Accepting request 1072517 from Virtualization

OBS-URL: https://build.opensuse.org/request/show/1072517 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/kubevirt?expand=0&rev=54
2023-03-17 16:04:32 +00:00 · 2023-03-17 16:04:32 +00:00 · 192eb2a311
commit 192eb2a311
parent 84ea42e96e fdbec51544
3 changed files with 813 additions and 1 deletions
--- a/0001-Vulnerability-fix-limit-operator-secrets-permission.patch
+++ b/0001-Vulnerability-fix-limit-operator-secrets-permission.patch
@ -0,0 +1,805 @@
+From b53906b1295910964ba4b3b1b5a2d3668307f79c Mon Sep 17 00:00:00 2001
+From: Kyle Lane <kylelane@google.com>
+Date: Fri, 3 Feb 2023 00:49:59 +0000
+Subject: [PATCH] [Vulnerability fix] limit operator secrets permission
+
+Also change structure to hold service account names in resource/generate/components due to circular dependancy.
+
+Change-Id: I01c2619a9705b3c3f144d1d8567687df011d00fa
+Signed-off-by: Kyle Lane kylelane@google.com
+---
+ manifests/generated/operator-csv.yaml.in      |  9 +++++
+ .../rbac-operator.authorization.k8s.yaml.in   |  9 +++++
+ pkg/virt-api/webhooks/BUILD.bazel             |  2 +-
+ .../mutating-webhook/mutators/BUILD.bazel     |  2 +-
+ .../mutators/vmi-mutator_test.go              |  4 +-
+ pkg/virt-api/webhooks/utils.go                |  8 ++--
+ .../validating-webhook/admitters/BUILD.bazel  |  2 +-
+ .../admitters/vmi-create-admitter_test.go     |  9 ++---
+ .../admitters/vmi-update-admitter_test.go     | 10 ++---
+ .../resource/generate/components/BUILD.bazel  |  2 +-
+ .../generate/components/daemonsets.go         |  3 +-
+ .../generate/components/deployments.go        |  7 ++--
+ .../components/serviceaccountnames.go         |  9 +++++
+ .../resource/generate/rbac/BUILD.bazel        |  2 +
+ .../resource/generate/rbac/apiserver.go       | 24 ++++++------
+ .../resource/generate/rbac/controller.go      | 22 +++++------
+ .../resource/generate/rbac/handler.go         | 22 +++++------
+ .../resource/generate/rbac/operator.go        | 37 ++++++++++++-------
+ .../resource/generate/rbac/operator_test.go   | 10 +++--
+ 19 files changed, 116 insertions(+), 77 deletions(-)
+ create mode 100644 pkg/virt-operator/resource/generate/components/serviceaccountnames.go
+
+diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
+index 8c84822e0..53d2c30e5 100644
+--- a/manifests/generated/operator-csv.yaml.in
+++ b/manifests/generated/operator-csv.yaml.in
+@@ -1275,6 +1275,15 @@ spec:
+       - rules:
+         - apiGroups:
+           - ""
+          resourceNames:
+          - kubevirt-ca
+          - kubevirt-export-ca
+          - kubevirt-virt-handler-certs
+          - kubevirt-virt-handler-server-certs
+          - kubevirt-operator-certs
+          - kubevirt-virt-api-certs
+          - kubevirt-controller-certs
+          - kubevirt-exportproxy-certs
+           resources:
+           - secrets
+           verbs:
+diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
+index 71605ecda..254a1a977 100644
+--- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in
+++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
+@@ -17,6 +17,15 @@ metadata:
+ rules:
+ - apiGroups:
+   - ""
+  resourceNames:
+  - kubevirt-ca
+  - kubevirt-export-ca
+  - kubevirt-virt-handler-certs
+  - kubevirt-virt-handler-server-certs
+  - kubevirt-operator-certs
+  - kubevirt-virt-api-certs
+  - kubevirt-controller-certs
+  - kubevirt-exportproxy-certs
+   resources:
+   - secrets
+   verbs:
+diff --git a/pkg/virt-api/webhooks/BUILD.bazel b/pkg/virt-api/webhooks/BUILD.bazel
+index abe364190..1ea095692 100644
+--- a/pkg/virt-api/webhooks/BUILD.bazel
+++ b/pkg/virt-api/webhooks/BUILD.bazel
+@@ -15,7 +15,7 @@ go_library(
+         "//pkg/util:go_default_library",
+         "//pkg/virt-config:go_default_library",
+         "//pkg/virt-handler/node-labeller/util:go_default_library",
+-        "//pkg/virt-operator/resource/generate/rbac:go_default_library",
+        "//pkg/virt-operator/resource/generate/components:go_default_library",
+         "//staging/src/kubevirt.io/api/core/v1:go_default_library",
