Fix scc issues with VMFR

mpryc · mpryc · commit 61d47c8ba760 · 2025-12-10T12:25:04.000+01:00
Fixes issue #53 Signed-off-by: Michal Pryc <mpryc@redhat.com>
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -93,6 +93,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 - apiGroups:
   - velero.io
   resources:
diff --git a/internal/controller/virtualmachinefilerestore_controller.go b/internal/controller/virtualmachinefilerestore_controller.go
@@ -95,6 +95,7 @@ func (e ErrUnsupportedBackup) Error() string {
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,resourceNames=privileged,verbs=use
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=velero.io,resources=restores,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=velero.io,resources=backups,verbs=get;list;watch
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
@@ -83,8 +83,8 @@ var _ = Describe("Manager", Ordered, func() {
 		Expect(err).NotTo(HaveOccurred(), "Failed to patch imagePullPolicy")
 	})
 
-	// After all tests have been executed, clean up by undeploying the controller, uninstalling CRDs,
-	// and deleting the namespace.
+	// After all tests have been executed, clean up by deleting controller resources
+	// but NOT the namespace (which contains Velero needed by other test suites).
 	AfterAll(func() {
 		By("cleaning up the curl pod for metrics")
 		cmd := exec.Command("kubectl", "delete", "pod", "curl-metrics", "-n", namespace)
@@ -94,8 +94,20 @@ var _ = Describe("Manager", Ordered, func() {
 		cmd = exec.Command("kubectl", "delete", "clusterrolebinding", metricsRoleBindingName)
 		_, _ = utils.Run(cmd)
 
-		By("undeploying the controller-manager")
-		cmd = exec.Command("make", "undeploy")
+		By("deleting the controller deployment")
+		cmd = exec.Command("kubectl", "delete", "deployment", "oadp-vm-file-restore-controller-manager", "-n", namespace, "--ignore-not-found")
+		_, _ = utils.Run(cmd)
+
+		By("deleting controller RBAC resources")
+		cmd = exec.Command("kubectl", "delete", "clusterrole,clusterrolebinding,role,rolebinding", "-l", "app.kubernetes.io/name=oadp-vm-file-restore", "--ignore-not-found")
+		_, _ = utils.Run(cmd)
+
+		By("deleting controller service account")
+		cmd = exec.Command("kubectl", "delete", "serviceaccount", serviceAccountName, "-n", namespace, "--ignore-not-found")
+		_, _ = utils.Run(cmd)
+
+		By("deleting metrics service")
+		cmd = exec.Command("kubectl", "delete", "service", metricsServiceName, "-n", namespace, "--ignore-not-found")
 		_, _ = utils.Run(cmd)
 
 		By("uninstalling CRDs")
