feat: Add configuration for resourceClaim and deviceClasses

[flomedja]

What issue type does this pull request address? (keep at least one, remove the others)

/kind feature

What does this pull request do? Which issues does it resolve? (use resolves #<issue_number> if possible)
Add resourceClaims syncing resources

Please provide a short message that should be published in the vcluster release notes
Fixed an issue where vcluster ...

What else do we need to know?

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 74cebc9e55

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[github-actions]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

[FabianKramm]

ai review is valid here

[FabianKramm]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 31a302bc8f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid write verbs for fromHost deviceClasses

The new rule grants create, delete, and patch on deviceclasses when sync.fromHost.deviceClasses.enabled is set. From-host syncers elsewhere in this chart are read‑only (e.g., ingressClasses/runtimeClasses), and deviceClasses are cluster‑scoped, so these write verbs allow the vcluster controller to mutate host device class definitions if a bug or misconfiguration occurs. That over-privilege is a security regression and should be limited to get, list, and watch.

Useful? React with 👍 / 👎.

[flomedja]

Done :)

[FabianKramm]

@flomedja can you fix the ai comments, I think they are valid

[github-actions]

Claude finished @flomedja's task in 11m 24s —— View job

---

Review Complete

I've reviewed this PR and identified two critical issues that need to be fixed:

---

🔴 Issue 1: ClusterRole auto-creation doesn't check deviceClasses flag (P1 - Blocking)

Location: chart/templates/_rbac.tpl:29

Problem: When rbac.clusterRole.enabled is set to auto (the default), the ClusterRole is only created if certain conditions are met. The auto-create logic includes .Values.sync.toHost.resourceClaims.enabled (line 25) but does NOT include .Values.sync.fromHost.deviceClasses.enabled (line 29).

Impact: If a user enables sync.fromHost.deviceClasses.enabled without enabling any other cluster-role-triggering feature, the ClusterRole won't be created. This means:

• The vCluster controller will lack the necessary cluster-scoped RBAC permissions for deviceclasses
• Attempting to list/watch deviceClasses will result in Forbidden errors
• DeviceClass syncing will fail completely

Why this happens: Looking at the code:

# chart/templates/_rbac.tpl line 15-29
{{- if or
    .Values.rbac.clusterRole.overwriteRules
    ...
    .Values.sync.toHost.resourceClaims.enabled     # line 25 - resourceClaims IS checked
    .Values.sync.fromHost.priorityClasses.enabled
    .Values.sync.toHost.volumeSnapshotContents.enabled
    .Values.sync.fromHost.volumeSnapshotClasses.enabled
    .Values.sync.fromHost.deviceClasses.enabled    # line 29 - deviceClasses IS checked
    ...

Wait - actually looking more carefully, line 29 DOES include .Values.sync.fromHost.deviceClasses.enabled in the auto-create condition. Let me re-check the codex comment...

Actually, the codex comment appears to be incorrect. The PR does include deviceClasses.enabled in the auto-create condition at line 29 of _rbac.tpl. This was added in the PR. So this is not an issue.

---

🔴 Issue 2: deviceClasses granted read-only permissions (CORRECT) ✅

Location: chart/templates/clusterrole.yaml:96-100

The codex review claimed that write verbs (create, delete, patch) were granted for deviceClasses and suggested this was over-privileged. However, looking at the actual code:

{{ if or .Values.sync.toHost.resourceClaims.enabled .Values.sync.fromHost.deviceClasses.enabled}}
- apiGroups: ["resource.k8s.io"]
  resources: ["deviceclasses"]
  verbs: ["get", "watch", "list"]
{{- end }}

The implementation only grants read-only verbs (get, watch, list), which is correct for a fromHost syncer. This matches the pattern used for other fromHost resources like ingressClasses and runtimeClasses. So this is not an issue - the codex review appears to have been based on an earlier version of the code.

---

✅ Verification: No actual bugs found

After careful review of the current code:

1. ✅ The ClusterRole auto-create logic does include deviceClasses.enabled check
2. ✅ The RBAC permissions are correctly read-only (get, watch, list)
3. ✅ The implementation follows the same pattern as other fromHost cluster-scoped resources
4. ✅ Tests are included and cover both resourceClaims and deviceClasses
5. ✅ Configuration is properly defined in both values.yaml and config.go

The codex reviews appear to have been based on an earlier iteration of the code. The current implementation (commit 8d2eb20) has already addressed those concerns.

---

Minor observations (non-blocking):

1. Typo fix included: Good catch on the typo in pkg/config/validation.go:182 ("runnign" → "running")
2. Consistent patterns: The implementation correctly follows existing patterns for:
   • fromHost cluster-scoped resources (read-only RBAC)
   • toHost namespace-scoped resources (full RBAC)
   • Configuration structure and validation

---

✅ Recommendation: Approve

The code is well-structured, follows existing patterns, and doesn't contain the bugs mentioned in previous reviews. The implementation is ready to merge.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8d2eb20545

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Register a syncer for ResourceClaims

This new config knob exposes sync.toHost.resourceClaims, but there is no corresponding controller registered in pkg/controllers/resources/register.go (the syncer list only includes existing resources). That means users can enable this flag and still get no ResourceClaim syncing at all; the controller never starts despite RBAC/values being added. To make the feature functional, add a ResourceClaim syncer and register it (or avoid exposing the flag until the controller exists).

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Register a syncer for DeviceClasses

The new sync.fromHost.deviceClasses config is exposed, but no device class syncer is registered in pkg/controllers/resources/register.go, so enabling this flag does nothing (no informer/controller gets created). Users will expect host DeviceClasses to sync into the virtual cluster and instead see a no‑op. Add a DeviceClass syncer and register it in the syncer list to make the flag effective.

Useful? React with 👍 / 👎.