+         "//staging/src/kubevirt.io/api/pool/v1alpha1:go_default_library",
+         "//staging/src/kubevirt.io/client-go/log:go_default_library",
+diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel
+index e956bf21e..5e03b0d9d 100644
+--- a/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel
+++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/BUILD.bazel
+@@ -55,7 +55,7 @@ go_test(
+         "//pkg/virt-api/webhooks:go_default_library",
+         "//pkg/virt-config:go_default_library",
+         "//pkg/virt-handler/node-labeller/util:go_default_library",
+-        "//pkg/virt-operator/resource/generate/rbac:go_default_library",
+        "//pkg/virt-operator/resource/generate/components:go_default_library",
+         "//staging/src/kubevirt.io/api/clone:go_default_library",
+         "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
+         "//staging/src/kubevirt.io/api/core:go_default_library",
+diff --git a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go
+index 025bf368a..f156eca9a 100644
+--- a/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go
+++ b/pkg/virt-api/webhooks/mutating-webhook/mutators/vmi-mutator_test.go
+@@ -46,10 +46,10 @@ import (
+ 	"kubevirt.io/kubevirt/pkg/virt-api/webhooks"
+ 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
+ 	nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util"
+-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
+ )
+ 
+-var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", rbac.ControllerServiceAccountName)
+var privilegedUser = fmt.Sprintf("%s:%s:%s:%s", "system", "serviceaccount", "kubevirt", components.ControllerServiceAccountName)
+ 
+ var _ = Describe("VirtualMachineInstance Mutator", func() {
+ 	var vmi *v1.VirtualMachineInstance
+diff --git a/pkg/virt-api/webhooks/utils.go b/pkg/virt-api/webhooks/utils.go
+index 816a6beb3..653d41012 100644
+--- a/pkg/virt-api/webhooks/utils.go
+++ b/pkg/virt-api/webhooks/utils.go
+@@ -29,7 +29,7 @@ import (
+ 	poolv1 "kubevirt.io/api/pool/v1alpha1"
+ 	"kubevirt.io/client-go/log"
+ 
+-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
+ 
+ 	v1 "kubevirt.io/api/core/v1"
+ 	clientutil "kubevirt.io/client-go/util"
+@@ -89,9 +89,9 @@ func IsKubeVirtServiceAccount(serviceAccount string) bool {
+ 	}
+ 
+ 	prefix := fmt.Sprintf("system:serviceaccount:%s", ns)
+-	return serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ApiServiceAccountName) ||
+-		serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.HandlerServiceAccountName) ||
+-		serviceAccount == fmt.Sprintf("%s:%s", prefix, rbac.ControllerServiceAccountName)
+	return serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ApiServiceAccountName) ||
+		serviceAccount == fmt.Sprintf("%s:%s", prefix, components.HandlerServiceAccountName) ||
+		serviceAccount == fmt.Sprintf("%s:%s", prefix, components.ControllerServiceAccountName)
+ }
+ 
+ func IsARM64() bool {
+diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
+index 03a74eb2f..65da66d1c 100644
+--- a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
+@@ -99,7 +99,7 @@ go_test(
+         "//pkg/virt-api/webhooks:go_default_library",
+         "//pkg/virt-config:go_default_library",
+         "//pkg/virt-handler/node-labeller/util:go_default_library",
+-        "//pkg/virt-operator/resource/generate/rbac:go_default_library",
+        "//pkg/virt-operator/resource/generate/components:go_default_library",
+         "//staging/src/kubevirt.io/api/clone:go_default_library",
+         "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
+         "//staging/src/kubevirt.io/api/core:go_default_library",
+diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
+index 685ddf5fc..51dda99f5 100644
+--- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
+@@ -27,8 +27,6 @@ import (
+ 
+ 	"kubevirt.io/client-go/api"
+ 
+-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
+-
+ 	. "github.com/onsi/ginkgo/v2"
+ 	. "github.com/onsi/gomega"
+ 	admissionv1 "k8s.io/api/admission/v1"
+@@ -49,6 +47,7 @@ import (
+ 	"kubevirt.io/kubevirt/pkg/virt-api/webhooks"
