespace to which the data volume is cloned.
    4 The name of the cluster role created in the previous step.
  4. Create the role binding in the cluster:

    $ oc create -f <datavolume-cloner.yaml> (1)
    1 The file name of the RoleBinding manifest created in the previous step.