Merge pull request #58961 from ousleyp/cnv-7098

CNV-7098: default and custom RBAC roles for OCP virt

Author: ousleyp

modules/virt-default-cluster-roles.adoc

@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * virt/virt-additional-security-privileges-controller-and-launcher.adoc
+
+:_content-type: REFERENCE
+[id="default-cluster-roles-for-virt_{context}"]
+= Default cluster roles for {VirtProductName}
+
+By using cluster role aggregation, {VirtProductName} extends the default {product-title} cluster roles to include permissions for accessing virtualization objects.
+
+.{VirtProductName} cluster roles
+[cols="1,1,4",options="header"]
+|===
+|Default cluster role
+|{VirtProductName} cluster role
+|{VirtProductName} cluster role description
+
+.^| `view`
+.^|`kubevirt.io:view` 
+| A user that can view all {VirtProductName} resources in the cluster but cannot create, delete, modify, or access them. For example, the user can see that a virtual machine (VM) is running but cannot shut it down or gain access to its console.
+
+.^| `edit`
+.^|`kubevirt.io:edit` 
+| A user that can modify all {VirtProductName} resources in the cluster. For example, the user can create VMs, access VM consoles, and delete VMs.
+
+.^| `admin`
+.^|`kubevirt.io:admin` 
+| A user that has full permissions to all {VirtProductName} resources, including the ability to delete collections of resources. The user can also view and modify the {VirtProductName} runtime configuration, which is located in the `HyperConverged` custom resource in the `openshift-cnv` namespace.
+|===

virt/virt-security-policies.adoc

@@ -19,8 +19,18 @@ include::modules/virt-about-workload-security.adoc[leveloffset=+1]
 
 include::modules/virt-additional-scc-for-kubevirt-controller.adoc[leveloffset=+1]
 
+[id="authorization_virt-security-policies"]
+== Authorization
+
+{VirtProductName} uses xref:../authentication/using-rbac.adoc#using-rbac[role-based access control] (RBAC) for authorization. For example, an administrator can create an RBAC role that provides the permissions required to launch a virtual machine. The administrator can then restrict access to that feature by binding the role to specific users.
+
+include::modules/virt-default-cluster-roles.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 [id="additional-resources_{context}"]
 == Additional resources
 * xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-about_configuring-internal-oauth[Managing security context constraints]
-* xref:../authentication/using-rbac.adoc#using-rbac[Using RBAC to define and apply permissions]
+* xref:../authentication/using-rbac.adoc#using-rbac[Using RBAC to define and apply permissions]
+* xref:../authentication/using-rbac.adoc#creating-cluster-role_using-rbac[Creating a cluster role]
+* xref:../authentication/using-rbac.adoc#cluster-role-binding-commands_using-rbac[Cluster role binding commands]
+* xref:../virt/virtual_machines/cloning_vms/virt-enabling-user-permissions-to-clone-datavolumes.adoc#virt-enabling-user-permissions-to-clone-datavolumes[Enabling user permissions to clone data volumes across namespaces]