+ 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
+ 	nodelabellerutil "kubevirt.io/kubevirt/pkg/virt-handler/node-labeller/util"
+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
+ )
+ 
+ var _ = Describe("Validating VMICreate Admitter", func() {
+@@ -424,17 +423,17 @@ var _ = Describe("Validating VMICreate Admitter", func() {
+ 			},
+ 			Entry("Create restricted label by API",
+ 				map[string]string{v1.NodeNameLabel: "someValue"},
+-				rbac.ApiServiceAccountName,
+				components.ApiServiceAccountName,
+ 				true,
+ 			),
+ 			Entry("Create restricted label by Handler",
+ 				map[string]string{v1.NodeNameLabel: "someValue"},
+-				rbac.HandlerServiceAccountName,
+				components.HandlerServiceAccountName,
+ 				true,
+ 			),
+ 			Entry("Create restricted label by Controller",
+ 				map[string]string{v1.NodeNameLabel: "someValue"},
+-				rbac.ControllerServiceAccountName,
+				components.ControllerServiceAccountName,
+ 				true,
+ 			),
+ 			Entry("Create restricted label by non kubevirt user",
+diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go
+index 83a9d0390..a9f7af477 100644
+--- a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go
+++ b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-update-admitter_test.go
+@@ -39,7 +39,7 @@ import (
+ 	"kubevirt.io/kubevirt/pkg/testutils"
+ 	webhookutils "kubevirt.io/kubevirt/pkg/util/webhooks"
+ 	"kubevirt.io/kubevirt/pkg/virt-api/webhooks"
+-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
+ )
+ 
+ var _ = Describe("Validating VMIUpdate Admitter", func() {
+@@ -190,17 +190,17 @@ var _ = Describe("Validating VMIUpdate Admitter", func() {
+ 		Entry("Update by API",
+ 			map[string]string{v1.NodeNameLabel: "someValue"},
+ 			map[string]string{v1.NodeNameLabel: "someNewValue"},
+-			rbac.ApiServiceAccountName,
+			components.ApiServiceAccountName,
+ 		),
+ 		Entry("Update by Handler",
+ 			map[string]string{v1.NodeNameLabel: "someValue"},
+ 			map[string]string{v1.NodeNameLabel: "someNewValue"},
+-			rbac.HandlerServiceAccountName,
+			components.HandlerServiceAccountName,
+ 		),
+ 		Entry("Update by Controller",
+ 			map[string]string{v1.NodeNameLabel: "someValue"},
+ 			map[string]string{v1.NodeNameLabel: "someNewValue"},
+-			rbac.ControllerServiceAccountName,
+			components.ControllerServiceAccountName,
+ 		),
+ 	)
+ 
+@@ -560,7 +560,7 @@ var _ = Describe("Validating VMIUpdate Admitter", func() {
+ 		resp := vmiUpdateAdmitter.Admit(ar)
+ 		Expect(resp.Allowed).To(expected)
+ 	},
+-		Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+rbac.ApiServiceAccountName, BeTrue()),
+		Entry("Should admit internal sa", "system:serviceaccount:kubevirt:"+components.ApiServiceAccountName, BeTrue()),
+ 		Entry("Should reject regular user", "system:serviceaccount:someNamespace:someUser", BeFalse()),
+ 	)
+ })
+diff --git a/pkg/virt-operator/resource/generate/components/BUILD.bazel b/pkg/virt-operator/resource/generate/components/BUILD.bazel
+index 583b63a04..22e1524c3 100644
+--- a/pkg/virt-operator/resource/generate/components/BUILD.bazel
+++ b/pkg/virt-operator/resource/generate/components/BUILD.bazel
+@@ -11,6 +11,7 @@ go_library(
+         "routes.go",
+         "scc.go",
+         "secrets.go",
+        "serviceaccountnames.go",
+         "validations_generated.go",
+         "webhooks.go",
+     ],
+@@ -21,7 +22,6 @@ go_library(
+         "//pkg/certificates/triple:go_default_library",
+         "//pkg/certificates/triple/cert:go_default_library",
+         "//pkg/virt-config:go_default_library",
+-        "//pkg/virt-operator/resource/generate/rbac:go_default_library",
+         "//pkg/virt-operator/util:go_default_library",
+         "//staging/src/kubevirt.io/api/clone:go_default_library",
+         "//staging/src/kubevirt.io/api/clone/v1alpha1:go_default_library",
+diff --git a/pkg/virt-operator/resource/generate/components/daemonsets.go b/pkg/virt-operator/resource/generate/components/daemonsets.go
+index 7524f7487..4717e4bec 100644
+--- a/pkg/virt-operator/resource/generate/components/daemonsets.go
