From 788526f8a19531460eab63737f8aa56e535d824d Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Tue, 14 Apr 2026 13:16:47 -0400 Subject: [PATCH 01/21] [CNV-63822] Test plan out-out of role aggregation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit STP ready for QE team review while waiting for upstream merge Co-authored-by: Ramón Lobillo Signed-off-by: albarker-rh --- .../CNV-63822-role-aggregation-opt-out/stp.md | 202 ++++++++++++++++++ 1 file changed, 202 insertions(+) create mode 100644 stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md new file mode 100644 index 0000000..3f9147e --- /dev/null +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md 
@@ -0,0 +1,202 @@ +# Openshift-virtualization-tests Test plan + +## **Role Aggregation Opt-Out - Quality Engineering Plan** + +### **Metadata & Tracking** + +| Field | Details | +|:-----------------------|:--------------------------------------------------------| +| **Enhancement(s)** | KubeVirt PR #16350 (pending merge) | +| **Feature in Jira** | [CNV-63822](https://issues.redhat.com/browse/CNV-63822) | +| **Jira Tracking** | [CNV-63822](https://issues.redhat.com/browse/CNV-63822) | +| **QE Owner(s)** | Ramon Lobillo (@rlobillo) | +| **Owning SIG** | sig-iuo (Install, Upgrade, Operators) | +| **Participating SIGs** | TBD | +| **Current Status** | Draft - Waiting for upstream merge | + +--- + +### **I. Motivation and Requirements Review (QE Review Guidelines)** + +#### **1. Requirement & User Story Review Checklist** + +| Check | Done | Details/Notes | Comments | +|:---------------------------------------|:-----|:--------------------------------------------------------------------------------|:------------------------------------------------------| +| **Review Requirements** | [x] | Admins can disable automatic kubevirt.io role aggregation via config | Per CNV-63822 epic acceptance criteria | +| **Understand Value** | [x] | Enables strict RBAC: users must explicitly get kubevirt.io permissions | Required for regulated/multi-tenant environments | +| **Customer Use Cases** | [x] | Regulated environments, multi-tenant clusters, security-hardened deployments | Aligns with enterprise RBAC requirements | +| **Testability** | [ ] | Blocked until KubeVirt PR #16350 merges; need to confirm field name and API | Cannot implement tests without actual implementation | +| **Acceptance Criteria** | [x] | (1) Config disables aggregation, (2) Users blocked without RoleBinding, (3) RoleBinding grants access | Clearly defined in CNV-63822 | +| **Non-Functional Requirements (NFRs)** | [x] | Security (RBAC hardening), Backward Compatibility (default unchanged) | Upgrade and docs 
coverage required | + +#### **2. Technology and Design Review** + +| Check | Done | Details/Notes | Comments | +|:---------------------------------|:-----|:--------------------------------------------------------------------------------|:------------------------------------------------------| +| **Developer Handoff/QE Kickoff** | [ ] | Pending KubeVirt PR #16350 merge; will schedule once API is confirmed | Need exact config field name and allowed values | +| **Technology Challenges** | [x] | RBAC testing requires unprivileged user (HTPasswd IdP already supported) | Using existing test infrastructure | +| **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | +| **API Extensions** | [ ] | KubeVirt spec field TBD; likely under spec.configuration per PR #16350 | Cannot finalize until upstream merged | +| **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | + +[Kubevirt VEP](https://github.com/kubevirt/enhancements/issues/160) + + +### **II. Software Test Plan (STP)** + +#### **1. Scope of Testing** + +**In Scope:** +- Verify role aggregation can be disabled via hyperconvergeds.hco.kubevirt.io config +- Unprivileged users cannot access kubevirt resources without explicit RoleBinding (when disabled): +- Explicit RoleBindings (admin, edit, view) grant access correctly + - admin = Allows all operations on API group "kubevirt.io", including deletecollection. + - edit = Allows all operations on API group "kubevirt.io" excluding deletecollection operation. + - view = Accepts get list and watch verbs on API group "kubevirt.io", so cannot start/create/update/stop/delete VMs. 
+- Default behavior (role aggregation enabled) remains unchanged +- Configuration preserved across CNV z-stream upgrades +- Backward compatibility validation + +**Out of Scope:** +- Testing OpenShift RBAC infrastructure itself (OCP responsibility) +- Performance impact of RBAC enforcement +- ARM64/s390x architectures (RBAC is architecture-independent) +- External IdP testing beyond HTPasswd (feature is IdP-agnostic) + +#### **2. Testing Goals** + +- [ ] Validate functional test scenarios +- [ ] Automate functional test scenarios for CI integration +- [ ] Verify backward compatibility +- [ ] Verify configuration remains between upgrades + +#### **3. Non-Goals (Testing Scope Exclusions)** + +| Non-Goal | Rationale | PM/ Lead Agreement | +|:----------------------------------------------------------|:------------------------------------------------------------------------------|:-------------------| +| Full regression with opt-out enabled from fresh install | Deferred to post-GA manual testing if time-constrained | [ ] TBD | +| External IdP compatibility (LDAP, Active Directory) | RBAC is IdP-agnostic; HTPasswd testing validates core logic | [ ] TBD | +| Multi-tenant cluster scale testing (100+ users) | RBAC overhead negligible; functional correctness sufficient at smaller scale | [ ] TBD | +| Testing kubevirt.io:migrate role aggregation | kubevirt.io:migrate has no aggregate labels (not a Kubernetes base role); already requires explicit RoleBinding regardless of strategy | [ ] TBD | + +#### **4. Test Strategy** + +##### **A. 
Types of Testing** + +| Item (Testing Type) | Applicable (Y/N or N/A) | Comments | +|:-------------------------------|:------------------------|:---------| +| Functional Testing | Y | Core focus: verify RBAC opt-out behavior | +| Automation Testing | Y | All tests automated in openshift-virtualization-tests | +| Performance Testing | N/A | RBAC checks have negligible impact | +| Security Testing | Y | Feature IS a security enhancement; tested via functional scenarios | +| Usability Testing | N/A | Configuration via YAML, no UI component | +| Compatibility Testing | Y | Backward compatibility with default behavior | +| Regression Testing | Y | Ensure existing CNV functionality unaffected | +| Upgrade Testing | Y | Verify config preserved across z-stream upgrades | +| Backward Compatibility Testing | Y | Default state (opt-out disabled) unchanged | + +##### **B. Potential Areas to Consider** + +| Item | Description | Applicable (Y/N or N/A) | Comment | +|:-----------------------|:----------------------------------------------------------------------------|:------------------------|:--------| +| **Dependencies** | Depends on KubeVirt PR #16350 (upstream) and HCO integration (downstream) | Y | Blocker until upstream merged | +| **Monitoring** | Feature doesn't require metrics/alerts | N/A | RBAC enforcement is transparent | +| **Cross Integrations** | All kubevirt features requiring VM interaction affected by RBAC changes | Y | Verify cluster-admin retains all permissions | +| **UI** | Configuration via HCO/KubeVirt CR YAML only | N/A | No UI component | + +#### **5. 
Test Environment** + +| Environment Component | Configuration | Specification Examples | +|:----------------------------------------------|:-------------------------------|:-------------------------------------------------------------------| +| **Cluster Topology** | Standard or SNO | Feature works on all topologies; multi-node preferred | +| **OCP & OpenShift Virtualization Version(s)** | OCP 4.21+ with CNV 4.22 | Target version where feature introduced | +| **CPU Virtualization** | N/A | Not relevant for RBAC testing | +| **Compute Resources** | Standard cluster resources | Minimum per worker: 4 vCPUs, 16GB RAM | +| **Special Hardware** | N/A | No special hardware required | +| **Storage** | Any RWX storage class | ocs-storagecluster-ceph-rbd-virtualization | +| **Network** | Default (OVN-Kubernetes) | No special network requirements | +| **Required Operators** | OpenShift Virtualization | Standard CNV installation | +| **Platform** | Any supported platform | Prefer AWS or bare-metal for CI integration | +| **Special Configurations** | HTPasswd identity provider | REQUIRED: Must have HTPasswd IdP with unprivileged user | + +#### **5.5. Testing Tools & Frameworks** + +| Category | Tools/Frameworks | +|:-------------------|:-------------------------------------------------------| +| **Test Framework** | ginkgo for tier1 tests inside kubevirt repo | +| | pytest with openshift-virtualization-tests for tier2 tests | +| **CI/CD** | Standard Jenkins CI lanes, no special pipeline needed | +| **Other Tools** | Existing unprivileged_client fixture and RBAC utilities | + +#### **6. Entry Criteria** + +- [ ] KubeVirt PR #16350 **merged** (upstream blocking dependency) +- [ ] HCO downstream implementation **complete** (field integrated into HCO CR) +- [ ] Requirements and design documents approved +- [ ] Test environment configured with HTPasswd IdP +- [ ] Developer Handoff/QE Kickoff meeting completed + +#### **7. 
Risks and Limitations** + +| Risk Category | Specific Risk for This Feature | Mitigation Strategy | Status | +|:---------------------|:--------------------------------------------------------|:--------------------------------------------------------|:-----------| +| Timeline/Schedule | KubeVirt PR #16350 not yet merged; blocks test implementation | Monitor PR status weekly; prepare test infrastructure in parallel | [x] Active | +| Test Coverage | Cannot exhaustively test all RBAC role combinations | Test critical paths (all 4 roles); focus on acceptance criteria | [ ] | +| Test Environment | Requires HTPasswd IdP setup; not all CI lanes support it | Use existing infrastructure; verify CI environment available | [ ] | +| Dependencies | Blocking: PR #16350 merge. Soft: HCO downstream implementation | Track upstream progress; coordinate with HCO team | [x] Active | +| Untestable Aspects | Limited to HTPasswd; cannot test LDAP/AD/OAuth | RBAC logic is IdP-agnostic; HTPasswd validation sufficient | [ ] | + +#### **8. Known Limitations** + +- Feature implementation pending KubeVirt PR #16350 merge (no implementation to test yet) +- Testing scope limited to HTPasswd identity provider +- Upgrade testing from CNV <4.21 only tests "feature not available" → "feature available" scenario +- Cannot test production-scale multi-tenant environments (functional correctness sufficient at smaller scale) + +--- + +### **III. 
Test Scenarios & Traceability** + +| Requirement ID | Requirement Summary | Test Scenario(s) | Test Type(s) | Priority | +|:-------------------------|:-----------------------------------------------------|:------------------------------------------------------------------------|:-----------------|:---------| +| KubeVirt PR #16350 | `RoleAggregationStrategy config should keep aggregate labels when RoleAggregationStrategy is nil` || tier1 automation | P0 | +| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should keep aggregate labels when RoleAggregationStrategy is AggregateToDefault` || tier1 automation | P0 | +| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should create ClusterRole without aggregate labels when RoleAggregationStrategy is Manual` || tier1 auto | P0 | +| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should remove aggregate labels from existing ClusterRole when strategy changes to Manual` || tier1 auto | P0 | +| CNV-63822 (Acceptance 1) | Feature can be enabled via config | Set `spec.roleAggregation.enabled: False` in HCO CR; verify config persists | tier2 automation | P0 | +| CNV-63822 (Acceptance 2) | Unprivileged user blocked without RoleBinding (*Note 1) | Verify ForbiddenError when unprivileged user lacks binding | tier2 automation | P0 | +| CNV-63822 (Acceptance 3) | Explicit RoleBinding grants access (*Note 1) | Verify new user gains access after RoleBinding created | tier2 automation | P0 | +| CNV-63822 (Acceptance 4) | Feature can be disabled via config (*Note 1) | Verify new user gains access after feature disabling | tier2 automation | P0 | +| Default Behavior | Role aggregation enabled by default (Back. 
Comp.)| Verify default config enables automatic role aggregation | Regression | P0 | +| Y Upgrade Testing | Config preserved on Y upgrades (4.21.z → 4.22.0) | Test upgrade path preserves configuration and RBAC behavior | Regression | P0 | + +**Note 1:** Tests should create a ns with one global role assigned at a time and perform below actions to confirm functionality is correctly provided: + +| Global clusterRole | kubevirt.io clusterRole | what can do | what cannot do | +|:-------------------|:------------------------|:------------|:---------------| +| admin | kubevirt.io:admin | deletecollections| nothing | +| edit | kubevirt.io:edit | start/stop VM | deletecollections| +| view | kubevirt.io:view | get VM | start/stop VM| + +**Note 2:** tier2 automation tests can be inspired on *migrate* clusterRole tests: [test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py) + +--- + +### **IV. Sign-off and Approval** + +This Software Test Plan requires approval from the following stakeholders: + +* **Reviewers:** + - [QE Lead / @rnester] + - [sig-iuo representative / @orenc1 @hmeir @OhadRevah albarker-rh] + +* **Approvers:** + - [QE Manager / @kmajcher-rh @fabiand] + - [Product Manager / TBD] + +**Review Status:** +- [X] Draft complete +- [ ] QE team reviewed +- [ ] Dev/Arch reviewed (pending KubeVirt PR #16350 merge) +- [ ] PM approved +- [ ] Ready for implementation From 21181f6a7c9df7e72133f26532bbc3061c5a036a Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Tue, 14 Apr 2026 13:16:52 -0400 Subject: [PATCH 02/21] Address comments and aligning to the newer version of the STP template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ramón Lobillo Signed-off-by: albarker-rh --- .../CNV-63822-role-aggregation-opt-out/stp.md | 161 ++++++++---------- 1 file changed, 69 insertions(+), 92 deletions(-) 
diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md index 3f9147e..5c708ca 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md @@ -6,12 +6,13 @@ | Field | Details | |:-----------------------|:--------------------------------------------------------| -| **Enhancement(s)** | KubeVirt PR #16350 (pending merge) | -| **Feature in Jira** | [CNV-63822](https://issues.redhat.com/browse/CNV-63822) | +| **Enhancement(s)** | [Kubevirt VEP](https://github.com/kubevirt/enhancements/issues/160) | +| |KubeVirt PR #16350 (pending merge) | +| **Feature in Jira** | [CNV-50792](https://issues.redhat.com/browse/CNV-50792) | | **Jira Tracking** | [CNV-63822](https://issues.redhat.com/browse/CNV-63822) | -| **QE Owner(s)** | Ramon Lobillo (@rlobillo) | +| **QE Owner(s)** | Ramon Lobillo (@rlobillo), Alex Barker (@albarker-rh) | | **Owning SIG** | sig-iuo (Install, Upgrade, Operators) | -| **Participating SIGs** | TBD | +| **Participating SIGs** | sig-ui | | **Current Status** | Draft - Waiting for upstream merge | --- 
@@ -22,11 +23,12 @@ | Check | Done | Details/Notes | Comments | |:---------------------------------------|:-----|:--------------------------------------------------------------------------------|:------------------------------------------------------| -| **Review Requirements** | [x] | Admins can disable automatic kubevirt.io role aggregation via config | Per CNV-63822 epic acceptance criteria | -| **Understand Value** | [x] | Enables strict RBAC: users must explicitly get kubevirt.io permissions | Required for regulated/multi-tenant environments | -| **Customer Use Cases** | [x] | Regulated environments, multi-tenant clusters, security-hardened deployments | Aligns with enterprise RBAC requirements | +| **Review Requirements** | [x] | As a cluster-admin I want to decide which users will have access to the virtualization in the cluster. Not all project-admins should have this access but only the eligible ones | Per CNV-50792 feature request | +| **Understand Value** | [x] | A cluster-admin wants to control which users has access to view/create/edit openshift virtualization resources on a given namespace | Per CNV-50792 feature request | +| **Customer Use Cases** | [x] | * multi-tenant clusters|different namespaces are used to allow different workloads and prevent unallowed usage of workload that the tenant is not eligible to us| +| | | * Resources usage control|cluster admin wants to get a request to allow a specific user to create VMs and Storage| | **Testability** | [ ] | Blocked until KubeVirt PR #16350 merges; need to confirm field name and API | Cannot implement tests without actual implementation | -| **Acceptance Criteria** | [x] | (1) Config disables aggregation, (2) Users blocked without RoleBinding, (3) RoleBinding grants access | Clearly defined in CNV-63822 | +| **Acceptance Criteria** | [x] | (1) Config disables aggregation, (2) Users blocked without RoleBinding, (3) RoleBinding grants access | Defined in CNV-63822 epic | | **Non-Functional 
Requirements (NFRs)** | [x] | Security (RBAC hardening), Backward Compatibility (default unchanged) | Upgrade and docs coverage required | #### **2. Technology and Design Review** 
@@ -34,118 +36,99 @@ | Check | Done | Details/Notes | Comments | |:---------------------------------|:-----|:--------------------------------------------------------------------------------|:------------------------------------------------------| | **Developer Handoff/QE Kickoff** | [ ] | Pending KubeVirt PR #16350 merge; will schedule once API is confirmed | Need exact config field name and allowed values | -| **Technology Challenges** | [x] | RBAC testing requires unprivileged user (HTPasswd IdP already supported) | Using existing test infrastructure | +| **Technology Challenges** | [x] | N/A || | **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | | **API Extensions** | [ ] | KubeVirt spec field TBD; likely under spec.configuration per PR #16350 | Cannot finalize until upstream merged | | **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | -[Kubevirt VEP](https://github.com/kubevirt/enhancements/issues/160) ### **II. Software Test Plan (STP)** #### **1. Scope of Testing** -**In Scope:** -- Verify role aggregation can be disabled via hyperconvergeds.hco.kubevirt.io config -- Unprivileged users cannot access kubevirt resources without explicit RoleBinding (when disabled): -- Explicit RoleBindings (admin, edit, view) grant access correctly - - admin = Allows all operations on API group "kubevirt.io", including deletecollection. - - edit = Allows all operations on API group "kubevirt.io" excluding deletecollection operation. - - view = Accepts get list and watch verbs on API group "kubevirt.io", so cannot start/create/update/stop/delete VMs. 
-- Default behavior (role aggregation enabled) remains unchanged -- Configuration preserved across CNV z-stream upgrades -- Backward compatibility validation +**Testing Goals** +- [P0] Verify opt-out role aggregation can be enabled via hyperconvergeds.hco.kubevirt.io config +- [P0] Unprivileged users cannot access kubevirt resources without explicit RoleBinding when feature is enabled +- [P0] Unprivileged users cannot access Virtualization view in UI without explicit RoleBinding when feature is enabled +- [P0] Explicit RoleBindings (admin, edit, view) grant access correctly +- [P0] Verify opt-out role aggregation can be disabled via hyperconvergeds.hco.kubevirt.io config -**Out of Scope:** -- Testing OpenShift RBAC infrastructure itself (OCP responsibility) -- Performance impact of RBAC enforcement -- ARM64/s390x architectures (RBAC is architecture-independent) -- External IdP testing beyond HTPasswd (feature is IdP-agnostic) - -#### **2. Testing Goals** +**Backward compatibility Goals** -- [ ] Validate functional test scenarios -- [ ] Automate functional test scenarios for CI integration -- [ ] Verify backward compatibility -- [ ] Verify configuration remains between upgrades +- [P0] Default behavior (role aggregation enabled) remains unchanged +- [P0] Default behaviour is preserved across CNV z-stream upgrades -#### **3. 
Non-Goals (Testing Scope Exclusions)** +**Out of Scope:** -| Non-Goal | Rationale | PM/ Lead Agreement | +| Out-of-Scope Item | Rationale | PM/ Lead Agreement | |:----------------------------------------------------------|:------------------------------------------------------------------------------|:-------------------| -| Full regression with opt-out enabled from fresh install | Deferred to post-GA manual testing if time-constrained | [ ] TBD | +| Testing OpenShift RBAC infrastructure itself | OCP responsibility | [ ] TBD | +| Testing all rules within kubevirt.io roles | kubevirt.io:{admin,edit,view} clusterroles contains rules that are not affected by this feature | [ ] TBD | | External IdP compatibility (LDAP, Active Directory) | RBAC is IdP-agnostic; HTPasswd testing validates core logic | [ ] TBD | | Multi-tenant cluster scale testing (100+ users) | RBAC overhead negligible; functional correctness sufficient at smaller scale | [ ] TBD | -| Testing kubevirt.io:migrate role aggregation | kubevirt.io:migrate has no aggregate labels (not a Kubernetes base role); already requires explicit RoleBinding regardless of strategy | [ ] TBD | +| Testing kubevirt.io:migrate role aggregation | Already covered on tier2 regression testing: [test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py) | [ ] TBD | -#### **4. Test Strategy** -##### **A. Types of Testing** +#### **2. 
Test Strategy** -| Item (Testing Type) | Applicable (Y/N or N/A) | Comments | -|:-------------------------------|:------------------------|:---------| -| Functional Testing | Y | Core focus: verify RBAC opt-out behavior | -| Automation Testing | Y | All tests automated in openshift-virtualization-tests | -| Performance Testing | N/A | RBAC checks have negligible impact | -| Security Testing | Y | Feature IS a security enhancement; tested via functional scenarios | -| Usability Testing | N/A | Configuration via YAML, no UI component | -| Compatibility Testing | Y | Backward compatibility with default behavior | -| Regression Testing | Y | Ensure existing CNV functionality unaffected | -| Upgrade Testing | Y | Verify config preserved across z-stream upgrades | -| Backward Compatibility Testing | Y | Default state (opt-out disabled) unchanged | +| Item | Description | Applicable (Y/N or N/A) | Comments | +|:-------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------| +| Functional Testing | Validates that the feature works according to specified requirements and user stories | Y | Core focus: verify RBAC opt-out behaviour | +| Automation Testing | Ensures test cases are automated for continuous integration and regression coverage | Y | | +| Performance Testing | Validates feature performance meets requirements (latency, throughput, resource usage) | N/A | | +| Security Testing | Verifies security requirements, RBAC, authentication, authorization, and vulnerability scanning | Y | Feature is a security enhancement | +| Usability Testing | Validates user experience, UI/UX consistency, and accessibility requirements. Does the feature require UI? 
If so, ensure the UI aligns with the requirements | Y | unprivileged user should not see Virtualization view on UI with feature Enabled | +| Compatibility Testing | Ensures feature works across supported platforms, versions, and configurations | Y | default behaviour will not change | +| Regression Testing | Verifies that new changes do not break existing functionality | Y | | +| Upgrade Testing | Validates upgrade paths from previous versions, data migration, and configuration preservation | Y | | +| Backward Compatibility Testing | Ensures feature maintains compatibility with previous API versions and configurations | Y | | +| Dependencies | Dependent on deliverables from other components/products? Identify what is tested by which team. | N | | +| Cross Integrations | Does the feature affect other features/require testing by other components? Identify what is tested by which team. | Y | UI | +| Monitoring | Does the feature require metrics and/or alerts? | N | | +| Cloud Testing | Does the feature require multi-cloud platform testing? Consider cloud-specific features. | N | | -##### **B. Potential Areas to Consider** -| Item | Description | Applicable (Y/N or N/A) | Comment | -|:-----------------------|:----------------------------------------------------------------------------|:------------------------|:--------| -| **Dependencies** | Depends on KubeVirt PR #16350 (upstream) and HCO integration (downstream) | Y | Blocker until upstream merged | -| **Monitoring** | Feature doesn't require metrics/alerts | N/A | RBAC enforcement is transparent | -| **Cross Integrations** | All kubevirt features requiring VM interaction affected by RBAC changes | Y | Verify cluster-admin retains all permissions | -| **UI** | Configuration via HCO/KubeVirt CR YAML only | N/A | No UI component | - -#### **5. Test Environment** +#### **3. 
Test Environment** | Environment Component | Configuration | Specification Examples | |:----------------------------------------------|:-------------------------------|:-------------------------------------------------------------------| | **Cluster Topology** | Standard or SNO | Feature works on all topologies; multi-node preferred | -| **OCP & OpenShift Virtualization Version(s)** | OCP 4.21+ with CNV 4.22 | Target version where feature introduced | +| **OCP & OpenShift Virtualization Version(s)** | OCP 4.22 with CNV 4.22 | Target version where feature introduced | | **CPU Virtualization** | N/A | Not relevant for RBAC testing | | **Compute Resources** | Standard cluster resources | Minimum per worker: 4 vCPUs, 16GB RAM | | **Special Hardware** | N/A | No special hardware required | | **Storage** | Any RWX storage class | ocs-storagecluster-ceph-rbd-virtualization | | **Network** | Default (OVN-Kubernetes) | No special network requirements | | **Required Operators** | OpenShift Virtualization | Standard CNV installation | -| **Platform** | Any supported platform | Prefer AWS or bare-metal for CI integration | +| **Platform** | Any supported platform | | | **Special Configurations** | HTPasswd identity provider | REQUIRED: Must have HTPasswd IdP with unprivileged user | -#### **5.5. Testing Tools & Frameworks** +#### **3.1. Testing Tools & Frameworks** -| Category | Tools/Frameworks | -|:-------------------|:-------------------------------------------------------| -| **Test Framework** | ginkgo for tier1 tests inside kubevirt repo | -| | pytest with openshift-virtualization-tests for tier2 tests | -| **CI/CD** | Standard Jenkins CI lanes, no special pipeline needed | -| **Other Tools** | Existing unprivileged_client fixture and RBAC utilities | +| Category | Tools/Frameworks | +|:-------------------|:-----------------| +| **Test Framework** | | +| **CI/CD** | | +| **Other Tools** | | -#### **6. Entry Criteria** +#### **4. 
Entry Criteria** - [ ] KubeVirt PR #16350 **merged** (upstream blocking dependency) - [ ] HCO downstream implementation **complete** (field integrated into HCO CR) - [ ] Requirements and design documents approved -- [ ] Test environment configured with HTPasswd IdP - [ ] Developer Handoff/QE Kickoff meeting completed -#### **7. Risks and Limitations** +#### **5. Risks** | Risk Category | Specific Risk for This Feature | Mitigation Strategy | Status | |:---------------------|:--------------------------------------------------------|:--------------------------------------------------------|:-----------| | Timeline/Schedule | KubeVirt PR #16350 not yet merged; blocks test implementation | Monitor PR status weekly; prepare test infrastructure in parallel | [x] Active | | Test Coverage | Cannot exhaustively test all RBAC role combinations | Test critical paths (all 4 roles); focus on acceptance criteria | [ ] | -| Test Environment | Requires HTPasswd IdP setup; not all CI lanes support it | Use existing infrastructure; verify CI environment available | [ ] | | Dependencies | Blocking: PR #16350 merge. Soft: HCO downstream implementation | Track upstream progress; coordinate with HCO team | [x] Active | | Untestable Aspects | Limited to HTPasswd; cannot test LDAP/AD/OAuth | RBAC logic is IdP-agnostic; HTPasswd validation sufficient | [ ] | + #### **8. Known Limitations** - Feature implementation pending KubeVirt PR #16350 merge (no implementation to test yet) 
@@ -159,26 +142,19 @@ | Requirement ID | Requirement Summary | Test Scenario(s) | Test Type(s) | Priority | |:-------------------------|:-----------------------------------------------------|:------------------------------------------------------------------------|:-----------------|:---------| -| KubeVirt PR #16350 | `RoleAggregationStrategy config should keep aggregate labels when RoleAggregationStrategy is nil` || tier1 automation | P0 | -| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should keep aggregate labels when RoleAggregationStrategy is AggregateToDefault` || tier1 automation | P0 | -| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should create ClusterRole without aggregate labels when RoleAggregationStrategy is Manual` || tier1 auto | P0 | -| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should remove aggregate labels from existing ClusterRole when strategy changes to Manual` || tier1 auto | P0 | -| CNV-63822 (Acceptance 1) | Feature can be enabled via config | Set `spec.roleAggregation.enabled: False` in HCO CR; verify config persists | tier2 automation | P0 | -| CNV-63822 (Acceptance 2) | Unprivileged user blocked without RoleBinding (*Note 1) | Verify ForbiddenError when unprivileged user lacks binding | tier2 automation | P0 | -| CNV-63822 (Acceptance 3) | Explicit RoleBinding grants access (*Note 1) | Verify new user gains access after RoleBinding created | tier2 automation | P0 | -| CNV-63822 (Acceptance 4) | Feature can be disabled via config (*Note 1) | Verify new user gains access after feature disabling | tier2 automation | P0 | -| Default Behavior | Role aggregation enabled by default (Back. 
Comp.)| Verify default config enables automatic role aggregation | Regression | P0 | -| Y Upgrade Testing | Config preserved on Y upgrades (4.21.z → 4.22.0) | Test upgrade path preserves configuration and RBAC behavior | Regression | P0 | - -**Note 1:** Tests should create a ns with one global role assigned at a time and perform below actions to confirm functionality is correctly provided: - -| Global clusterRole | kubevirt.io clusterRole | what can do | what cannot do | -|:-------------------|:------------------------|:------------|:---------------| -| admin | kubevirt.io:admin | deletecollections| nothing | -| edit | kubevirt.io:edit | start/stop VM | deletecollections| -| view | kubevirt.io:view | get VM | start/stop VM| - -**Note 2:** tier2 automation tests can be inspired on *migrate* clusterRole tests: [test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py) +| KubeVirt PR #16350 | `RoleAggregationStrategy config should keep aggregate labels when RoleAggregationStrategy is nil` | | tier1 automation | P0 | +| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should keep aggregate labels when RoleAggregationStrategy is AggregateToDefault` | | tier1 automation | P0 | +| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should create ClusterRole without aggregate labels when RoleAggregationStrategy is Manual` | | tier1 auto | P0 | +| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should remove aggregate labels from existing ClusterRole when strategy changes to Manual` | | tier1 auto | P0 | +| CNV-63822 | As an admin I can enable the feature via config in hyperconverged CR | Verify config persists once enabled | tier2 automation | P0 | +| | As an unprivileged user with admin role on a namespace, I cannot navigate into the virtualization view on openshift UI | Verify unprivileged user cannot see the view | 
tier2 automation | P0 | +| | As an unprivileged user with admin role on a namespace, I cannot perform kubevirt.io:admin actions with feature enabled | Verify ForbiddenError is returned | tier2 automation | P0 | +| | As an unprivileged user with edit role on a namespace, I cannot perform kubevirt.io:edit actions with feature enabled | Verify ForbiddenError is returned | tier2 automation | P0 | +| | As an unprivileged user with view role on a namespace, I cannot perform kubevirt.io:view actions with feature enabled| Verify ForbiddenError is returned | tier2 automation | P0 | +| | As an admin, I can add roleBinding kubevirt.io:admin to unprevileged user in a namespace with feature enabled| Verify unprivileged user can perform kubevirt.io:admin action | tier2 automation | P0 | +| | As an admin, I can add roleBinding kubevirt.io:edit to unprevileged user in a namespace with feature enabled| Verify unprivileged user can perform kubevirt.io:edit action | tier2 automation | P0 | +| | As an admin, I can add roleBinding kubevirt.io:view to unprevileged user in a namespace with feature enabled| Verify unprivileged user can perform kubevirt.io:view action | tier2 automation | P0 | +| | As an admin, I can disable the feature via config in hyperconverged CR | Verify config persists once disabled and unprivileged user with admin role in a namespace can perform kubevirt:admin action | tier2 automation | P0 | --- @@ -188,11 +164,12 @@ This Software Test Plan requires approval from the following stakeholders: * **Reviewers:** - [QE Lead / @rnester] - - [sig-iuo representative / @orenc1 @hmeir @OhadRevah albarker-rh] + - [sig-iuo representative / @orenc1 @hmeir @OhadRevah @albarker-rh] + - [sig-ui representative / @gouyang] * **Approvers:** - [QE Manager / @kmajcher-rh @fabiand] - - [Product Manager / TBD] + - [Product Manager / Ronen Sde-Or] **Review Status:** - [X] Draft complete From 1b0b929a454164d9f7c97d4aa42e3e977c8e26bc Mon Sep 17 00:00:00 2001 
From: albarker-rh Date: Tue, 14 Apr 2026 13:16:57 -0400 Subject: [PATCH 03/21] Address second round of comments and update status MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ramón Lobillo Signed-off-by: albarker-rh --- ... => CNV-63822-role-aggregation-opt-out.md} | 40 ++++++++----------- 1 file changed, 17 insertions(+), 23 deletions(-) rename stps/sig-iuo/{CNV-63822-role-aggregation-opt-out/stp.md => CNV-63822-role-aggregation-opt-out.md} (80%) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md similarity index 80% rename from stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md rename to stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 5c708ca..a79a64b 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md @@ -7,13 +7,12 @@ | Field | Details | |:-----------------------|:--------------------------------------------------------| | **Enhancement(s)** | [Kubevirt VEP](https://github.com/kubevirt/enhancements/issues/160) | -| |KubeVirt PR #16350 (pending merge) | | **Feature in Jira** | [CNV-50792](https://issues.redhat.com/browse/CNV-50792) | | **Jira Tracking** | [CNV-63822](https://issues.redhat.com/browse/CNV-63822) | | **QE Owner(s)** | Ramon Lobillo (@rlobillo), Alex Barker (@albarker-rh) | | **Owning SIG** | sig-iuo (Install, Upgrade, Operators) | | **Participating SIGs** | sig-ui | -| **Current Status** | Draft - Waiting for upstream merge | +| **Current Status** | Draft | --- 
@@ -27,7 +26,7 @@ | **Understand Value** | [x] | A cluster-admin wants to control which users has access to view/create/edit openshift virtualization resources on a given namespace | Per CNV-50792 feature request | | **Customer Use Cases** | [x] | * multi-tenant clusters|different namespaces are used to allow different workloads and prevent unallowed usage of workload that the tenant is not eligible to us| | | | * Resources usage control|cluster admin wants to get a request to allow a specific user to create VMs and Storage| -| **Testability** | [ ] | Blocked until KubeVirt PR #16350 merges; need to confirm field name and API | Cannot implement tests without actual implementation | +| **Testability** | [ ] | Blocked until HCO API modification is available; need to confirm field name and API | Cannot implement tests without actual implementation | | **Acceptance Criteria** | [x] | (1) Config disables aggregation, (2) Users blocked without RoleBinding, (3) RoleBinding grants access | Defined in CNV-63822 epic | | **Non-Functional Requirements (NFRs)** | [x] | Security (RBAC hardening), Backward Compatibility (default unchanged) | Upgrade and docs coverage required | 
@@ -35,10 +34,10 @@ | Check | Done | Details/Notes | Comments | |:---------------------------------|:-----|:--------------------------------------------------------------------------------|:------------------------------------------------------| -| **Developer Handoff/QE Kickoff** | [ ] | Pending KubeVirt PR #16350 merge; will schedule once API is confirmed | Need exact config field name and allowed values | +| **Developer Handoff/QE Kickoff** | [x] ||| | **Technology Challenges** | [x] | N/A || | **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | -| **API Extensions** | [ ] | KubeVirt spec field TBD; likely under spec.configuration per PR #16350 | Cannot finalize until upstream merged | +| **API Extensions** | [ ] | hco spec field TBD; | Cannot finalize until feature is completely implemented | | **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | @@ -50,7 +49,6 @@ **Testing Goals** - [P0] Verify opt-out role aggregation can be enabled via hyperconvergeds.hco.kubevirt.io config - [P0] Unprivileged users cannot access kubevirt resources without explicit RoleBinding when feature is enabled -- [P0] Unprivileged users cannot access Virtualization view in UI without explicit RoleBinding when feature is enabled - [P0] Explicit RoleBindings (admin, edit, view) grant access correctly - [P0] Verify opt-out role aggregation can be disabled via hyperconvergeds.hco.kubevirt.io config 
@@ -78,7 +76,7 @@ | Automation Testing | Ensures test cases are automated for continuous integration and regression coverage | Y | | | Performance Testing | Validates feature performance meets requirements (latency, throughput, resource usage) | N/A | | | Security Testing | Verifies security requirements, RBAC, authentication, authorization, and vulnerability scanning | Y | Feature is a security enhancement | -| Usability Testing | Validates user experience, UI/UX consistency, and accessibility requirements. Does the feature require UI? If so, ensure the UI aligns with the requirements | Y | unprivileged user should not see Virtualization view on UI with feature Enabled | +| Usability Testing | Validates user experience, UI/UX consistency, and accessibility requirements. Does the feature require UI? If so, ensure the UI aligns with the requirements | Y | [CNV-80935](https://issues.redhat.com/browse/CNV-80935) | | Compatibility Testing | Ensures feature works across supported platforms, versions, and configurations | Y | default behaviour will not change | | Regression Testing | Verifies that new changes do not break existing functionality | Y | | | Upgrade Testing | Validates upgrade paths from previous versions, data migration, and configuration preservation | Y | | @@ -114,7 +112,7 @@ #### **4. Entry Criteria** -- [ ] KubeVirt PR #16350 **merged** (upstream blocking dependency) +- [X] KubeVirt PR #16350 **merged** - [ ] HCO downstream implementation **complete** (field integrated into HCO CR) - [ ] Requirements and design documents approved - [ ] Developer Handoff/QE Kickoff meeting completed 
@@ -123,18 +121,15 @@ | Risk Category | Specific Risk for This Feature | Mitigation Strategy | Status | |:---------------------|:--------------------------------------------------------|:--------------------------------------------------------|:-----------| -| Timeline/Schedule | KubeVirt PR #16350 not yet merged; blocks test implementation | Monitor PR status weekly; prepare test infrastructure in parallel | [x] Active | +| IU adaptations | The feature description mentions IU changes that are still pending to concrete | Discussion started and will be tracked with IU team | [x] Active | | Test Coverage | Cannot exhaustively test all RBAC role combinations | Test critical paths (all 4 roles); focus on acceptance criteria | [ ] | -| Dependencies | Blocking: PR #16350 merge. Soft: HCO downstream implementation | Track upstream progress; coordinate with HCO team | [x] Active | +| Dependencies | HCO downstream implementation | Track progress and coordinate with HCO team | [x] Active | | Untestable Aspects | Limited to HTPasswd; cannot test LDAP/AD/OAuth | RBAC logic is IdP-agnostic; HTPasswd validation sufficient | [ ] | #### **8. Known Limitations** -- Feature implementation pending KubeVirt PR #16350 merge (no implementation to test yet) -- Testing scope limited to HTPasswd identity provider -- Upgrade testing from CNV <4.21 only tests "feature not available" → "feature available" scenario -- Cannot test production-scale multi-tenant environments (functional correctness sufficient at smaller scale) +No limitations. --- 
@@ -146,14 +141,13 @@ | KubeVirt PR #16350 | `RoleAggregationStrategy configuration should keep aggregate labels when RoleAggregationStrategy is AggregateToDefault` | | tier1 automation | P0 | | KubeVirt PR #16350 | `RoleAggregationStrategy configuration should create ClusterRole without aggregate labels when RoleAggregationStrategy is Manual` | | tier1 auto | P0 | | KubeVirt PR #16350 | `RoleAggregationStrategy configuration should remove aggregate labels from existing ClusterRole when strategy changes to Manual` | | tier1 auto | P0 | -| CNV-63822 | As an admin I can enable the feature via config in hyperconverged CR | Verify config persists once enabled | tier2 automation | P0 | -| | As an unprivileged user with admin role on a namespace, I cannot navigate into the virtualization view on openshift UI | Verify unprivileged user cannot see the view | tier2 automation | P0 | -| | As an unprivileged user with admin role on a namespace, I cannot perform kubevirt.io:admin actions with feature enabled | Verify ForbiddenError is returned | tier2 automation | P0 | -| | As an unprivileged user with edit role on a namespace, I cannot perform kubevirt.io:edit actions with feature enabled | Verify ForbiddenError is returned | tier2 automation | P0 | -| | As an unprivileged user with view role on a namespace, I cannot perform kubevirt.io:view actions with feature enabled| Verify ForbiddenError is returned | tier2 automation | P0 | -| | As an admin, I can add roleBinding kubevirt.io:admin to unprevileged user in a namespace with feature enabled| Verify unprivileged user can perform kubevirt.io:admin action | tier2 automation | P0 | -| | As an admin, I can add roleBinding kubevirt.io:edit to unprevileged user in a namespace with feature enabled| Verify unprivileged user can perform kubevirt.io:edit action | tier2 automation | P0 | -| | As an admin, I can add roleBinding kubevirt.io:view to unprevileged user in a namespace with feature enabled| Verify unprivileged user can 
perform kubevirt.io:view action | tier2 automation | P0 | +| CNV-63822 | As an admin, I can enable the feature via config in hyperconverged CR | Verify config persists once enabled | tier2 automation | P0 | +| | As an admin, I can enable the feature so an unprivileged user with admin role on a namespace cannot perform kubevirt.io:admin actions | Verify user gets ForbiddenError | tier2 automation | P0 | +| | As an admin, I can enable the feature so an unprivileged user with edit role on a namespace cannot perform kubevirt.io:edit actions | Verify user gets ForbiddenError | tier2 automation | P0 | +| | As an admin, I can enable the feature so an unprivileged user with view role on a namespace cannot perform kubevirt.io:view actions | Verify user getse ForbiddenError | tier2 automation | P0 | +| | As an admin, I can specifically add kubevirt.io:admin permissions to an unprivileged user in a namespace when feature is enabled| Verify user can perform action | tier2 automation | P0 | +| | As an admin, I can specifically add kubevirt.io:edit permissions to an unprivileged user in a namespace when feature is enabled| Verify user can perform action | tier2 automation | P0 | +| | As an admin, I can specifically add kubevirt.io:view permissions to an unprivileged user in a namespace when feature is enabled| Verify user can perform action | tier2 automation | P0 | | | As an admin, I can disable the feature via config in hyperconverged CR | Verify config persists once disabled and unprivileged user with admin role in a namespace can perform kubevirt:admin action | tier2 automation | P0 | --- @@ -174,6 +168,6 @@ This Software Test Plan requires approval from the following stakeholders: **Review Status:** - [X] Draft complete - [ ] QE team reviewed -- [ ] Dev/Arch reviewed (pending KubeVirt PR #16350 merge) +- [ ] Dev/Arch reviewed - [ ] PM approved - [ ] Ready for implementation From dcd160b480efa4fc8dfd7bd8fc1e1409d9f96a1e Mon Sep 17 00:00:00 2001 
From: albarker-rh Date: Mon, 13 Apr 2026 10:40:56 -0400 Subject: [PATCH 04/21] hco implementation completed Signed-off-by: albarker-rh --- .../CNV-63822-role-aggregation-opt-out.md | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index a79a64b..146f83d 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -20,25 +20,25 @@ #### **1. Requirement & User Story Review Checklist** -| Check | Done | Details/Notes | Comments | -|:---------------------------------------|:-----|:--------------------------------------------------------------------------------|:------------------------------------------------------| -| **Review Requirements** | [x] | As a cluster-admin I want to decide which users will have access to the virtualization in the cluster. Not all project-admins should have this access but only the eligible ones | Per CNV-50792 feature request | -| **Understand Value** | [x] | A cluster-admin wants to control which users has access to view/create/edit openshift virtualization resources on a given namespace | Per CNV-50792 feature request | -| **Customer Use Cases** | [x] | * multi-tenant clusters|different namespaces are used to allow different workloads and prevent unallowed usage of workload that the tenant is not eligible to us| -| | | * Resources usage control|cluster admin wants to get a request to allow a specific user to create VMs and Storage| -| **Testability** | [ ] | Blocked until HCO API modification is available; need to confirm field name and API | Cannot implement tests without actual implementation | -| **Acceptance Criteria** | [x] | (1) Config disables aggregation, (2) Users blocked without RoleBinding, (3) RoleBinding grants access | Defined in CNV-63822 epic | -| **Non-Functional Requirements (NFRs)** | [x] | Security (RBAC hardening), Backward Compatibility (default unchanged) | Upgrade and docs coverage required | +| Check | Done | Details/Notes | Comments | +|:---------------------------------------|:-----|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------| +| **Review Requirements** | [x] | As a cluster-admin I want to decide which users will have access to 
the virtualization in the cluster. Not all project-admins should have this access but only the eligible ones | Per CNV-50792 feature request | +| **Understand Value** | [x] | A cluster-admin wants to control which users has access to view/create/edit openshift virtualization resources on a given namespace | Per CNV-50792 feature request | +| **Customer Use Cases** | [x] | * multi-tenant clusters |different namespaces are used to allow different workloads and prevent unallowed usage of workload that the tenant is not eligible to us| +| | | * Resources usage control |cluster admin wants to get a request to allow a specific user to create VMs and Storage| +| **Testability** | [x] | HCO API modification is available with feature gate OptOutRoleAggregation and field roleAggregationStrategy | Ready to implement tests | +| **Acceptance Criteria** | [x] | (1) Config disables aggregation, (2) Users blocked without RoleBinding, (3) RoleBinding grants access | Defined in CNV-63822 epic | +| **Non-Functional Requirements (NFRs)** | [x] | Security (RBAC hardening), Backward Compatibility (default unchanged) | Upgrade and docs coverage required | #### **2. 
Technology and Design Review** -| Check | Done | Details/Notes | Comments | -|:---------------------------------|:-----|:--------------------------------------------------------------------------------|:------------------------------------------------------| -| **Developer Handoff/QE Kickoff** | [x] ||| -| **Technology Challenges** | [x] | N/A || -| **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | -| **API Extensions** | [ ] | hco spec field TBD; | Cannot finalize until feature is completely implemented | -| **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | +| Check | Done | Details/Notes | Comments | +|:---------------------------------|:-----|:----------------------------------------------------------------------------|:-------------------------------------------------| +| **Developer Handoff/QE Kickoff** | [x] | | | +| **Technology Challenges** | [x] | N/A | | +| **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | +| **API Extensions** | [x] | HCO spec field roleAggregationStrategy; | Feature is implemented | +| **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | 
@@ -113,18 +113,18 @@ #### **4. Entry Criteria** - [X] KubeVirt PR #16350 **merged** -- [ ] HCO downstream implementation **complete** (field integrated into HCO CR) +- [X] HCO downstream implementation **complete** (field integrated into HCO CR) - [ ] Requirements and design documents approved - [ ] Developer Handoff/QE Kickoff meeting completed #### **5. Risks** -| Risk Category | Specific Risk for This Feature | Mitigation Strategy | Status | -|:---------------------|:--------------------------------------------------------|:--------------------------------------------------------|:-----------| -| IU adaptations | The feature description mentions IU changes that are still pending to concrete | Discussion started and will be tracked with IU team | [x] Active | -| Test Coverage | Cannot exhaustively test all RBAC role combinations | Test critical paths (all 4 roles); focus on acceptance criteria | [ ] | -| Dependencies | HCO downstream implementation | Track progress and coordinate with HCO team | [x] Active | -| Untestable Aspects | Limited to HTPasswd; cannot test LDAP/AD/OAuth | RBAC logic is IdP-agnostic; HTPasswd validation sufficient | [ ] | +| Risk Category | Specific Risk for This Feature | Mitigation Strategy | Status | +|:-------------------|:-------------------------------------------------------------------------------|:----------------------------------------------------------------|:-----------| +| UI adaptations | The feature description mentions UI changes that are still pending to concrete | Discussion started and will be tracked with UI team | [x] Active | +| Test Coverage | Cannot exhaustively test all RBAC role combinations | Test critical paths (all 3 roles); focus on acceptance criteria | [ ] | +| Dependencies | HCO downstream implementation | Track progress and coordinate with HCO team | [ ] | +| Untestable Aspects | Limited to HTPasswd; cannot test LDAP/AD/OAuth | RBAC logic is IdP-agnostic; HTPasswd validation sufficient | [ ] | #### **8. 
Known Limitations** From 3a9c2b5ef9ad26f07e74b9b44bcd582bd8142f5f Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Tue, 14 Apr 2026 09:44:55 -0400 Subject: [PATCH 05/21] updated stp using new AGENTS.md specification Signed-off-by: albarker-rh --- .../CNV-63822-role-aggregation-opt-out.md | 157 ++++++++++-------- 1 file changed, 91 insertions(+), 66 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 146f83d..fdbf7b3 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md @@ -14,6 +14,19 @@ | **Participating SIGs** | sig-ui | | **Current Status** | Draft | +**Document Conventions (if applicable):** N/A — no feature-specific terms required. + +### **Feature Overview** + +Role Aggregation Opt-Out gives cluster administrators the ability to control which users can +access OpenShift Virtualization resources on a per-namespace basis. By default, OpenShift +Virtualization grants all project administrators, editors, and viewers automatic access to +virtualization resources through role aggregation. When opt-out is enabled, this automatic +access is removed, and administrators must explicitly grant virtualization permissions to +individual users through role bindings. This feature supports multi-tenant environments where +not all users should have access to virtualization workloads, and enables fine-grained control +over resource usage across namespaces. + --- ### **I. Motivation and Requirements Review (QE Review Guidelines)** 
@@ -26,19 +39,24 @@ | **Understand Value** | [x] | A cluster-admin wants to control which users has access to view/create/edit openshift virtualization resources on a given namespace | Per CNV-50792 feature request | | **Customer Use Cases** | [x] | * multi-tenant clusters |different namespaces are used to allow different workloads and prevent unallowed usage of workload that the tenant is not eligible to us| | | | * Resources usage control |cluster admin wants to get a request to allow a specific user to create VMs and Storage| -| **Testability** | [x] | HCO API modification is available with feature gate OptOutRoleAggregation and field roleAggregationStrategy | Ready to implement tests | -| **Acceptance Criteria** | [x] | (1) Config disables aggregation, (2) Users blocked without RoleBinding, (3) RoleBinding grants access | Defined in CNV-63822 epic | -| **Non-Functional Requirements (NFRs)** | [x] | Security (RBAC hardening), Backward Compatibility (default unchanged) | Upgrade and docs coverage required | +| **Testability** | [x] | All requirements are testable through standard API and RBAC validation | Ready to implement tests | +| **Acceptance Criteria** | [x] | (1) When opt-out is enabled, a project admin in a namespace receives Forbidden when attempting virtualization actions (2) When opt-out is enabled, explicit role bindings for admin/edit/view grant the corresponding virtualization access (3) When opt-out is disabled (default), all users with project roles retain automatic access — no change from previous releases (4) Configuration changes persist without cluster restart | Defined in CNV-63822 epic | +| **Non-Functional Requirements (NFRs)** | [x] | Security: RBAC hardening — users blocked without explicit grant. Backward Compatibility: default unchanged. UI: console changes tracked under CNV-80935. Docs: user-facing documentation required. Performance: N/A — negligible RBAC overhead. 
Monitoring: N/A — no new metrics/alerts, uses standard Kubernetes RBAC. Scalability: N/A — scales with Kubernetes natively. Observability: N/A — standard audit logging covers RBAC decisions | Upgrade and docs coverage required | -#### **2. Technology and Design Review** +#### **2. Known Limitations** -| Check | Done | Details/Notes | Comments | -|:---------------------------------|:-----|:----------------------------------------------------------------------------|:-------------------------------------------------| -| **Developer Handoff/QE Kickoff** | [x] | | | -| **Technology Challenges** | [x] | N/A | | -| **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | -| **API Extensions** | [x] | HCO spec field roleAggregationStrategy; | Feature is implemented | -| **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | +None — reviewed and confirmed with [Name/Date — TBD] that no feature limitations apply for +this release. + +#### **3. Technology and Design Review** + +| Check | Done | Details/Notes | Comments | +|:---------------------------------|:-----|:-------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------| +| **Developer Handoff/QE Kickoff** | [x] | The feature is behind a KubeVirt feature-gate. 
When the feature is enabled in Openshift, HCO will automatically add the feature-gate | | +| **Technology Challenges** | [x] | N/A | | +| **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | +| **API Extensions** | [x] | New cluster-level configuration field to control role aggregation behavior (default: enabled, opt-out: manual) | Tests must validate config changes and downstream RBAC effects | +| **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | 
@@ -47,44 +65,54 @@ #### **1. Scope of Testing** **Testing Goals** -- [P0] Verify opt-out role aggregation can be enabled via hyperconvergeds.hco.kubevirt.io config -- [P0] Unprivileged users cannot access kubevirt resources without explicit RoleBinding when feature is enabled -- [P0] Explicit RoleBindings (admin, edit, view) grant access correctly -- [P0] Verify opt-out role aggregation can be disabled via hyperconvergeds.hco.kubevirt.io config - -**Backward compatibility Goals** -- [P0] Default behavior (role aggregation enabled) remains unchanged -- [P0] Default behaviour is preserved across CNV z-stream upgrades +- **[P0]** Verify a cluster administrator can enable role aggregation opt-out through the cluster configuration and the setting persists +- **[P0]** Verify that when opt-out is enabled, an unprivileged user with a project admin role cannot perform virtualization admin actions (receives Forbidden error) +- **[P0]** Verify that when opt-out is enabled, an unprivileged user with an edit role cannot perform virtualization edit actions (receives Forbidden error) +- **[P0]** Verify that when opt-out is enabled, an unprivileged user with a view role cannot perform virtualization view actions (receives Forbidden error) +- **[P0]** Verify that a cluster administrator can explicitly grant virtualization admin, edit, and view permissions to a user when opt-out is enabled, and the user can perform the corresponding actions +- **[P0]** Verify a cluster administrator can disable role aggregation opt-out and default automatic access is restored +- **[P0]** Verify default behavior (role aggregation enabled) remains unchanged when the feature is not configured +- **[P0]** Verify default behavior is preserved across OpenShift Virtualization z-stream upgrades +- **[P1]** Verify that toggling opt-out off after it was enabled restores automatic access for users who previously lost it +- **[P1]** Verify that removing an explicit role binding while opt-out is enabled 
immediately revokes the user's virtualization access **Out of Scope:** | Out-of-Scope Item | Rationale | PM/ Lead Agreement | |:----------------------------------------------------------|:------------------------------------------------------------------------------|:-------------------| -| Testing OpenShift RBAC infrastructure itself | OCP responsibility | [ ] TBD | -| Testing all rules within kubevirt.io roles | kubevirt.io:{admin,edit,view} clusterroles contains rules that are not affected by this feature | [ ] TBD | -| External IdP compatibility (LDAP, Active Directory) | RBAC is IdP-agnostic; HTPasswd testing validates core logic | [ ] TBD | -| Multi-tenant cluster scale testing (100+ users) | RBAC overhead negligible; functional correctness sufficient at smaller scale | [ ] TBD | -| Testing kubevirt.io:migrate role aggregation | Already covered on tier2 regression testing: [test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py) | [ ] TBD | +| Testing OpenShift RBAC infrastructure itself | Core RBAC evaluation is the responsibility of the OCP platform team; no duplication of their test effort | [Name/Date — TBD] | +| Testing all individual permission rules within virtualization roles | Individual role rules are not affected by this feature; this feature controls whether roles are aggregated, not the content of the roles themselves | [Name/Date — TBD] | +| External IdP compatibility (LDAP, Active Directory) | RBAC logic is IdP-agnostic; HTPasswd testing validates the core permission logic | [Name/Date — TBD] | +| Multi-tenant cluster scale testing (100+ users) | RBAC evaluation overhead is negligible; functional correctness at smaller scale is sufficient | [Name/Date — TBD] | + +**Note:** Migrate role aggregation testing is already covered by existing tier 2 regression tests 
+([test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py)) +and is therefore documented as existing coverage, not out of scope. + +**Test Limitations** + +None — reviewed and confirmed that no test limitations apply for this release. +*Sign-off:* [Name/Date — TBD] #### **2. Test Strategy** -| Item | Description | Applicable (Y/N or N/A) | Comments | -|:-------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------| -| Functional Testing | Validates that the feature works according to specified requirements and user stories | Y | Core focus: verify RBAC opt-out behaviour | -| Automation Testing | Ensures test cases are automated for continuous integration and regression coverage | Y | | -| Performance Testing | Validates feature performance meets requirements (latency, throughput, resource usage) | N/A | | -| Security Testing | Verifies security requirements, RBAC, authentication, authorization, and vulnerability scanning | Y | Feature is a security enhancement | -| Usability Testing | Validates user experience, UI/UX consistency, and accessibility requirements. Does the feature require UI? 
If so, ensure the UI aligns with the requirements | Y | [CNV-80935](https://issues.redhat.com/browse/CNV-80935) | -| Compatibility Testing | Ensures feature works across supported platforms, versions, and configurations | Y | default behaviour will not change | -| Regression Testing | Verifies that new changes do not break existing functionality | Y | | -| Upgrade Testing | Validates upgrade paths from previous versions, data migration, and configuration preservation | Y | | -| Backward Compatibility Testing | Ensures feature maintains compatibility with previous API versions and configurations | Y | | -| Dependencies | Dependent on deliverables from other components/products? Identify what is tested by which team. | N | | -| Cross Integrations | Does the feature affect other features/require testing by other components? Identify what is tested by which team. | Y | UI | -| Monitoring | Does the feature require metrics and/or alerts? | N | | -| Cloud Testing | Does the feature require multi-cloud platform testing? Consider cloud-specific features. 
| N | | +| Item | Description | Applicable (Y/N or N/A) | Comments | +|:-------------------|:-------------------------------------------------------------------------------------------------------------------|:------------------------|:---------| +| Functional Testing | Validates that the feature works according to specified requirements and user stories | Y | Core focus: verify opt-out configuration, RBAC enforcement, explicit grants, and default behavior preservation | +| Automation Testing | Ensures test cases are automated for continuous integration and regression coverage | Y | All tier 1 and tier 2 tests automated; tier 1 validates configuration, tier 2 validates end-to-end user workflows | +| Regression Testing | Verifies that new changes do not break existing functionality | Y | Existing RBAC/migration tests provide regression coverage; standard sig-iuo suites run on feature cluster | +| Performance Testing | Validates feature performance meets requirements (latency, throughput, resource usage) | N/A | Feature adds no performance-sensitive operations; RBAC evaluation overhead is negligible | +| Scale Testing | Validates feature behavior under increased load and at production-like scale | N/A | Kubernetes RBAC scales natively; feature does not introduce new scalability concerns | +| Security Testing | Verifies security requirements, RBAC, authentication, authorization, and vulnerability scanning | Y | Feature is a security enhancement; tests verify users are correctly blocked and explicit grants work for all 3 role levels | +| Usability Testing | Validates user experience, UI/UX consistency, and accessibility requirements | Y | UI changes tracked under [CNV-80935](https://issues.redhat.com/browse/CNV-80935); UI team (sig-ui) owns console testing; QE validates config workflow feedback | +| Monitoring | Does the feature require metrics and/or alerts? 
| N | No new metrics or alerts required; feature uses standard Kubernetes RBAC | +| Compatibility Testing | Ensures feature works across supported platforms, versions, and configurations; includes backward compatibility | Y | Default behavior unchanged; backward compatibility with previous API versions maintained | +| Upgrade Testing | Validates upgrade paths from previous versions, data migration, and configuration preservation | Y | Verify default behavior preserved across z-stream upgrades; verify opt-out config persists after upgrade | +| Dependencies | Dependent on deliverables from other components/products? Identify what is tested by which team | N | No blocking dependencies; upstream and downstream implementations are complete | +| Cross Integrations | Does the feature affect other features/require testing by other components? Identify what is tested by which team | Y | UI team (sig-ui) needs to implement and test console changes ([CNV-80935](https://issues.redhat.com/browse/CNV-80935)) | +| Cloud Testing | Does the feature require multi-cloud platform testing? Consider cloud-specific features | N | Feature is RBAC-based and platform-independent; no cloud-specific behavior | #### **3. Test Environment** @@ -106,9 +134,9 @@ | Category | Tools/Frameworks | |:-------------------|:-----------------| -| **Test Framework** | | -| **CI/CD** | | -| **Other Tools** | | +| **Test Framework** | Standard | +| **CI/CD** | N/A | +| **Other Tools** | N/A | #### **4. Entry Criteria** 
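Review bot: In the Testing Tools & Frameworks table, `Standard` for Test Framework and `N/A` for CI/CD do not say what will run the tests, and `N/A` for CI/CD conflicts with the Automation Testing row added earlier in this patch ("All tier 1 and tier 2 tests automated", described as serving continuous integration and regression coverage). Name the framework and the CI lanes or jobs that will execute the tier 1 and tier 2 tests, or state that the repository's default tooling applies and nothing feature-specific is needed.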
@@ -119,36 +147,33 @@ #### **5. Risks** -| Risk Category | Specific Risk for This Feature | Mitigation Strategy | Status | -|:-------------------|:-------------------------------------------------------------------------------|:----------------------------------------------------------------|:-----------| -| UI adaptations | The feature description mentions UI changes that are still pending to concrete | Discussion started and will be tracked with UI team | [x] Active | -| Test Coverage | Cannot exhaustively test all RBAC role combinations | Test critical paths (all 3 roles); focus on acceptance criteria | [ ] | -| Dependencies | HCO downstream implementation | Track progress and coordinate with HCO team | [ ] | -| Untestable Aspects | Limited to HTPasswd; cannot test LDAP/AD/OAuth | RBAC logic is IdP-agnostic; HTPasswd validation sufficient | [ ] | - - -#### **8. Known Limitations** +| Risk Category | Specific Risk for This Feature | Mitigation Strategy | Sign-off | +|:---------------------|:-------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------|:-------------------| +| Timeline/Schedule | N/A — feature implementation is complete (upstream and downstream) | N/A | [Name/Date — TBD] | +| Test Coverage | Cannot exhaustively test all RBAC role combinations and permission permutations | Focus on the 3 critical role levels (admin, edit, view) covering acceptance criteria; individual permission rules within roles are unaffected by this feature | [Name/Date — TBD] | +| Test Environment | N/A — standard OCP cluster with HTPasswd IdP is sufficient; no special hardware required | N/A | [Name/Date — TBD] | +| Untestable Aspects | Cannot test with production identity providers (LDAP, Active Directory, OAuth) in the lab | RBAC logic is IdP-agnostic; HTPasswd validation covers the enforcement path regardless of IdP | [Name/Date — TBD] | +| Resource Constraints 
| N/A — no staffing or capacity constraints; feature testing scope is manageable with assigned QE resources | N/A | [Name/Date — TBD] | +| Dependencies | UI changes ([CNV-80935](https://issues.redhat.com/browse/CNV-80935)) are pending; console configuration interface may not be ready for testing | Track progress with UI team (sig-ui); API-level testing can proceed independently of UI | [Name/Date — TBD] | +| Other | N/A — no additional risks identified | N/A | [Name/Date — TBD] | -No limitations. --- ### **III. Test Scenarios & Traceability** -| Requirement ID | Requirement Summary | Test Scenario(s) | Test Type(s) | Priority | -|:-------------------------|:-----------------------------------------------------|:------------------------------------------------------------------------|:-----------------|:---------| -| KubeVirt PR #16350 | `RoleAggregationStrategy config should keep aggregate labels when RoleAggregationStrategy is nil` | | tier1 automation | P0 | -| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should keep aggregate labels when RoleAggregationStrategy is AggregateToDefault` | | tier1 automation | P0 | -| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should create ClusterRole without aggregate labels when RoleAggregationStrategy is Manual` | | tier1 auto | P0 | -| KubeVirt PR #16350 | `RoleAggregationStrategy configuration should remove aggregate labels from existing ClusterRole when strategy changes to Manual` | | tier1 auto | P0 | -| CNV-63822 | As an admin, I can enable the feature via config in hyperconverged CR | Verify config persists once enabled | tier2 automation | P0 | -| | As an admin, I can enable the feature so an unprivileged user with admin role on a namespace cannot perform kubevirt.io:admin actions | Verify user gets ForbiddenError | tier2 automation | P0 | -| | As an admin, I can enable the feature so an unprivileged user with edit role on a namespace cannot perform kubevirt.io:edit actions | Verify user 
gets ForbiddenError | tier2 automation | P0 | -| | As an admin, I can enable the feature so an unprivileged user with view role on a namespace cannot perform kubevirt.io:view actions | Verify user getse ForbiddenError | tier2 automation | P0 | -| | As an admin, I can specifically add kubevirt.io:admin permissions to an unprivileged user in a namespace when feature is enabled| Verify user can perform action | tier2 automation | P0 | -| | As an admin, I can specifically add kubevirt.io:edit permissions to an unprivileged user in a namespace when feature is enabled| Verify user can perform action | tier2 automation | P0 | -| | As an admin, I can specifically add kubevirt.io:view permissions to an unprivileged user in a namespace when feature is enabled| Verify user can perform action | tier2 automation | P0 | -| | As an admin, I can disable the feature via config in hyperconverged CR | Verify config persists once disabled and unprivileged user with admin role in a namespace can perform kubevirt:admin action | tier2 automation | P0 | +| Requirement ID | Requirement Summary | Test Scenario(s) | Test Type(s) | Priority | +|:---------------|:-----------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------|:---------| +| CNV-63822 | As a cluster admin, I want to control the role aggregation strategy for virtualization resources | Verify default behavior is preserved when role aggregation opt-out is not configured — all users retain automatic access | tier1 automation | P0 | +| | | Verify default behavior is preserved when aggregation strategy is explicitly set to the default mode | tier1 automation | P0 | +| | | Verify that when opt-out mode is enabled, virtualization roles no longer automatically grant access to users | tier1 automation | P0 | +| | | 
Verify that switching from default to opt-out mode removes previously aggregated access from existing roles | tier1 automation | P0 | +| CNV-63822 | As a cluster admin, I want to enable opt-out so unprivileged users cannot access virtualization resources | Verify opt-out can be enabled via cluster configuration and the setting persists | tier2 automation | P0 | +| | | Verify an unprivileged user with admin/edit/view role cannot perform virtualization admin/edit/view actions when opt-out is enabled (receives Forbidden error) | tier2 automation | P0 | +| CNV-63822 | As a cluster admin, I want to explicitly grant virtualization permissions to specific users | Verify a cluster admin can grant virtualization admin/edit/view permissions to a user in a namespace and the user can perform admin/edit/view actions | tier2 automation | P0 | +| CNV-63822 | As a cluster admin, I want to disable opt-out to restore default behavior | Verify opt-out can be disabled and default automatic access is restored for users | tier2 automation | P0 | +| | | Verify that toggling opt-out off after it was enabled restores automatic access for users who previously lost it | tier2 automation | P1 | +| CNV-63822 | As a cluster admin, I want revoking a role binding to immediately remove virtualization access | Verify that removing an explicit role binding while opt-out is enabled immediately revokes the user's access | tier2 automation | P1 | --- From ad316c02a05de572326146579c5af2c734e88453 Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Tue, 14 Apr 2026 13:35:22 -0400 Subject: [PATCH 06/21] added platform spec examples, filled in dev handoff and tech challenges comments Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index fdbf7b3..c6cc70d 100644 
--- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -50,13 +50,13 @@ this release. #### **3. Technology and Design Review** -| Check | Done | Details/Notes | Comments | -|:---------------------------------|:-----|:-------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------| -| **Developer Handoff/QE Kickoff** | [x] | The feature is behind a KubeVirt feature-gate. When the feature is enabled in Openshift, HCO will automatically add the feature-gate | | -| **Technology Challenges** | [x] | N/A | | -| **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | +| Check | Done | Details/Notes | Comments | +|:---------------------------------|:-----|:-------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------| +| **Developer Handoff/QE Kickoff** | [x] | The feature is behind a KubeVirt feature-gate. When the feature is enabled in Openshift, HCO will automatically add the feature-gate | Implementation details discussed, ready for testing | +| **Technology Challenges** | [x] | N/A | N/A | +| **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | | **API Extensions** | [x] | New cluster-level configuration field to control role aggregation behavior (default: enabled, opt-out: manual) | Tests must validate config changes and downstream RBAC effects | -| **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | +| **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | 
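Review bot: The Developer Handoff row now says "Implementation details discussed, ready for testing", but neither it nor the API Extensions row names the feature gate or the configuration field, and the relation between the two is left open. Since the Details column says the feature is behind a KubeVirt feature-gate that HCO adds automatically, state the gate and field names and add a check for the case where the opt-out value is set while the gate is absent, so that a cluster whose admin believes aggregation is disabled is not silently left on the default. Separately, `N/A` in both columns of Technology Challenges adds nothing; one is enough.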
@@ -127,7 +127,7 @@ None — reviewed and confirmed that no test limitations apply for this release. | **Storage** | Any RWX storage class | ocs-storagecluster-ceph-rbd-virtualization | | **Network** | Default (OVN-Kubernetes) | No special network requirements | | **Required Operators** | OpenShift Virtualization | Standard CNV installation | -| **Platform** | Any supported platform | | +| **Platform** | Any supported platform | Bare metal, AWS, Azure, GCP — no platform-specific behavior | | **Special Configurations** | HTPasswd identity provider | REQUIRED: Must have HTPasswd IdP with unprivileged user | #### **3.1. Testing Tools & Frameworks** From c804426f3d8e5bfd5c26505358ec5207e2854e9b Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Wed, 15 Apr 2026 15:40:05 -0400 Subject: [PATCH 07/21] refactored stp to fit new template Signed-off-by: albarker-rh --- .../CNV-63822-role-aggregation-opt-out.md | 372 +++++++++++++----- 1 file changed, 267 insertions(+), 105 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index c6cc70d..b603cdf 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -4,15 +4,12 @@ ### **Metadata & Tracking** -| Field | Details | -|:-----------------------|:--------------------------------------------------------| -| **Enhancement(s)** | [Kubevirt VEP](https://github.com/kubevirt/enhancements/issues/160) | -| **Feature in Jira** | [CNV-50792](https://issues.redhat.com/browse/CNV-50792) | -| **Jira Tracking** | [CNV-63822](https://issues.redhat.com/browse/CNV-63822) | -| **QE Owner(s)** | Ramon Lobillo (@rlobillo), Alex Barker (@albarker-rh) | -| **Owning SIG** | sig-iuo (Install, Upgrade, Operators) | -| **Participating SIGs** | sig-ui | -| **Current Status** | Draft | +- **Enhancement(s):** [Kubevirt VEP](https://github.com/kubevirt/enhancements/issues/160) +- **Feature Tracking:** [CNV-50792](https://issues.redhat.com/browse/CNV-50792) +- **Epic Tracking:** [CNV-63822](https://issues.redhat.com/browse/CNV-63822) +- **QE Owner(s):** Ramon Lobillo (@rlobillo), Alex Barker (@albarker-rh) +- **Owning SIG:** sig-iuo (Install, Upgrade, Operators) +- **Participating SIGs:** sig-ui **Document Conventions (if applicable):** N/A — no feature-specific terms required. 
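Review bot: Converting the metadata table to a list drops the **Current Status** row (`Draft`), and nothing in the added lines replaces it. If the new template has no status field, say where the draft or approved state of this plan is recorded; otherwise keep the field. The rename of "Feature in Jira" and "Jira Tracking" to "Feature Tracking" and "Epic Tracking" is clearer and fine as is.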
@@ -31,37 +28,90 @@ over resource usage across namespaces. ### **I. Motivation and Requirements Review (QE Review Guidelines)** +This section documents the mandatory QE review process. The goal is to understand the feature's value, +technology, and testability before formal test planning. + #### **1. Requirement & User Story Review Checklist** -| Check | Done | Details/Notes | Comments | -|:---------------------------------------|:-----|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------| -| **Review Requirements** | [x] | As a cluster-admin I want to decide which users will have access to the virtualization in the cluster. Not all project-admins should have this access but only the eligible ones | Per CNV-50792 feature request | -| **Understand Value** | [x] | A cluster-admin wants to control which users has access to view/create/edit openshift virtualization resources on a given namespace | Per CNV-50792 feature request | -| **Customer Use Cases** | [x] | * multi-tenant clusters |different namespaces are used to allow different workloads and prevent unallowed usage of workload that the tenant is not eligible to us| -| | | * Resources usage control |cluster admin wants to get a request to allow a specific user to create VMs and Storage| -| **Testability** | [x] | All requirements are testable through standard API and RBAC validation | Ready to implement tests | -| **Acceptance Criteria** | [x] | (1) When opt-out is enabled, a project admin in a namespace receives Forbidden when attempting virtualization actions (2) When opt-out is enabled, explicit role bindings for admin/edit/view grant the corresponding virtualization access (3) When opt-out is disabled (default), all users with project roles retain automatic access — no change from previous releases (4) Configuration changes 
persist without cluster restart | Defined in CNV-63822 epic | -| **Non-Functional Requirements (NFRs)** | [x] | Security: RBAC hardening — users blocked without explicit grant. Backward Compatibility: default unchanged. UI: console changes tracked under CNV-80935. Docs: user-facing documentation required. Performance: N/A — negligible RBAC overhead. Monitoring: N/A — no new metrics/alerts, uses standard Kubernetes RBAC. Scalability: N/A — scales with Kubernetes natively. Observability: N/A — standard audit logging covers RBAC decisions | Upgrade and docs coverage required | +- [x] **Review Requirements** + - *List the key D/S requirements reviewed:* As a cluster-admin I want to decide which users + will have access to the virtualization in the cluster. Not all project-admins should have + this access but only the eligible ones. Per CNV-50792 feature request. + +- [x] **Understand Value and Customer Use Cases** + - *Describe the feature's value to customers:* A cluster-admin wants to control which users + has access to view/create/edit openshift virtualization resources on a given namespace. + Per CNV-50792 feature request. + - *List the customer use cases identified:* + - Multi-tenant clusters — different namespaces are used to allow different workloads and + prevent unallowed usage of workload that the tenant is not eligible to use + - Resources usage control — cluster admin wants to get a request to allow a specific user + to create VMs and Storage + +- [x] **Testability** + - *Note any requirements that are unclear or untestable:* All requirements are testable + through standard API and RBAC validation. 
+ +- [x] **Acceptance Criteria** + - *List the acceptance criteria:* + - When opt-out is enabled, a project admin in a namespace receives Forbidden when + attempting virtualization actions + - When opt-out is enabled, explicit role bindings for admin/edit/view grant the + corresponding virtualization access + - When opt-out is disabled (default), all users with project roles retain automatic + access — no change from previous releases + - Configuration changes persist without cluster restart + - *Note any gaps or missing criteria:* None. Defined in CNV-63822 epic. + +- [x] **Non-Functional Requirements (NFRs)** + - *List applicable NFRs and their targets:* + - Security: RBAC hardening — users blocked without explicit grant + - Backward Compatibility: default unchanged + - UI: console changes tracked under CNV-80935 + - Docs: user-facing documentation required + - *Note any NFRs not covered and why:* + - Performance: N/A — negligible RBAC overhead + - Monitoring: N/A — no new metrics/alerts, uses standard Kubernetes RBAC + - Scalability: N/A — scales with Kubernetes natively + - Observability: N/A — standard audit logging covers RBAC decisions #### **2. Known Limitations** +The limitations are documented to ensure alignment between development, QA, and product teams. +The following are confirmed product constraints accepted before testing begins. + None — reviewed and confirmed with [Name/Date — TBD] that no feature limitations apply for this release. #### **3. Technology and Design Review** -| Check | Done | Details/Notes | Comments | -|:---------------------------------|:-----|:-------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------| -| **Developer Handoff/QE Kickoff** | [x] | The feature is behind a KubeVirt feature-gate. 
When the feature is enabled in Openshift, HCO will automatically add the feature-gate | Implementation details discussed, ready for testing | -| **Technology Challenges** | [x] | N/A | N/A | -| **Test Environment Needs** | [x] | Standard OCP + CNV cluster with HTPasswd IdP for unprivileged user testing | No special hardware required | -| **API Extensions** | [x] | New cluster-level configuration field to control role aggregation behavior (default: enabled, opt-out: manual) | Tests must validate config changes and downstream RBAC effects | -| **Topology Considerations** | [x] | Feature is cluster-scoped (KubeVirt CR level), topology-independent | Works on all topologies (standard, SNO, compact) | +- [x] **Developer Handoff/QE Kickoff** + - *Key takeaways and concerns:* The feature is behind a KubeVirt feature-gate. When the + feature is enabled in Openshift, HCO will automatically add the feature-gate. + Implementation details discussed, ready for testing. + +- [x] **Technology Challenges** + - *List identified challenges:* N/A + - *Impact on testing approach:* N/A + +- [x] **API Extensions** + - *List new or modified APIs:* New cluster-level configuration field to control role + aggregation behavior (default: enabled, opt-out: manual). + - *Testing impact:* Tests must validate config changes and downstream RBAC effects. +- [x] **Test Environment Needs** + - *See environment requirements in Section II.3 and testing tools in Section II.3.1* +- [x] **Topology Considerations** + - *Describe topology requirements:* Feature is cluster-scoped (KubeVirt CR level), + topology-independent. + - *Impact on test design:* Works on all topologies (standard, SNO, compact). ### **II. Software Test Plan (STP)** +This STP serves as the **overall roadmap for testing**, detailing the scope, approach, resources, +and schedule. + #### **1. Scope of Testing** **Testing Goals** 
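Review bot: In the Acceptance Criteria list, the deny-side criterion covers only "a project admin in a namespace receives Forbidden", while the grant-side criterion covers admin/edit/view. State the deny case for all three roles, so that an edit or view user who keeps access under opt-out counts as a failure against the criteria. Two smaller points: the new Known Limitations lead-in ("The following are confirmed product constraints accepted before testing begins.") is followed by "None", so reword or drop it, and the **Test Environment Needs** and **Topology Considerations** items lack the blank `+` line that separates the other checklist items.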
@@ -77,103 +127,222 @@ this release. - **[P1]** Verify that toggling opt-out off after it was enabled restores automatic access for users who previously lost it - **[P1]** Verify that removing an explicit role binding while opt-out is enabled immediately revokes the user's virtualization access -**Out of Scope:** +**Out of Scope (Testing Scope Exclusions)** + +The following items are explicitly Out of Scope for this test cycle and represent intentional +exclusions. No verification activities will be performed for these items, and any related issues +found will not be classified as defects for this release. + +- **Testing OpenShift RBAC infrastructure itself** + - *Rationale:* Core RBAC evaluation is the responsibility of the OCP platform team; no duplication of their test effort + - *PM/Lead Agreement:* [Name/Date — TBD] + +- **Testing all individual permission rules within virtualization roles** + - *Rationale:* Individual role rules are not affected by this feature; this feature controls whether roles are aggregated, not the content of the roles themselves + - *PM/Lead Agreement:* [Name/Date — TBD] -| Out-of-Scope Item | Rationale | PM/ Lead Agreement | -|:----------------------------------------------------------|:------------------------------------------------------------------------------|:-------------------| -| Testing OpenShift RBAC infrastructure itself | Core RBAC evaluation is the responsibility of the OCP platform team; no duplication of their test effort | [Name/Date — TBD] | -| Testing all individual permission rules within virtualization roles | Individual role rules are not affected by this feature; this feature controls whether roles are aggregated, not the content of the roles themselves | [Name/Date — TBD] | -| External IdP compatibility (LDAP, Active Directory) | RBAC logic is IdP-agnostic; HTPasswd testing validates the core permission logic | [Name/Date — TBD] | -| Multi-tenant cluster scale testing (100+ users) | RBAC evaluation overhead is 
negligible; functional correctness at smaller scale is sufficient | [Name/Date — TBD] | +- **External IdP compatibility (LDAP, Active Directory)** + - *Rationale:* RBAC logic is IdP-agnostic; HTPasswd testing validates the core permission logic + - *PM/Lead Agreement:* [Name/Date — TBD] -**Note:** Migrate role aggregation testing is already covered by existing tier 2 regression tests -([test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py)) -and is therefore documented as existing coverage, not out of scope. +- **Multi-tenant cluster scale testing (100+ users)** + - *Rationale:* RBAC evaluation overhead is negligible; functional correctness at smaller scale is sufficient + - *PM/Lead Agreement:* [Name/Date — TBD] **Test Limitations** None — reviewed and confirmed that no test limitations apply for this release. *Sign-off:* [Name/Date — TBD] - #### **2. Test Strategy** -| Item | Description | Applicable (Y/N or N/A) | Comments | -|:-------------------|:-------------------------------------------------------------------------------------------------------------------|:------------------------|:---------| -| Functional Testing | Validates that the feature works according to specified requirements and user stories | Y | Core focus: verify opt-out configuration, RBAC enforcement, explicit grants, and default behavior preservation | -| Automation Testing | Ensures test cases are automated for continuous integration and regression coverage | Y | All tier 1 and tier 2 tests automated; tier 1 validates configuration, tier 2 validates end-to-end user workflows | -| Regression Testing | Verifies that new changes do not break existing functionality | Y | Existing RBAC/migration tests provide regression coverage; standard sig-iuo suites run on feature cluster | -| Performance Testing | Validates feature performance meets requirements (latency, 
throughput, resource usage) | N/A | Feature adds no performance-sensitive operations; RBAC evaluation overhead is negligible | -| Scale Testing | Validates feature behavior under increased load and at production-like scale | N/A | Kubernetes RBAC scales natively; feature does not introduce new scalability concerns | -| Security Testing | Verifies security requirements, RBAC, authentication, authorization, and vulnerability scanning | Y | Feature is a security enhancement; tests verify users are correctly blocked and explicit grants work for all 3 role levels | -| Usability Testing | Validates user experience, UI/UX consistency, and accessibility requirements | Y | UI changes tracked under [CNV-80935](https://issues.redhat.com/browse/CNV-80935); UI team (sig-ui) owns console testing; QE validates config workflow feedback | -| Monitoring | Does the feature require metrics and/or alerts? | N | No new metrics or alerts required; feature uses standard Kubernetes RBAC | -| Compatibility Testing | Ensures feature works across supported platforms, versions, and configurations; includes backward compatibility | Y | Default behavior unchanged; backward compatibility with previous API versions maintained | -| Upgrade Testing | Validates upgrade paths from previous versions, data migration, and configuration preservation | Y | Verify default behavior preserved across z-stream upgrades; verify opt-out config persists after upgrade | -| Dependencies | Dependent on deliverables from other components/products? Identify what is tested by which team | N | No blocking dependencies; upstream and downstream implementations are complete | -| Cross Integrations | Does the feature affect other features/require testing by other components? Identify what is tested by which team | Y | UI team (sig-ui) needs to implement and test console changes ([CNV-80935](https://issues.redhat.com/browse/CNV-80935)) | -| Cloud Testing | Does the feature require multi-cloud platform testing? 
Consider cloud-specific features | N | Feature is RBAC-based and platform-independent; no cloud-specific behavior | +**Functional** + +- [x] **Functional Testing** — Validates that the feature works according to specified requirements and user stories + - *Details:* Core focus: verify opt-out configuration, RBAC enforcement, explicit grants, and default behavior preservation. + +- [x] **Automation Testing** — Confirms test automation plan is in place for CI and regression coverage (all tests are expected to be automated) + - *Details:* All tier 1 and tier 2 tests automated; tier 1 validates configuration, tier 2 validates end-to-end user workflows. + +- [x] **Regression Testing** — Verifies that new changes do not break existing functionality + - *Details:* Existing RBAC/migration tests provide regression coverage; standard sig-iuo suites run on feature cluster. Migrate role aggregation is already covered by existing tier 2 regression tests ([test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py)). + +**Non-Functional** + +- [ ] **Performance Testing** — Validates feature performance meets requirements (latency, throughput, resource usage) + - *Details:* N/A — feature adds no performance-sensitive operations; RBAC evaluation overhead is negligible. + +- [ ] **Scale Testing** — Validates feature behavior under increased load and at production-like scale (e.g., large number of VMs, nodes, or concurrent operations) + - *Details:* N/A — Kubernetes RBAC scales natively; feature does not introduce new scalability concerns. + +- [x] **Security Testing** — Verifies security requirements, RBAC, authentication, authorization, and vulnerability scanning + - *Details:* Feature is a security enhancement; tests verify users are correctly blocked and explicit grants work for all 3 role levels. 
+- [x] **Usability Testing** — Validates user experience and accessibility requirements + - *Details:* UI changes tracked under [CNV-80935](https://issues.redhat.com/browse/CNV-80935); UI team (sig-ui) owns console testing; QE validates config workflow feedback. + +- [ ] **Monitoring** — Does the feature require metrics and/or alerts? + - *Details:* No new metrics or alerts required; feature uses standard Kubernetes RBAC. + +**Integration & Compatibility** + +- [x] **Compatibility Testing** — Ensures feature works across supported platforms, versions, and configurations + - *Details:* Default behavior unchanged; backward compatibility with previous API versions maintained. + +- [x] **Upgrade Testing** — Validates upgrade paths from previous versions, data migration, and configuration preservation + - *Details:* Verify default behavior preserved across z-stream upgrades; verify opt-out config persists after upgrade. + +- [ ] **Dependencies** — Blocked by deliverables from other components/products. Identify what we need from other teams before we can test. + - *Details:* No blocking dependencies; upstream and downstream implementations are complete. + +- [x] **Cross Integrations** — Does the feature affect other features or require testing by other teams? Identify the impact we cause. + - *Details:* UI team (sig-ui) needs to implement and test console changes ([CNV-80935](https://issues.redhat.com/browse/CNV-80935)). + +**Infrastructure** + +- [ ] **Cloud Testing** — Does the feature require multi-cloud platform testing? Consider cloud-specific features. + - *Details:* N/A — feature is RBAC-based and platform-independent; no cloud-specific behavior. #### **3. 
Test Environment** -| Environment Component | Configuration | Specification Examples | -|:----------------------------------------------|:-------------------------------|:-------------------------------------------------------------------| -| **Cluster Topology** | Standard or SNO | Feature works on all topologies; multi-node preferred | -| **OCP & OpenShift Virtualization Version(s)** | OCP 4.22 with CNV 4.22 | Target version where feature introduced | -| **CPU Virtualization** | N/A | Not relevant for RBAC testing | -| **Compute Resources** | Standard cluster resources | Minimum per worker: 4 vCPUs, 16GB RAM | -| **Special Hardware** | N/A | No special hardware required | -| **Storage** | Any RWX storage class | ocs-storagecluster-ceph-rbd-virtualization | -| **Network** | Default (OVN-Kubernetes) | No special network requirements | -| **Required Operators** | OpenShift Virtualization | Standard CNV installation | -| **Platform** | Any supported platform | Bare metal, AWS, Azure, GCP — no platform-specific behavior | -| **Special Configurations** | HTPasswd identity provider | REQUIRED: Must have HTPasswd IdP with unprivileged user | +- **Cluster Topology:** Standard or SNO — feature works on all topologies; multi-node preferred + +- **OCP & OpenShift Virtualization Version(s):** OCP 4.22 with OpenShift Virtualization 4.22 + +- **CPU Virtualization:** N/A — not relevant for RBAC testing + +- **Compute Resources:** Minimum per worker node: 4 vCPUs, 16GB RAM + +- **Special Hardware:** N/A — no special hardware required + +- **Storage:** Any RWX storage class (e.g., ocs-storagecluster-ceph-rbd-virtualization) + +- **Network:** OVN-Kubernetes, IPv4 — no special network requirements + +- **Required Operators:** OpenShift Virtualization (standard installation) + +- **Platform:** Any supported platform (bare metal, AWS, Azure, GCP — no platform-specific behavior) + +- **Special Configurations:** HTPasswd identity provider — REQUIRED: Must have HTPasswd IdP with 
unprivileged user #### **3.1. Testing Tools & Frameworks** -| Category | Tools/Frameworks | -|:-------------------|:-----------------| -| **Test Framework** | Standard | -| **CI/CD** | N/A | -| **Other Tools** | N/A | +- **Test Framework:** Standard + +- **CI/CD:** N/A + +- **Other Tools:** N/A #### **4. Entry Criteria** -- [X] KubeVirt PR #16350 **merged** -- [X] HCO downstream implementation **complete** (field integrated into HCO CR) -- [ ] Requirements and design documents approved -- [ ] Developer Handoff/QE Kickoff meeting completed +The following conditions must be met before testing can begin: + +- [ ] Requirements and design documents are **approved and merged** +- [ ] Test environment can be **set up and configured** (see Section II.3 - Test Environment) +- [x] KubeVirt PR #16350 **merged** (upstream implementation) +- [x] HCO downstream implementation **complete** (field integrated into HCO CR) +- [x] Developer Handoff/QE Kickoff meeting completed #### **5. Risks** -| Risk Category | Specific Risk for This Feature | Mitigation Strategy | Sign-off | -|:---------------------|:-------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------|:-------------------| -| Timeline/Schedule | N/A — feature implementation is complete (upstream and downstream) | N/A | [Name/Date — TBD] | -| Test Coverage | Cannot exhaustively test all RBAC role combinations and permission permutations | Focus on the 3 critical role levels (admin, edit, view) covering acceptance criteria; individual permission rules within roles are unaffected by this feature | [Name/Date — TBD] | -| Test Environment | N/A — standard OCP cluster with HTPasswd IdP is sufficient; no special hardware required | N/A | [Name/Date — TBD] | -| Untestable Aspects | Cannot test with production identity providers (LDAP, Active Directory, OAuth) in the lab | RBAC logic is IdP-agnostic; HTPasswd 
validation covers the enforcement path regardless of IdP | [Name/Date — TBD] | -| Resource Constraints | N/A — no staffing or capacity constraints; feature testing scope is manageable with assigned QE resources | N/A | [Name/Date — TBD] | -| Dependencies | UI changes ([CNV-80935](https://issues.redhat.com/browse/CNV-80935)) are pending; console configuration interface may not be ready for testing | Track progress with UI team (sig-ui); API-level testing can proceed independently of UI | [Name/Date — TBD] | -| Other | N/A — no additional risks identified | N/A | [Name/Date — TBD] | +**Timeline/Schedule** + +- **Risk:** N/A — feature implementation is complete (upstream and downstream). + - **Mitigation:** N/A + - *Estimated impact on schedule:* None + - *Sign-off:* [Name/Date — TBD] + +**Test Coverage** + +- **Risk:** Cannot exhaustively test all RBAC role combinations and permission permutations. + - **Mitigation:** Focus on the 3 critical role levels (admin, edit, view) covering acceptance criteria; individual permission rules within roles are unaffected by this feature. + - *Areas with reduced coverage:* Individual permission rules within each virtualization role; only role-level access is validated. + - *Sign-off:* [Name/Date — TBD] + +**Test Environment** + +- **Risk:** N/A — standard OCP cluster with HTPasswd IdP is sufficient; no special hardware required. + - **Mitigation:** N/A + - *Missing resources or infrastructure:* None + - *Sign-off:* [Name/Date — TBD] + +**Untestable Aspects** + +- **Risk:** Cannot test with production identity providers (LDAP, Active Directory, OAuth) in the lab. + - **Mitigation:** RBAC logic is IdP-agnostic; HTPasswd validation covers the enforcement path regardless of IdP. + - *Alternative validation approach:* Functional validation with HTPasswd covers the RBAC enforcement path regardless of IdP. 
+ - *Sign-off:* [Name/Date — TBD] + +**Resource Constraints** + +- **Risk:** N/A — no staffing or capacity constraints; feature testing scope is manageable with assigned QE resources. + - **Mitigation:** N/A + - *Current capacity gaps:* None + - *Sign-off:* [Name/Date — TBD] + +**Dependencies** +- **Risk:** UI changes ([CNV-80935](https://issues.redhat.com/browse/CNV-80935)) are pending; console configuration interface may not be ready for testing. + - **Mitigation:** Track progress with UI team (sig-ui); API-level testing can proceed independently of UI. + - *Dependent teams or components:* sig-ui — console configuration interface for opt-out + - *Sign-off:* [Name/Date — TBD] + +**Other** + +- **Risk:** N/A — no additional risks identified. + - **Mitigation:** N/A + - *Sign-off:* [Name/Date — TBD] --- ### **III. Test Scenarios & Traceability** -| Requirement ID | Requirement Summary | Test Scenario(s) | Test Type(s) | Priority | -|:---------------|:-----------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------|:---------| -| CNV-63822 | As a cluster admin, I want to control the role aggregation strategy for virtualization resources | Verify default behavior is preserved when role aggregation opt-out is not configured — all users retain automatic access | tier1 automation | P0 | -| | | Verify default behavior is preserved when aggregation strategy is explicitly set to the default mode | tier1 automation | P0 | -| | | Verify that when opt-out mode is enabled, virtualization roles no longer automatically grant access to users | tier1 automation | P0 | -| | | Verify that switching from default to opt-out mode removes previously aggregated access from existing roles | tier1 automation | P0 | -| CNV-63822 | As a cluster admin, I want to enable 
opt-out so unprivileged users cannot access virtualization resources | Verify opt-out can be enabled via cluster configuration and the setting persists | tier2 automation | P0 | -| | | Verify an unprivileged user with admin/edit/view role cannot perform virtualization admin/edit/view actions when opt-out is enabled (receives Forbidden error) | tier2 automation | P0 | -| CNV-63822 | As a cluster admin, I want to explicitly grant virtualization permissions to specific users | Verify a cluster admin can grant virtualization admin/edit/view permissions to a user in a namespace and the user can perform admin/edit/view actions | tier2 automation | P0 | -| CNV-63822 | As a cluster admin, I want to disable opt-out to restore default behavior | Verify opt-out can be disabled and default automatic access is restored for users | tier2 automation | P0 | -| | | Verify that toggling opt-out off after it was enabled restores automatic access for users who previously lost it | tier2 automation | P1 | -| CNV-63822 | As a cluster admin, I want revoking a role binding to immediately remove virtualization access | Verify that removing an explicit role binding while opt-out is enabled immediately revokes the user's access | tier2 automation | P1 | +- **[CNV-63822]** — As a cluster admin, I want to control the role aggregation strategy for virtualization resources + - *Test Scenario:* [Tier 1] Verify default behavior is preserved when role aggregation opt-out is not configured — all users retain automatic access + - *Priority:* P0 + + - *Test Scenario:* [Tier 1] Verify default behavior is preserved when aggregation strategy is explicitly set to the default mode + - *Priority:* P0 + + - *Test Scenario:* [Tier 1] Verify that when opt-out mode is enabled, virtualization roles no longer automatically grant access to users + - *Priority:* P0 + + - *Test Scenario:* [Tier 1] Verify that switching from default to opt-out mode removes previously aggregated access from existing roles + - 
*Priority:* P0 + +- **[CNV-63822]** — As a cluster admin, I want to enable opt-out so unprivileged users cannot access virtualization resources + - *Test Scenario:* [Tier 2] Verify opt-out can be enabled via cluster configuration and the setting persists + - *Priority:* P0 + + - *Test Scenario:* [Tier 2] Verify an unprivileged user with project admin role cannot perform virtualization admin actions when opt-out is enabled (receives Forbidden error) + - *Priority:* P0 + + - *Test Scenario:* [Tier 2] Verify an unprivileged user with edit role cannot perform virtualization edit actions when opt-out is enabled (receives Forbidden error) + - *Priority:* P0 + + - *Test Scenario:* [Tier 2] Verify an unprivileged user with view role cannot perform virtualization view actions when opt-out is enabled (receives Forbidden error) + - *Priority:* P0 + +- **[CNV-63822]** — As a cluster admin, I want to explicitly grant virtualization permissions to specific users + - *Test Scenario:* [Tier 2] Verify a cluster admin can grant virtualization admin permissions to a user in a namespace and the user can perform admin actions + - *Priority:* P0 + + - *Test Scenario:* [Tier 2] Verify a cluster admin can grant virtualization edit permissions to a user in a namespace and the user can perform edit actions + - *Priority:* P0 + + - *Test Scenario:* [Tier 2] Verify a cluster admin can grant virtualization view permissions to a user in a namespace and the user can view resources + - *Priority:* P0 + +- **[CNV-63822]** — As a cluster admin, I want to disable opt-out to restore default behavior + - *Test Scenario:* [Tier 2] Verify opt-out can be disabled and default automatic access is restored for users + - *Priority:* P0 + + - *Test Scenario:* [Tier 2] Verify that toggling opt-out off after it was enabled restores automatic access for users who previously lost it + - *Priority:* P1 + +- **[CNV-63822]** — As a cluster admin, I want revoking a role binding to immediately remove virtualization 
access + - *Test Scenario:* [Tier 2] Verify that removing an explicit role binding while opt-out is enabled immediately revokes the user's access + - *Priority:* P1 --- @@ -182,17 +351,10 @@ None — reviewed and confirmed that no test limitations apply for this release. This Software Test Plan requires approval from the following stakeholders: * **Reviewers:** - - [QE Lead / @rnester] - - [sig-iuo representative / @orenc1 @hmeir @OhadRevah @albarker-rh] - - [sig-ui representative / @gouyang] + - QE Lead / @rnester + - sig-iuo representative / @orenc1 @hmeir @OhadRevah @albarker-rh + - sig-ui representative / @gouyang * **Approvers:** - - [QE Manager / @kmajcher-rh @fabiand] - - [Product Manager / Ronen Sde-Or] - -**Review Status:** -- [X] Draft complete -- [ ] QE team reviewed -- [ ] Dev/Arch reviewed -- [ ] PM approved -- [ ] Ready for implementation + - QE Manager / @kmajcher-rh @fabiand + - Product Manager / Ronen Sde-Or From 426bb2f06ae2ad6fe02f997bbcd6b6af87649dd3 Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Thu, 16 Apr 2026 14:35:18 -0400 Subject: [PATCH 08/21] reformatted customer use cases into stories Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index b603cdf..73e97ae 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -43,10 +43,11 @@ technology, and testability before formal test planning. has access to view/create/edit openshift virtualization resources on a given namespace. Per CNV-50792 feature request. - *List the customer use cases identified:* - - Multi-tenant clusters — different namespaces are used to allow different workloads and - prevent unallowed usage of workload that the tenant is not eligible to use - - Resources usage control — cluster admin wants to get a request to allow a specific user - to create VMs and Storage + - As a cluster administrator managing a multi-tenant cluster, I want to prevent tenants + from accessing virtualization workloads they are not eligible to use, so that different + namespaces can enforce different workload entitlements + - As a cluster administrator, I want to require users to request approval before creating + VMs and consuming storage, so that I can control resource usage across namespaces - [x] **Testability** - *Note any requirements that are unclear or untestable:* All requirements are testable From 7bd68293393c3f1d06c735059a4e1042eb4b5ac2 Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Fri, 17 Apr 2026 11:48:26 -0400 Subject: [PATCH 09/21] condensed feature overview Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 73e97ae..38ec51e 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -15,14 +15,10 @@ ### **Feature Overview** -Role Aggregation Opt-Out gives cluster administrators the ability to control which users can -access OpenShift Virtualization resources on a per-namespace basis. By default, OpenShift -Virtualization grants all project administrators, editors, and viewers automatic access to -virtualization resources through role aggregation. When opt-out is enabled, this automatic -access is removed, and administrators must explicitly grant virtualization permissions to -individual users through role bindings. This feature supports multi-tenant environments where -not all users should have access to virtualization workloads, and enables fine-grained control -over resource usage across namespaces. +By default, all project administrators, editors, and viewers automatically receive access to +OpenShift Virtualization resources. Role Aggregation Opt-Out allows cluster administrators to +disable this automatic access and instead grant virtualization permissions explicitly per user +and namespace, enabling fine-grained control in multi-tenant environments. --- From 4760987afcb56fe30545564e202e11009945288a Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Fri, 17 Apr 2026 11:58:12 -0400 Subject: [PATCH 10/21] added regression goals distinction Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 38ec51e..97ce7f9 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -100,8 +100,7 @@ this release. - *See environment requirements in Section II.3 and testing tools in Section II.3.1* - [x] **Topology Considerations** - - *Describe topology requirements:* Feature is cluster-scoped (KubeVirt CR level), - topology-independent. + - *Describe topology requirements:* Feature is cluster-scoped and topology-independent. - *Impact on test design:* Works on all topologies (standard, SNO, compact). ### **II. Software Test Plan (STP)** @@ -120,10 +119,14 @@ and schedule. - **[P0]** Verify that a cluster administrator can explicitly grant virtualization admin, edit, and view permissions to a user when opt-out is enabled, and the user can perform the corresponding actions - **[P0]** Verify a cluster administrator can disable role aggregation opt-out and default automatic access is restored - **[P0]** Verify default behavior (role aggregation enabled) remains unchanged when the feature is not configured -- **[P0]** Verify default behavior is preserved across OpenShift Virtualization z-stream upgrades - **[P1]** Verify that toggling opt-out off after it was enabled restores automatic access for users who previously lost it - **[P1]** Verify that removing an explicit role binding while opt-out is enabled immediately revokes the user's virtualization access +**Regression Goals** + +- **[P0]** Verify default behavior is preserved across OpenShift Virtualization z-stream upgrades — sig-iuo upgrade regression suites run on the feature cluster +- **[P0]** Verify existing RBAC and migration functionality is not broken by the new feature — sig-iuo regression suites (including RBAC hardening and migration rights tests) run on the feature cluster + **Out of Scope (Testing Scope Exclusions)** The following items are explicitly Out of Scope for this test cycle and represent intentional From 0082bcff4714ea6928ee4636e3b7b53710347870 Mon Sep 17 00:00:00 2001 
From: albarker-rh Date: Tue, 21 Apr 2026 13:55:28 -0400 Subject: [PATCH 11/21] reworded several sections for clarity, removed/revised duplicate test goals, criteria, and scenarios Signed-off-by: albarker-rh --- .../CNV-63822-role-aggregation-opt-out.md | 51 +++++++------------ 1 file changed, 17 insertions(+), 34 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 97ce7f9..60cf4d8 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -30,20 +30,17 @@ technology, and testability before formal test planning. #### **1. Requirement & User Story Review Checklist** - [x] **Review Requirements** - - *List the key D/S requirements reviewed:* As a cluster-admin I want to decide which users - will have access to the virtualization in the cluster. Not all project-admins should have - this access but only the eligible ones. Per CNV-50792 feature request. + - *List the key D/S requirements reviewed:* Cluster admins can limit the access to virtualization components - [x] **Understand Value and Customer Use Cases** - - *Describe the feature's value to customers:* A cluster-admin wants to control which users - has access to view/create/edit openshift virtualization resources on a given namespace. - Per CNV-50792 feature request. + - *Describe the feature's value to customers:* Organizations running multi-tenant clusters + need to enforce access policies that prevent unauthorized users from consuming + virtualization resources. Without this feature, any project administrator automatically + gains full virtualization access, which violates tenant isolation requirements. - *List the customer use cases identified:* - As a cluster administrator managing a multi-tenant cluster, I want to prevent tenants - from accessing virtualization workloads they are not eligible to use, so that different + from accessing virtualization workloads they are not eligible to use so that different namespaces can enforce different workload entitlements - - As a cluster administrator, I want to require users to request approval before creating - VMs and consuming storage, so that I can control resource usage across namespaces - [x] **Testability** - *Note any requirements that are unclear or untestable:* All requirements are testable 
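Review bot: The rewritten "List the key D/S requirements reviewed" line drops the "Per CNV-50792 feature request" reference and the qualifier that only eligible project admins should get access, so "Cluster admins can limit the access to virtualization components" no longer says who is restricted or where the requirement comes from. Consider keeping the source reference and the who/what of the restriction in that one sentence, and ending it with a period like the neighbouring items. The same hunk also deletes the second use case (requiring approval before users create VMs and consume storage), which is not a restatement of the remaining multi-tenant story; if it was dropped on purpose, the commit message should say so.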
@@ -51,13 +48,11 @@ technology, and testability before formal test planning. - [x] **Acceptance Criteria** - *List the acceptance criteria:* - - When opt-out is enabled, a project admin in a namespace receives Forbidden when - attempting virtualization actions - - When opt-out is enabled, explicit role bindings for admin/edit/view grant the - corresponding virtualization access - - When opt-out is disabled (default), all users with project roles retain automatic - access — no change from previous releases - - Configuration changes persist without cluster restart + - When opt-out is enabled, a project admin in a namespace is forbidden from attempting virtualization actions + - When opt-out is enabled, a cluster administrator can grant a user an explicit + role binding (admin, edit, or view) so that user can create, modify, or view + virtual machines and related resources in that namespace + - Configuration changes take effect without cluster restart - *Note any gaps or missing criteria:* None. Defined in CNV-63822 epic. - [x] **Non-Functional Requirements (NFRs)** @@ -83,9 +78,10 @@ this release. #### **3. Technology and Design Review** - [x] **Developer Handoff/QE Kickoff** - - *Key takeaways and concerns:* The feature is behind a KubeVirt feature-gate. When the - feature is enabled in Openshift, HCO will automatically add the feature-gate. - Implementation details discussed, ready for testing. + - *Key takeaways and concerns:* Testing strategy agreed: tier 1 tests validate configuration behavior, with + reconciliation coverage needed once downstream integration lands. Concern raised that + tier 1 tests are not part of gating jobs — further review needed on test prioritization + for tier 2. - [x] **Technology Challenges** - *List identified challenges:* N/A 
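Review bot: The new "Key takeaways and concerns" text under Developer Handoff/QE Kickoff records an unresolved concern (tier 1 tests are not part of gating jobs, further review needed on tier 2 prioritization) while the item stays checked, and the hunk gives that concern no owner and no place where it is tracked. Suggest moving it into the Risks section with a mitigation and sign-off like the other entries. The replaced lines were also the only statement that the feature is behind a KubeVirt feature gate that HCO adds automatically; if that still holds, keep one sentence of it so the plan still records how the feature gets enabled.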
@@ -117,10 +113,7 @@ and schedule. - **[P0]** Verify that when opt-out is enabled, an unprivileged user with an edit role cannot perform virtualization edit actions (receives Forbidden error) - **[P0]** Verify that when opt-out is enabled, an unprivileged user with a view role cannot perform virtualization view actions (receives Forbidden error) - **[P0]** Verify that a cluster administrator can explicitly grant virtualization admin, edit, and view permissions to a user when opt-out is enabled, and the user can perform the corresponding actions -- **[P0]** Verify a cluster administrator can disable role aggregation opt-out and default automatic access is restored -- **[P0]** Verify default behavior (role aggregation enabled) remains unchanged when the feature is not configured -- **[P1]** Verify that toggling opt-out off after it was enabled restores automatic access for users who previously lost it -- **[P1]** Verify that removing an explicit role binding while opt-out is enabled immediately revokes the user's virtualization access +- **[P0]** Verify that disabling opt-out after it was enabled restores automatic access for users who were previously blocked **Regression Goals** @@ -298,9 +291,6 @@ The following conditions must be met before testing can begin: ### **III. Test Scenarios & Traceability** - **[CNV-63822]** — As a cluster admin, I want to control the role aggregation strategy for virtualization resources - - *Test Scenario:* [Tier 1] Verify default behavior is preserved when role aggregation opt-out is not configured — all users retain automatic access - - *Priority:* P0 - - *Test Scenario:* [Tier 1] Verify default behavior is preserved when aggregation strategy is explicitly set to the default mode - *Priority:* P0 
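Review bot: Removing the Tier 1 scenario for "role aggregation opt-out is not configured" leaves the explicitly set default mode as the only default-behavior check in this list, and an unset field is a different input from an explicit default value. Clusters that never touch the setting are in the unset state, so either keep the scenario or name the existing suite that covers the unset case.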
@@ -334,16 +324,9 @@ The following conditions must be met before testing can begin: - *Priority:* P0 - **[CNV-63822]** — As a cluster admin, I want to disable opt-out to restore default behavior - - *Test Scenario:* [Tier 2] Verify opt-out can be disabled and default automatic access is restored for users + - *Test Scenario:* [Tier 2] Verify that disabling opt-out after it was enabled restores automatic access for users who were previously blocked - *Priority:* P0 - - *Test Scenario:* [Tier 2] Verify that toggling opt-out off after it was enabled restores automatic access for users who previously lost it - - *Priority:* P1 - -- **[CNV-63822]** — As a cluster admin, I want revoking a role binding to immediately remove virtualization access - - *Test Scenario:* [Tier 2] Verify that removing an explicit role binding while opt-out is enabled immediately revokes the user's access - - *Priority:* P1 - --- ### **IV. Sign-off and Approval** From 846cb039329de243196643b1a43954ae28d81427 Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Wed, 29 Apr 2026 16:21:52 -0400 Subject: [PATCH 12/21] update tier 1 scenarios to match HCO tests, align goals with scenarios, and fix AGENTS.md compliance Co-Authored-By: Claude Opus 4.6 Signed-off-by: albarker-rh --- .../CNV-63822-role-aggregation-opt-out.md | 43 ++++++------------- 1 file changed, 14 insertions(+), 29 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 60cf4d8..a095157 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -49,9 +49,6 @@ technology, and testability before formal test planning. - [x] **Acceptance Criteria** - *List the acceptance criteria:* - When opt-out is enabled, a project admin in a namespace is forbidden from attempting virtualization actions - - When opt-out is enabled, a cluster administrator can grant a user an explicit - role binding (admin, edit, or view) so that user can create, modify, or view - virtual machines and related resources in that namespace - Configuration changes take effect without cluster restart - *Note any gaps or missing criteria:* None. Defined in CNV-63822 epic. 
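Review bot: With the explicit role binding criterion removed, the acceptance criteria left in this hunk cover only the deny side (a project admin is forbidden) and the no-restart behavior; nothing states that a user who is explicitly granted admin, edit, or view can use virtualization resources while opt-out is enabled. A deployment that blocks everyone, explicitly bound users included, would satisfy the remaining criteria. Suggest keeping the criterion and, if it is not tested in this plan, marking where it is verified.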
@@ -108,11 +105,12 @@ and schedule. **Testing Goals** -- **[P0]** Verify a cluster administrator can enable role aggregation opt-out through the cluster configuration and the setting persists +- **[P0]** Verify a cluster administrator can enable role aggregation opt-out and the setting is applied to the virtualization deployment +- **[P0]** Verify a cluster administrator can switch the aggregation mode and the change propagates to the virtualization deployment +- **[P0]** Verify that removing the aggregation configuration resets the virtualization deployment to its original unconfigured state - **[P0]** Verify that when opt-out is enabled, an unprivileged user with a project admin role cannot perform virtualization admin actions (receives Forbidden error) - **[P0]** Verify that when opt-out is enabled, an unprivileged user with an edit role cannot perform virtualization edit actions (receives Forbidden error) - **[P0]** Verify that when opt-out is enabled, an unprivileged user with a view role cannot perform virtualization view actions (receives Forbidden error) -- **[P0]** Verify that a cluster administrator can explicitly grant virtualization admin, edit, and view permissions to a user when opt-out is enabled, and the user can perform the corresponding actions - **[P0]** Verify that disabling opt-out after it was enabled restores automatic access for users who were previously blocked **Regression Goals** 
@@ -152,13 +150,13 @@ None — reviewed and confirmed that no test limitations apply for this release. **Functional** - [x] **Functional Testing** — Validates that the feature works according to specified requirements and user stories - - *Details:* Core focus: verify opt-out configuration, RBAC enforcement, explicit grants, and default behavior preservation. + - *Details:* Core focus: verify opt-out configuration, RBAC enforcement, and default behavior preservation. - [x] **Automation Testing** — Confirms test automation plan is in place for CI and regression coverage (all tests are expected to be automated) - *Details:* All tier 1 and tier 2 tests automated; tier 1 validates configuration, tier 2 validates end-to-end user workflows. - [x] **Regression Testing** — Verifies that new changes do not break existing functionality - - *Details:* Existing RBAC/migration tests provide regression coverage; standard sig-iuo suites run on feature cluster. Migrate role aggregation is already covered by existing tier 2 regression tests ([test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py)). + - *Details:* Existing RBAC/migration tests provide regression coverage; standard sig-iuo suites run on feature cluster. Migrate role aggregation is already covered by existing tier 2 regression tests ([test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py)). Verification that virtualization admin, edit, and view roles grant correct permissions is covered by existing upstream tests in KubeVirt ([access_test.go](https://github.com/kubevirt/kubevirt/blob/main/tests/access_test.go)). **Non-Functional** 
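Review bot: The sentence added to the Regression Testing details says role permission checks are covered by upstream access_test.go, but it does not say whether those tests run with opt-out enabled, which is the configuration where explicit grants matter for this feature. State that explicitly, or scope the sentence to default mode. Both links on that line point at the main branch, so the referenced files can move or change underneath the plan; a tag or commit link would keep the reference stable.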
@@ -169,10 +167,10 @@ None — reviewed and confirmed that no test limitations apply for this release. - *Details:* N/A — Kubernetes RBAC scales natively; feature does not introduce new scalability concerns. - [x] **Security Testing** — Verifies security requirements, RBAC, authentication, authorization, and vulnerability scanning - - *Details:* Feature is a security enhancement; tests verify users are correctly blocked and explicit grants work for all 3 role levels. + - *Details:* Feature is a security enhancement; tests verify users are correctly blocked when opt-out is enabled for all 3 role levels. -- [x] **Usability Testing** — Validates user experience and accessibility requirements - - *Details:* UI changes tracked under [CNV-80935](https://issues.redhat.com/browse/CNV-80935); UI team (sig-ui) owns console testing; QE validates config workflow feedback. +- [ ] **Usability Testing** — Validates user experience and accessibility requirements + - *Details:* UI changes tracked under [CNV-80935](https://issues.redhat.com/browse/CNV-80935); UI team (sig-ui) owns console testing for opt-out configuration. - [ ] **Monitoring** — Does the feature require metrics and/or alerts? - *Details:* No new metrics or alerts required; feature uses standard Kubernetes RBAC. @@ -232,8 +230,8 @@ The following conditions must be met before testing can begin: - [ ] Requirements and design documents are **approved and merged** - [ ] Test environment can be **set up and configured** (see Section II.3 - Test Environment) -- [x] KubeVirt PR #16350 **merged** (upstream implementation) -- [x] HCO downstream implementation **complete** (field integrated into HCO CR) +- [x] Upstream implementation **merged** (role aggregation opt-out support) +- [x] Downstream implementation **complete** (configuration field available in cluster settings) - [x] Developer Handoff/QE Kickoff meeting completed #### **5. Risks** 
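Review bot: The two reworded entry criteria in the second hunk ("Upstream implementation **merged**", "Downstream implementation **complete**") no longer identify what was merged, so a reader cannot verify the checked boxes from the plan itself. The previous lines named KubeVirt PR #16350 and the HCO CR field; if naming them inline is not wanted, a link on each line would keep the criteria checkable.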
@@ -291,19 +289,16 @@ The following conditions must be met before testing can begin: ### **III. Test Scenarios & Traceability** - **[CNV-63822]** — As a cluster admin, I want to control the role aggregation strategy for virtualization resources - - *Test Scenario:* [Tier 1] Verify default behavior is preserved when aggregation strategy is explicitly set to the default mode + - *Test Scenario:* [Tier 1] Verify that enabling opt-out mode applies the setting to the virtualization deployment - *Priority:* P0 - - *Test Scenario:* [Tier 1] Verify that when opt-out mode is enabled, virtualization roles no longer automatically grant access to users + - *Test Scenario:* [Tier 1] Verify that changing the aggregation mode propagates the updated setting to the virtualization deployment - *Priority:* P0 - - *Test Scenario:* [Tier 1] Verify that switching from default to opt-out mode removes previously aggregated access from existing roles + - *Test Scenario:* [Tier 1] Verify that removing the aggregation configuration resets the virtualization deployment to its original state - *Priority:* P0 - **[CNV-63822]** — As a cluster admin, I want to enable opt-out so unprivileged users cannot access virtualization resources - - *Test Scenario:* [Tier 2] Verify opt-out can be enabled via cluster configuration and the setting persists - - *Priority:* P0 - - *Test Scenario:* [Tier 2] Verify an unprivileged user with project admin role cannot perform virtualization admin actions when opt-out is enabled (receives Forbidden error) - *Priority:* P0 
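Review bot: The three rewritten Tier 1 scenarios all check that a setting reaches the virtualization deployment, and the removed scenario about switching from default to opt-out removing previously aggregated access from existing roles has no replacement in this hunk. The Tier 2 Forbidden scenario kept as context below does not say whether the user and project role exist before opt-out is enabled, so the transition case (access held under default mode, then lost on the switch) may go untested. Suggest stating that ordering in the Tier 2 scenarios or keeping one scenario for the switch.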
@@ -313,18 +308,8 @@ The following conditions must be met before testing can begin: - *Test Scenario:* [Tier 2] Verify an unprivileged user with view role cannot perform virtualization view actions when opt-out is enabled (receives Forbidden error) - *Priority:* P0 -- **[CNV-63822]** — As a cluster admin, I want to explicitly grant virtualization permissions to specific users - - *Test Scenario:* [Tier 2] Verify a cluster admin can grant virtualization admin permissions to a user in a namespace and the user can perform admin actions - - *Priority:* P0 - - - *Test Scenario:* [Tier 2] Verify a cluster admin can grant virtualization edit permissions to a user in a namespace and the user can perform edit actions - - *Priority:* P0 - - - *Test Scenario:* [Tier 2] Verify a cluster admin can grant virtualization view permissions to a user in a namespace and the user can view resources - - *Priority:* P0 - - **[CNV-63822]** — As a cluster admin, I want to disable opt-out to restore default behavior - - *Test Scenario:* [Tier 2] Verify that disabling opt-out after it was enabled restores automatic access for users who were previously blocked + - *Test Scenario:* [Tier 2] Verify that disabling opt-out restores automatic access for previously blocked users - *Priority:* P0 --- From a6b077f7f3e72b057c92c09d575b445e4171a1b2 Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Tue, 5 May 2026 10:11:08 -0400 Subject: [PATCH 13/21] add feature maturity, broaden acceptance criteria to all roles, and clarify regression goals Co-Authored-By: Claude Opus 4.6 Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index a095157..253b5a5 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -7,6 +7,10 @@ - **Enhancement(s):** [Kubevirt VEP](https://github.com/kubevirt/enhancements/issues/160) - **Feature Tracking:** [CNV-50792](https://issues.redhat.com/browse/CNV-50792) - **Epic Tracking:** [CNV-63822](https://issues.redhat.com/browse/CNV-63822) +- **Feature Maturity:** + - DP: 4.22 + - TP: 4.23/5.0 + - GA: 5.1 - **QE Owner(s):** Ramon Lobillo (@rlobillo), Alex Barker (@albarker-rh) - **Owning SIG:** sig-iuo (Install, Upgrade, Operators) - **Participating SIGs:** sig-ui @@ -48,7 +52,7 @@ technology, and testability before formal test planning. - [x] **Acceptance Criteria** - *List the acceptance criteria:* - - When opt-out is enabled, a project admin in a namespace is forbidden from attempting virtualization actions + - When opt-out is enabled, users with project admin, edit, or view roles in a namespace are forbidden from attempting virtualization actions - Configuration changes take effect without cluster restart - *Note any gaps or missing criteria:* None. Defined in CNV-63822 epic. @@ -115,8 +119,7 @@ and schedule. **Regression Goals** -- **[P0]** Verify default behavior is preserved across OpenShift Virtualization z-stream upgrades — sig-iuo upgrade regression suites run on the feature cluster -- **[P0]** Verify existing RBAC and migration functionality is not broken by the new feature — sig-iuo regression suites (including RBAC hardening and migration rights tests) run on the feature cluster +- **[P0]** Verify existing RBAC and migration functionality is not broken by the new feature — tier 2 regression suites run on the feature cluster, including [migration rights tests](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py) **Out of Scope (Testing Scope Exclusions)** From c3f500b608e8b1c6b4b34f283a77c4945ab4c707 Mon Sep 17 00:00:00 2001 
From: albarker-rh Date: Tue, 5 May 2026 10:13:12 -0400 Subject: [PATCH 14/21] Made customer use cases more concise using wording from @hmeir Co-authored-by: Harel Meir Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 253b5a5..74477da 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md @@ -37,14 +37,11 @@ technology, and testability before formal test planning. - *List the key D/S requirements reviewed:* Cluster admins can limit the access to virtualization components - [x] **Understand Value and Customer Use Cases** - - *Describe the feature's value to customers:* Organizations running multi-tenant clusters - need to enforce access policies that prevent unauthorized users from consuming - virtualization resources. Without this feature, any project administrator automatically - gains full virtualization access, which violates tenant isolation requirements. - - *List the customer use cases identified:* - - As a cluster administrator managing a multi-tenant cluster, I want to prevent tenants - from accessing virtualization workloads they are not eligible to use so that different - namespaces can enforce different workload entitlements + - *Describe the feature's value to customers:* Enables tenant isolation by requiring + explicit virtualization access grants instead of automatic role aggregation. + - *List the customer use cases identified:* + - As a cluster administrator, I want to disable automatic virtualization access + so that only explicitly authorized users can consume virtualization resources - [x] **Testability** - *Note any requirements that are unclear or untestable:* All requirements are testable From c2ee21c75e8fd15c7aa3b1277b606d0bebef22c4 Mon Sep 17 00:00:00 2001 
From: albarker-rh Date: Tue, 5 May 2026 14:10:53 -0400 Subject: [PATCH 15/21] pre-commit changes Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 74477da..b4218fa 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md @@ -37,11 +37,11 @@ technology, and testability before formal test planning. - *List the key D/S requirements reviewed:* Cluster admins can limit the access to virtualization components - [x] **Understand Value and Customer Use Cases** - - *Describe the feature's value to customers:* Enables tenant isolation by requiring - explicit virtualization access grants instead of automatic role aggregation. - - *List the customer use cases identified:* - - As a cluster administrator, I want to disable automatic virtualization access - so that only explicitly authorized users can consume virtualization resources + - *Describe the feature's value to customers:* Enables tenant isolation by requiring + explicit virtualization access grants instead of automatic role aggregation. + - *List the customer use cases identified:* + - As a cluster administrator, I want to disable automatic virtualization access + so that only explicitly authorized users can consume virtualization resources - [x] **Testability** - *Note any requirements that are unclear or untestable:* All requirements are testable From ef0ddfaeaa865bea6f28f04deaf46da66d6d679e Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Wed, 6 May 2026 09:49:19 -0400 Subject: [PATCH 16/21] removed an acceptance criteria, condensed kickoff meeting takeaways and regression goals/testing, updated reviewers/approvers 
Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index b4218fa..294e25e 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md @@ -50,7 +50,6 @@ technology, and testability before formal test planning. - [x] **Acceptance Criteria** - *List the acceptance criteria:* - When opt-out is enabled, users with project admin, edit, or view roles in a namespace are forbidden from attempting virtualization actions - - Configuration changes take effect without cluster restart - *Note any gaps or missing criteria:* None. Defined in CNV-63822 epic. - [x] **Non-Functional Requirements (NFRs)** @@ -76,10 +75,7 @@ this release. #### **3. Technology and Design Review** - [x] **Developer Handoff/QE Kickoff** - - *Key takeaways and concerns:* Testing strategy agreed: tier 1 tests validate configuration behavior, with - reconciliation coverage needed once downstream integration lands. Concern raised that - tier 1 tests are not part of gating jobs — further review needed on test prioritization - for tier 2. + - *Key takeaways and concerns:* We agreed on the testing strategy and configuration requirements. - [x] **Technology Challenges** - *List identified challenges:* N/A 
@@ -116,7 +112,7 @@ and schedule. **Regression Goals** -- **[P0]** Verify existing RBAC and migration functionality is not broken by the new feature — tier 2 regression suites run on the feature cluster, including [migration rights tests](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py) +- **[P0]** Verify existing RBAC and migration functionality is not broken by the new feature — tier 2 regression suites run on the feature cluster, including migration rights tests **Out of Scope (Testing Scope Exclusions)** @@ -156,7 +152,7 @@ None — reviewed and confirmed that no test limitations apply for this release. - *Details:* All tier 1 and tier 2 tests automated; tier 1 validates configuration, tier 2 validates end-to-end user workflows. - [x] **Regression Testing** — Verifies that new changes do not break existing functionality - - *Details:* Existing RBAC/migration tests provide regression coverage; standard sig-iuo suites run on feature cluster. Migrate role aggregation is already covered by existing tier 2 regression tests ([test_migration_rights.py](https://github.com/RedHatQE/openshift-virtualization-tests/blob/main/tests/virt/cluster/migration_and_maintenance/rbac_hardening/test_migration_rights.py)). Verification that virtualization admin, edit, and view roles grant correct permissions is covered by existing upstream tests in KubeVirt ([access_test.go](https://github.com/kubevirt/kubevirt/blob/main/tests/access_test.go)). + - *Details:* Migrate role aggregation is already covered by existing tier 2 regression tests. **Non-Functional** 
@@ -320,9 +316,11 @@ This Software Test Plan requires approval from the following stakeholders: * **Reviewers:** - QE Lead / @rnester - - sig-iuo representative / @orenc1 @hmeir @OhadRevah @albarker-rh + - sig-iuo representative / @orenc1 @hmeir @OhadRevah @rlobillo - sig-ui representative / @gouyang * **Approvers:** + - QE Lead / @rnester + - sig-iuo representative / @hmeir - QE Manager / @kmajcher-rh @fabiand - Product Manager / Ronen Sde-Or From e49f61a8eed5262fb6dde0e854370524c65826ed Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Thu, 7 May 2026 09:45:21 -0400 Subject: [PATCH 17/21] Minor wording changes from @orenc Co-authored-by: Oren Cohen Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 294e25e..18d7d5b 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md @@ -41,7 +41,7 @@ technology, and testability before formal test planning. explicit virtualization access grants instead of automatic role aggregation. - *List the customer use cases identified:* - As a cluster administrator, I want to disable automatic virtualization access - so that only explicitly authorized users can consume virtualization resources + so that only explicitly authorized users can use and interact with virtualization resources - [x] **Testability** - *Note any requirements that are unclear or untestable:* All requirements are testable 
@@ -49,7 +49,7 @@ technology, and testability before formal test planning. - [x] **Acceptance Criteria** - *List the acceptance criteria:* - - When opt-out is enabled, users with project admin, edit, or view roles in a namespace are forbidden from attempting virtualization actions + - When opt-out is enabled, users with project admin, edit, or view roles in a namespace are forbidden from performing actions on virtualization resources - *Note any gaps or missing criteria:* None. Defined in CNV-63822 epic. - [x] **Non-Functional Requirements (NFRs)** From 5d8799500c6dade8fe84cb387dbabaac848e9b1b Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Thu, 7 May 2026 09:49:20 -0400 Subject: [PATCH 18/21] updated docs status Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 18d7d5b..562b024 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md @@ -57,7 +57,7 @@ technology, and testability before formal test planning. - Security: RBAC hardening — users blocked without explicit grant - Backward Compatibility: default unchanged - UI: console changes tracked under CNV-80935 - - Docs: user-facing documentation required + - Docs: upstream docs available; downstream docs planned for 4.22 - *Note any NFRs not covered and why:* - Performance: N/A — negligible RBAC overhead - Monitoring: N/A — no new metrics/alerts, uses standard Kubernetes RBAC From d8de47c8f346dec3711ab3b44434e9f69aac4b26 Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Mon, 11 May 2026 09:28:37 -0400 Subject: [PATCH 19/21] added feature overview phase, added acceptance criteria, made n/a risks more concise, updated approvers 
Signed-off-by: albarker-rh --- .../CNV-63822-role-aggregation-opt-out.md | 28 +++++++------------ 1 file changed, 10 insertions(+), 18 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 562b024..14cbb7d 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md @@ -22,7 +22,8 @@ By default, all project administrators, editors, and viewers automatically receive access to OpenShift Virtualization resources. Role Aggregation Opt-Out allows cluster administrators to disable this automatic access and instead grant virtualization permissions explicitly per user -and namespace, enabling fine-grained control in multi-tenant environments. +and namespace, enabling fine-grained control in multi-tenant environments. +This STP covers testing for the Tech Preview phase (4.23/5.0). --- @@ -49,7 +50,9 @@ technology, and testability before formal test planning. - [x] **Acceptance Criteria** - *List the acceptance criteria:* + - A cluster administrator can control the role aggregation strategy and any change to the setting takes effect on the virtualization deployment - When opt-out is enabled, users with project admin, edit, or view roles in a namespace are forbidden from performing actions on virtualization resources + - When opt-out is disabled after being enabled, automatic access is restored for users who were previously blocked - *Note any gaps or missing criteria:* None. Defined in CNV-63822 epic. - [x] **Non-Functional Requirements (NFRs)** 
@@ -234,10 +237,8 @@ The following conditions must be met before testing can begin: **Timeline/Schedule** -- **Risk:** N/A — feature implementation is complete (upstream and downstream). - - **Mitigation:** N/A - - *Estimated impact on schedule:* None - - *Sign-off:* [Name/Date — TBD] +- **Risk:** N/A + - **Mitigation:** Feature implementation is complete upstream and downstream; no schedule risk. **Test Coverage** @@ -248,10 +249,8 @@ The following conditions must be met before testing can begin: **Test Environment** -- **Risk:** N/A — standard OCP cluster with HTPasswd IdP is sufficient; no special hardware required. - - **Mitigation:** N/A - - *Missing resources or infrastructure:* None - - *Sign-off:* [Name/Date — TBD] +- **Risk:** N/A + - **Mitigation:** Standard OCP cluster with HTPasswd IdP is sufficient; no special hardware or infrastructure required. **Untestable Aspects** @@ -262,10 +261,8 @@ The following conditions must be met before testing can begin: **Resource Constraints** -- **Risk:** N/A — no staffing or capacity constraints; feature testing scope is manageable with assigned QE resources. - - **Mitigation:** N/A - - *Current capacity gaps:* None - - *Sign-off:* [Name/Date — TBD] +- **Risk:** N/A + - **Mitigation:** Feature testing scope is manageable with assigned QE resources; no staffing or capacity constraints. **Dependencies** @@ -274,11 +271,6 @@ The following conditions must be met before testing can begin: - *Dependent teams or components:* sig-ui — console configuration interface for opt-out - *Sign-off:* [Name/Date — TBD] -**Other** - -- **Risk:** N/A — no additional risks identified. - - **Mitigation:** N/A - - *Sign-off:* [Name/Date — TBD] --- From 80f1c644b1ffea8d78a41cff5895b0c655dd4b3e Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 13:28:51 +0000 Subject: [PATCH 20/21] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 14cbb7d..b2ba561 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md @@ -22,7 +22,7 @@ By default, all project administrators, editors, and viewers automatically receive access to OpenShift Virtualization resources. Role Aggregation Opt-Out allows cluster administrators to disable this automatic access and instead grant virtualization permissions explicitly per user -and namespace, enabling fine-grained control in multi-tenant environments. +and namespace, enabling fine-grained control in multi-tenant environments. This STP covers testing for the Tech Preview phase (4.23/5.0). --- From ee5e63d1c5fc8a8526bba6cd2bff12db4b2d0d41 Mon Sep 17 00:00:00 2001 From: albarker-rh Date: Mon, 11 May 2026 13:38:21 -0400 Subject: [PATCH 21/21] updated ui representative Signed-off-by: albarker-rh --- stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md index 14cbb7d..c326603 100644 --- a/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md +++ b/stps/sig-iuo/CNV-63822-role-aggregation-opt-out.md 
@@ -309,10 +309,10 @@ This Software Test Plan requires approval from the following stakeholders: * **Reviewers:** - QE Lead / @rnester - sig-iuo representative / @orenc1 @hmeir @OhadRevah @rlobillo - - sig-ui representative / @gouyang + - sig-ui representative / @upalatucci * **Approvers:** - - QE Lead / @rnester + - QE Lead / @rnetser - sig-iuo representative / @hmeir - - QE Manager / @kmajcher-rh @fabiand - - Product Manager / Ronen Sde-Or + - QE Manager / @kmajcher-rh + - Product Manager / Ronen Sde-Or @ronensdeor
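Review bot: The explicit-grant path loses all coverage in the `@@ -313,18 +308,8 @@` hunk of the scenario rework, which deletes the whole user story "As a cluster admin, I want to explicitly grant virtualization permissions to specific users" and its three Tier 2 scenarios. The value statement introduced in PATCH 14 still reads "requiring explicit virtualization access grants instead of automatic role aggregation", and the Security NFR still reads "users blocked without explicit grant", so the plan now tests only the deny side of the feature. Suggest keeping at least one Tier 2 scenario per role level that binds the virtualization role in a namespace and checks that the action succeeds, or listing explicit grants under Out of Scope with a pointer to the suite that covers them.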
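Review bot: The "Backward Compatibility: default unchanged" NFR has no scenario left after the `@@ -291,19 +289,16 @@` hunk, which replaces "Verify default behavior is preserved when aggregation strategy is explicitly set to the default mode" with a propagation check, and PATCH 13 also drops the z-stream upgrade regression goal for default behavior. Suggest retaining the default-mode Tier 1 scenario alongside the new ones. In the same hunk, "resets the virtualization deployment to its original state" does not say what the expected state is; naming the expected value of the setting after removal would make the scenario verifiable.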
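Review bot: The checked entry criteria in the `@@ -232,8 +230,8 @@` hunk can no longer be verified from the document, because "KubeVirt PR #16350 **merged**" and "field integrated into HCO CR" are replaced with generic wording ("Upstream implementation **merged**", "configuration field available in cluster settings"). Suggest keeping the PR reference and naming the resource that carries the field, so a reader can confirm the `[x]` state independently.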
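Review bot: An open concern disappears without a recorded outcome in the `@@ -75,10 +75,7 @@` hunk of PATCH 16, where the kickoff takeaways are reduced to "We agreed on the testing strategy and configuration requirements." The removed text noted that tier 1 tests are not part of gating jobs and that tier 2 prioritization needed further review. Since the Tier 1 scenarios are the ones that check the setting reaches the virtualization deployment, suggest stating in one sentence how that concern was resolved, or keeping it listed as open.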
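Review bot: The regression coverage claim in the `@@ -152,7 +152,7 @@` hunk of PATCH 16 no longer identifies any test: "Migrate role aggregation is already covered by existing tier 2 regression tests." replaces text that linked `test_migration_rights.py` and the upstream `access_test.go`, and the `@@ -116,7 +112,7 @@` hunk drops the same link from the Regression Goals. If the links were removed to avoid stale URLs, suggest keeping the repository-relative path of the test module in plain text so the coverage statement stays traceable.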
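Review bot: The QE Lead handle is now spelled two ways in the final `@@ -309,10 +309,10 @@` hunk: the Approvers entry changes to "QE Lead / @rnetser" while the unchanged Reviewers context line still reads "QE Lead / @rnester". One of the two will not resolve to the intended account; suggest correcting the Reviewers line in the same commit so both entries use the same handle.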