From ac19371ef86ec3044e2d52895f28d29e42b6ab8b Mon Sep 17 00:00:00 2001
From: Pavel Tishkov
Date: Sat, 20 Jun 2026 21:37:03 +0300
Subject: [PATCH] chore(module): allow ClusterAdmin to read internal virtualization resources

Add get/list/watch on internal.virtualization.deckhouse.io (internalvirtualizationkubevirts, virtualmachines, virtualmachineinstances, virtualmachineinstancemigrations) and cdi.internal.virtualization.deckhouse.io (internalvirtualizationdatavolumes) to d8:user-authz:virtualization:cluster-admin. These resources are already read by module controllers and the collectdebuginfo CLI; exposing them read-only to ClusterAdmin aids troubleshooting.
---
 templates/user-authz-cluster-roles.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/templates/user-authz-cluster-roles.yaml b/templates/user-authz-cluster-roles.yaml
index 4ed0300901..6460800b4a 100644
--- a/templates/user-authz-cluster-roles.yaml
+++ b/templates/user-authz-cluster-roles.yaml
@@ -154,3 +154,22 @@ rules:
 - deletecollection
 - patch
 - update
+- apiGroups:
+ - internal.virtualization.deckhouse.io
+ resources:
+ - internalvirtualizationkubevirts
+ - internalvirtualizationvirtualmachines
+ - internalvirtualizationvirtualmachineinstances
+ - internalvirtualizationvirtualmachineinstancemigrations
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - cdi.internal.virtualization.deckhouse.io
+ resources:
+ - internalvirtualizationdatavolumes
+ verbs:
+ - get
+ - list
+ - watch
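Review bot: The two new rules grant ClusterAdmin read access to the module's internal API groups without any in-template note on why, so the next maintainer has no signal that these are controller-managed objects that must stay read-only here; the rationale lives only in the commit message. I would add a comment above the first new `- apiGroups:` entry, e.g. `# Read-only (get/list/watch) on internal.virtualization / cdi.internal.virtualization resources for troubleshooting; these objects are owned by the module controllers, so do not add write verbs to this role.` The verbs are correctly limited to `get`, `list`, `watch` with no wildcard, which is the right shape for a troubleshooting grant. One caveat worth confirming before merge: `list`/`watch` return full object specs cluster-wide, so if any of these internal VM or DataVolume objects carry inline user data or credentials in their spec (I cannot tell from this hunk), this rule exposes that to every ClusterAdmin subject, and the comment should say so. The rest of the `d8:user-authz:virtualization:cluster-admin` rules list begins outside the hunk.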