+++ b/pkg/virt-operator/resource/generate/components/daemonsets.go
+@@ -13,7 +13,6 @@ import (
+ 	virtv1 "kubevirt.io/api/core/v1"
+ 
+ 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
+-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
+ 	operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util"
+ )
+ 
+@@ -81,7 +80,7 @@ func NewHandlerDaemonSet(namespace, repository, imagePrefix, version, launcherVe
+ 	}
+ 
+ 	pod := &daemonset.Spec.Template.Spec
+-	pod.ServiceAccountName = rbac.HandlerServiceAccountName
+	pod.ServiceAccountName = HandlerServiceAccountName
+ 	pod.HostPID = true
+ 
+ 	// nodelabeller currently only support x86
+diff --git a/pkg/virt-operator/resource/generate/components/deployments.go b/pkg/virt-operator/resource/generate/components/deployments.go
+index 9d5666def..8a900e7f0 100644
+--- a/pkg/virt-operator/resource/generate/components/deployments.go
+++ b/pkg/virt-operator/resource/generate/components/deployments.go
+@@ -35,7 +35,6 @@ import (
+ 
+ 	virtv1 "kubevirt.io/api/core/v1"
+ 
+-	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac"
+ 	operatorutil "kubevirt.io/kubevirt/pkg/virt-operator/util"
+ )
+ 
+@@ -326,7 +325,7 @@ func NewApiServerDeployment(namespace, repository, imagePrefix, version, product
+ 	attachProfileVolume(&deployment.Spec.Template.Spec)
+ 
+ 	pod := &deployment.Spec.Template.Spec
+-	pod.ServiceAccountName = rbac.ApiServiceAccountName
+	pod.ServiceAccountName = ApiServiceAccountName
+ 	pod.SecurityContext = &corev1.PodSecurityContext{
+ 		RunAsNonRoot:   boolPtr(true),
+ 		SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+@@ -407,7 +406,7 @@ func NewControllerDeployment(namespace, repository, imagePrefix, controllerVersi
+ 	}
+ 
+ 	pod := &deployment.Spec.Template.Spec
+-	pod.ServiceAccountName = rbac.ControllerServiceAccountName
+	pod.ServiceAccountName = ControllerServiceAccountName
+ 	pod.SecurityContext = &corev1.PodSecurityContext{
+ 		RunAsNonRoot:   boolPtr(true),
+ 		SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+@@ -645,7 +644,7 @@ func NewExportProxyDeployment(namespace, repository, imagePrefix, version, produ
+ 	attachProfileVolume(&deployment.Spec.Template.Spec)
+ 
+ 	pod := &deployment.Spec.Template.Spec
+-	pod.ServiceAccountName = rbac.ExportProxyServiceAccountName
+	pod.ServiceAccountName = ExportProxyServiceAccountName
+ 	pod.SecurityContext = &corev1.PodSecurityContext{
+ 		RunAsNonRoot: boolPtr(true),
+ 	}
+diff --git a/pkg/virt-operator/resource/generate/components/serviceaccountnames.go b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go
+new file mode 100644
+index 000000000..0948629bb
+--- /dev/null
+++ b/pkg/virt-operator/resource/generate/components/serviceaccountnames.go
+@@ -0,0 +1,9 @@
+package components
+
+const (
+	ApiServiceAccountName         = "kubevirt-apiserver"
+	ControllerServiceAccountName  = "kubevirt-controller"
+	ExportProxyServiceAccountName = "kubevirt-exportproxy"
+	HandlerServiceAccountName     = "kubevirt-handler"
+	OperatorServiceAccountName    = "kubevirt-operator"
+)
+diff --git a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel
+index fb3952f7b..8de09055f 100644
+--- a/pkg/virt-operator/resource/generate/rbac/BUILD.bazel
+++ b/pkg/virt-operator/resource/generate/rbac/BUILD.bazel
+@@ -14,6 +14,7 @@ go_library(
+     importpath = "kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/rbac",
+     visibility = ["//visibility:public"],
+     deps = [
+        "//pkg/virt-operator/resource/generate/components:go_default_library",
+         "//staging/src/kubevirt.io/api/clone:go_default_library",
+         "//staging/src/kubevirt.io/api/core/v1:go_default_library",
+         "//staging/src/kubevirt.io/api/instancetype:go_default_library",
+@@ -33,6 +34,7 @@ go_test(
+     ],
+     embed = [":go_default_library"],
+     deps = [
+        "//pkg/virt-operator/resource/generate/components:go_default_library",
+         "//staging/src/kubevirt.io/client-go/testutils:go_default_library",
+         "//vendor/github.com/onsi/ginkgo/v2:go_default_library",
+         "//vendor/github.com/onsi/gomega:go_default_library",
