From 93ab506a765edf512270b3e6fed6faac8448c60a Mon Sep 17 00:00:00 2001
From: Matteo
Date: Mon, 27 Oct 2025 14:27:37 +0100
Subject: [PATCH 1/2] rbac: Add network resources to cluster-reader role

Add read permissions (i.e. get, list, watch) for network-related resources to the cluster-reader ClusterRole aggregation.

The resources are:
- egressrouters.network.operator.openshift.io
- network-attachment-definitions.k8s.cni.cncf.io
- networks.operator.openshift.io

Fixes: OCPBUGS-35387
---
 .../common/007-rbac-cluster-reader.yaml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml b/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml
index 51cefe3a2c..4c9fa77cf6 100644
--- a/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml
+++ b/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml
@@ -37,3 +37,24 @@ rules:
   - get
   - list
   - watch
+- apiGroups: ["network.operator.openshift.io"]
+  resources:
+  - egressrouters
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups: ["operator.openshift.io"]
+  resources:
+  - networks
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups: ["k8s.cni.cncf.io"]
+  resources:
+  - network-attachment-definitions
+  verbs:
+  - get
+  - list
+  - watch
From a981f1512f876df52b7a071a5ae649a997ddc819 Mon Sep 17 00:00:00 2001
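Review bot: The `k8s.cni.cncf.io` rule at the end of the hunk is the one of the three whose object is not bounded by a typed schema — a NetworkAttachmentDefinition's `spec.config` is, as far as I know, an opaque CNI JSON string written by whoever created the NAD — yet the commit message does not assess what cluster-reader will now be able to read from every namespace (the sensitivity question is only discussed for `networks.operator.openshift.io`, which the follow-up patch removes). A one-line rationale above that rule would make the trade-off visible to the next maintainer of this file, e.g. `# NADs are readable cluster-wide by cluster-reader; spec.config is opaque CNI JSON, so plugin credentials must not be embedded in it (OCPBUGS-35387)`, with a matching note on the `egressrouters` rule. The ClusterRole metadata, including the aggregation label these rules depend on, sits above the hunk and cannot be checked here.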
From: Matteo Dallaglio
Date: Mon, 17 Nov 2025 16:37:21 +0100
Subject: [PATCH 2/2] rbac: Remove networks.operator.openshift.io from cluster-reader role

Remove networks.operator.openshift.io resources from the cluster-reader ClusterRole aggregation to maintain consistency with the platform-wide architectural pattern.

After investigation, no operator.openshift.io resources are currently exposed to cluster-reader across any OpenShift operators. The consistent pattern is:
- config.openshift.io resources ARE exposed (user-facing configuration)
- operator.openshift.io resources are NOT exposed (implementation details)

While the Network resource doesn't contain sensitive data, exposing it would make CNO the first and only exception to this pattern. The team decided to preserve architectural consistency rather than break this established pattern.

Related: OCPBUGS-35387

Signed-off-by: Matteo Dallaglio
---
 .../ovn-kubernetes/common/007-rbac-cluster-reader.yaml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml b/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml
index 4c9fa77cf6..b4c408101f 100644
--- a/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml
+++ b/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml
@@ -44,13 +44,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups: ["operator.openshift.io"]
-  resources:
-  - networks
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups: ["k8s.cni.cncf.io"]
   resources:
   - network-attachment-definitions