+diff --git a/pkg/virt-operator/resource/generate/rbac/apiserver.go b/pkg/virt-operator/resource/generate/rbac/apiserver.go
+index 7263471a6..932f7391e 100644
+--- a/pkg/virt-operator/resource/generate/rbac/apiserver.go
+++ b/pkg/virt-operator/resource/generate/rbac/apiserver.go
+@@ -26,6 +26,8 @@ import (
+ 
+ 	"kubevirt.io/api/instancetype"
+ 
+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
+
+ 	virtv1 "kubevirt.io/api/core/v1"
+ 	"kubevirt.io/api/migrations"
+ )
+@@ -36,8 +38,6 @@ const (
+ 	GroupName     = "kubevirt.io"
+ )
+ 
+-const ApiServiceAccountName = "kubevirt-apiserver"
+-
+ func GetAllApiServer(namespace string) []runtime.Object {
+ 	return []runtime.Object{
+ 		newApiServerServiceAccount(namespace),
+@@ -57,7 +57,7 @@ func newApiServerServiceAccount(namespace string) *corev1.ServiceAccount {
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+ 			Namespace: namespace,
+-			Name:      ApiServiceAccountName,
+			Name:      components.ApiServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -72,7 +72,7 @@ func newApiServerClusterRole() *rbacv1.ClusterRole {
+ 			Kind:       "ClusterRole",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name: ApiServiceAccountName,
+			Name: components.ApiServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -267,7 +267,7 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
+ 			Kind:       "ClusterRoleBinding",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name: ApiServiceAccountName,
+			Name: components.ApiServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -275,13 +275,13 @@ func newApiServerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
+ 		RoleRef: rbacv1.RoleRef{
+ 			APIGroup: VersionName,
+ 			Kind:     "ClusterRole",
+-			Name:     ApiServiceAccountName,
+			Name:     components.ApiServiceAccountName,
+ 		},
+ 		Subjects: []rbacv1.Subject{
+ 			{
+ 				Kind:      "ServiceAccount",
+ 				Namespace: namespace,
+-				Name:      ApiServiceAccountName,
+				Name:      components.ApiServiceAccountName,
+ 			},
+ 		},
+ 	}
+@@ -308,7 +308,7 @@ func newApiServerAuthDelegatorClusterRoleBinding(namespace string) *rbacv1.Clust
+ 			{
+ 				Kind:      "ServiceAccount",
+ 				Namespace: namespace,
+-				Name:      ApiServiceAccountName,
+				Name:      components.ApiServiceAccountName,
+ 			},
+ 		},
+ 	}
+@@ -322,7 +322,7 @@ func newApiServerRole(namespace string) *rbacv1.Role {
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+ 			Namespace: namespace,
+-			Name:      ApiServiceAccountName,
+			Name:      components.ApiServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -351,7 +351,7 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding {
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+ 			Namespace: namespace,
+-			Name:      ApiServiceAccountName,
+			Name:      components.ApiServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -359,13 +359,13 @@ func newApiServerRoleBinding(namespace string) *rbacv1.RoleBinding {
+ 		RoleRef: rbacv1.RoleRef{
+ 			APIGroup: VersionName,
+ 			Kind:     "Role",
+-			Name:     ApiServiceAccountName,
+			Name:     components.ApiServiceAccountName,
+ 		},
+ 		Subjects: []rbacv1.Subject{
+ 			{
+ 				Kind:      "ServiceAccount",
+ 				Namespace: namespace,
+-				Name:      ApiServiceAccountName,
+				Name:      components.ApiServiceAccountName,
+ 			},
+ 		},
+ 	}
+diff --git a/pkg/virt-operator/resource/generate/rbac/controller.go b/pkg/virt-operator/resource/generate/rbac/controller.go
+index 2adb51225..9542a24fe 100644
+--- a/pkg/virt-operator/resource/generate/rbac/controller.go
+++ b/pkg/virt-operator/resource/generate/rbac/controller.go
+@@ -26,14 +26,14 @@ import (
+ 
+ 	"kubevirt.io/api/clone"
+ 
+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
+
+ 	"kubevirt.io/api/instancetype"
+ 
+ 	virtv1 "kubevirt.io/api/core/v1"
+ 	"kubevirt.io/api/migrations"
+ )
+ 
+-const ControllerServiceAccountName = "kubevirt-controller"
+-
+ func GetAllController(namespace string) []runtime.Object {
+ 	return []runtime.Object{
+ 		newControllerServiceAccount(namespace),
+@@ -52,7 +52,7 @@ func newControllerServiceAccount(namespace string) *corev1.ServiceAccount {
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+ 			Namespace: namespace,
+-			Name:      ControllerServiceAccountName,
+			Name:      components.ControllerServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -67,7 +67,7 @@ func newControllerRole(namespace string) *rbacv1.Role {
+ 			Kind:       "Role",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name:      ControllerServiceAccountName,
+			Name:      components.ControllerServiceAccountName,
+ 			Namespace: namespace,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+@@ -124,7 +124,7 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding {
+ 			Kind:       "RoleBinding",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name:      ControllerServiceAccountName,
+			Name:      components.ControllerServiceAccountName,
+ 			Namespace: namespace,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+@@ -133,13 +133,13 @@ func newControllerRoleBinding(namespace string) *rbacv1.RoleBinding {
+ 		RoleRef: rbacv1.RoleRef{
+ 			APIGroup: VersionName,
+ 			Kind:     "Role",
+-			Name:     ControllerServiceAccountName,
+			Name:     components.ControllerServiceAccountName,
+ 		},
+ 		Subjects: []rbacv1.Subject{
+ 			{
+ 				Kind:      "ServiceAccount",
+ 				Namespace: namespace,
+-				Name:      ControllerServiceAccountName,
+				Name:      components.ControllerServiceAccountName,
+ 			},
+ 		},
+ 	}
+@@ -152,7 +152,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole {
+ 			Kind:       "ClusterRole",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name: ControllerServiceAccountName,
+			Name: components.ControllerServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -515,7 +515,7 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin
+ 			Kind:       "ClusterRoleBinding",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name: ControllerServiceAccountName,
+			Name: components.ControllerServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -523,13 +523,13 @@ func newControllerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBindin
+ 		RoleRef: rbacv1.RoleRef{
+ 			APIGroup: "rbac.authorization.k8s.io",
+ 			Kind:     "ClusterRole",
+-			Name:     ControllerServiceAccountName,
+			Name:     components.ControllerServiceAccountName,
+ 		},
+ 		Subjects: []rbacv1.Subject{
+ 			{
+ 				Kind:      "ServiceAccount",
+ 				Namespace: namespace,
+-				Name:      ControllerServiceAccountName,
+				Name:      components.ControllerServiceAccountName,
+ 			},
+ 		},
+ 	}
+diff --git a/pkg/virt-operator/resource/generate/rbac/handler.go b/pkg/virt-operator/resource/generate/rbac/handler.go
+index c47adc28a..e55a4044e 100644
+--- a/pkg/virt-operator/resource/generate/rbac/handler.go
+++ b/pkg/virt-operator/resource/generate/rbac/handler.go
+@@ -27,9 +27,9 @@ import (
+ 
+ 	virtv1 "kubevirt.io/api/core/v1"
+ 	"kubevirt.io/api/migrations"
+-)
+ 
+-const HandlerServiceAccountName = "kubevirt-handler"
+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
+)
+ 
+ func GetAllHandler(namespace string) []runtime.Object {
+ 	return []runtime.Object{
+@@ -49,7 +49,7 @@ func newHandlerServiceAccount(namespace string) *corev1.ServiceAccount {
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+ 			Namespace: namespace,
+-			Name:      HandlerServiceAccountName,
+			Name:      components.HandlerServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -64,7 +64,7 @@ func newHandlerClusterRole() *rbacv1.ClusterRole {
+ 			Kind:       "ClusterRole",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name: HandlerServiceAccountName,
+			Name: components.HandlerServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -167,7 +167,7 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
+ 			Kind:       "ClusterRoleBinding",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name: HandlerServiceAccountName,
+			Name: components.HandlerServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -175,13 +175,13 @@ func newHandlerClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
+ 		RoleRef: rbacv1.RoleRef{
+ 			APIGroup: "rbac.authorization.k8s.io",
+ 			Kind:     "ClusterRole",
+-			Name:     HandlerServiceAccountName,
+			Name:     components.HandlerServiceAccountName,
+ 		},
+ 		Subjects: []rbacv1.Subject{
+ 			{
+ 				Kind:      "ServiceAccount",
+ 				Namespace: namespace,
+-				Name:      HandlerServiceAccountName,
+				Name:      components.HandlerServiceAccountName,
+ 			},
+ 		},
+ 	}
+@@ -195,7 +195,7 @@ func newHandlerRole(namespace string) *rbacv1.Role {
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+ 			Namespace: namespace,
+-			Name:      HandlerServiceAccountName,
+			Name:      components.HandlerServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -224,7 +224,7 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding {
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+ 			Namespace: namespace,
+-			Name:      HandlerServiceAccountName,
+			Name:      components.HandlerServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -232,13 +232,13 @@ func newHandlerRoleBinding(namespace string) *rbacv1.RoleBinding {
+ 		RoleRef: rbacv1.RoleRef{
+ 			APIGroup: "rbac.authorization.k8s.io",
+ 			Kind:     "Role",
+-			Name:     HandlerServiceAccountName,
+			Name:     components.HandlerServiceAccountName,
+ 		},
+ 		Subjects: []rbacv1.Subject{
+ 			{
+ 				Kind:      "ServiceAccount",
+ 				Namespace: namespace,
+-				Name:      HandlerServiceAccountName,
+				Name:      components.HandlerServiceAccountName,
+ 			},
+ 		},
+ 	}
+diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go
+index 29ec8c85a..f15dfa554 100644
+--- a/pkg/virt-operator/resource/generate/rbac/operator.go
+++ b/pkg/virt-operator/resource/generate/rbac/operator.go
+@@ -26,6 +26,8 @@ import (
+ 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ 
+ 	virtv1 "kubevirt.io/api/core/v1"
+
+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
+ )
+ 
+ const (
+@@ -33,7 +35,6 @@ const (
+ 	GroupNameRoute    = "route.openshift.io"
+ 	serviceAccountFmt = "%s:%s:%s"
+ )
+-const OperatorServiceAccountName = "kubevirt-operator"
+ 
+ // Used for manifest generation only, not by the operator itself
+ func GetAllOperator(namespace string) []interface{} {
+@@ -54,7 +55,7 @@ func newOperatorServiceAccount(namespace string) *corev1.ServiceAccount {
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+ 			Namespace: namespace,
+-			Name:      OperatorServiceAccountName,
+			Name:      components.OperatorServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -74,7 +75,7 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole {
+ 			Kind:       "ClusterRole",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name: OperatorServiceAccountName,
+			Name: components.OperatorServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -396,7 +397,7 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
+ 			Kind:       "ClusterRoleBinding",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name: OperatorServiceAccountName,
+			Name: components.OperatorServiceAccountName,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+ 			},
+@@ -404,13 +405,13 @@ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding
+ 		RoleRef: rbacv1.RoleRef{
+ 			APIGroup: VersionName,
+ 			Kind:     "ClusterRole",
+-			Name:     OperatorServiceAccountName,
+			Name:     components.OperatorServiceAccountName,
+ 		},
+ 		Subjects: []rbacv1.Subject{
+ 			{
+ 				Kind:      "ServiceAccount",
+ 				Namespace: namespace,
+-				Name:      OperatorServiceAccountName,
+				Name:      components.OperatorServiceAccountName,
+ 			},
+ 		},
+ 	}
+@@ -432,13 +433,13 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding {
+ 		RoleRef: rbacv1.RoleRef{
+ 			APIGroup: VersionName,
+ 			Kind:     "Role",
+-			Name:     OperatorServiceAccountName,
+			Name:     components.OperatorServiceAccountName,
+ 		},
+ 		Subjects: []rbacv1.Subject{
+ 			{
+ 				Kind:      "ServiceAccount",
+ 				Namespace: namespace,
+-				Name:      OperatorServiceAccountName,
+				Name:      components.OperatorServiceAccountName,
+ 			},
+ 		},
+ 	}
+@@ -452,7 +453,7 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
+ 			Kind:       "Role",
+ 		},
+ 		ObjectMeta: metav1.ObjectMeta{
+-			Name:      OperatorServiceAccountName,
+			Name:      components.OperatorServiceAccountName,
+ 			Namespace: namespace,
+ 			Labels: map[string]string{
+ 				virtv1.AppLabel: "",
+@@ -466,6 +467,16 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
+ 				Resources: []string{
+ 					"secrets",
+ 				},
+				ResourceNames: []string{
+					components.KubeVirtCASecretName,
+					components.KubeVirtExportCASecretName,
+					components.VirtHandlerCertSecretName,
+					components.VirtHandlerServerCertSecretName,
+					components.VirtOperatorCertSecretName,
+					components.VirtApiCertSecretName,
+					components.VirtControllerCertSecretName,
+					components.VirtExportProxyCertSecretName,
+				},
+ 				Verbs: []string{
+ 					"create",
+ 					"get",
+@@ -526,10 +537,10 @@ func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool {
+ 	usermap := make(map[string]bool)
+ 
+ 	prefix := "system:serviceaccount"
+-	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, HandlerServiceAccountName)] = true
+-	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ApiServiceAccountName)] = true
+-	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, ControllerServiceAccountName)] = true
+-	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, OperatorServiceAccountName)] = true
+	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.HandlerServiceAccountName)] = true
+	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ApiServiceAccountName)] = true
+	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.ControllerServiceAccountName)] = true
+	usermap[fmt.Sprintf(serviceAccountFmt, prefix, namespace, components.OperatorServiceAccountName)] = true
+ 
+ 	return usermap
+ }
+diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go
+index 701a8c4f5..51bd479cc 100644
+--- a/pkg/virt-operator/resource/generate/rbac/operator_test.go
+++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go
+@@ -26,6 +26,8 @@ import (
+ 	. "github.com/onsi/gomega"
+ 	v1 "k8s.io/api/core/v1"
+ 	rbacv1 "k8s.io/api/rbac/v1"
+
+	"kubevirt.io/kubevirt/pkg/virt-operator/resource/generate/components"
+ )
+ 
+ var _ = Describe("RBAC", func() {
+@@ -75,10 +77,10 @@ var _ = Describe("RBAC", func() {
+ 			func(name string) {
+ 				Expect(serviceAccounts).To(HaveKey(MatchRegexp(fmt.Sprintf(".*%s.*", name))))
+ 			},
+-			Entry("for Handler", HandlerServiceAccountName),
+-			Entry("for Api", ApiServiceAccountName),
+-			Entry("for Controller", ControllerServiceAccountName),
+-			Entry("for Operator", OperatorServiceAccountName),
+			Entry("for Handler", components.HandlerServiceAccountName),
+			Entry("for Api", components.ApiServiceAccountName),
+			Entry("for Controller", components.ControllerServiceAccountName),
+			Entry("for Operator", components.OperatorServiceAccountName),
+ 		)
+ 
+ 	})
+-- 
+2.39.2
+
--- a/kubevirt.changes
+++ b/kubevirt.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar 16 09:13:41 UTC 2023 - Vasily Ulyanov <vasily.ulyanov@suse.com>
+
+- Limit operator secrets permission (CVE-2023-26484, bsc#1209359)
+  0001-Vulnerability-fix-limit-operator-secrets-permission.patch
+
 -------------------------------------------------------------------
 Thu Mar  2 07:12:05 UTC 2023 - Vasily Ulyanov <vasily.ulyanov@suse.com>

--- a/kubevirt.spec
+++ b/kubevirt.spec
@ -28,12 +28,13 @@ Source1:        kubevirt_containers_meta
 Source2:        kubevirt_containers_meta.service
 Source3:        %{url}/releases/download/v%{version}/disks-images-provider.yaml
 Source100:      %{name}-rpmlintrc
+Patch0:         0001-Vulnerability-fix-limit-operator-secrets-permission.patch
 BuildRequires:  glibc-devel-static
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig
 BuildRequires:  rsync
 BuildRequires:  sed
-BuildRequires:  golang(API) = 1.19
+BuildRequires:  golang(API) >= 1.19
 BuildRequires:  pkgconfig(libvirt)
 ExclusiveArch:  x86_64 aarch64