Bug 1666704

Summary: virtctl restart doesn't work because of wrongly configured RBAC
Product: Container Native Virtualization (CNV)
Reporter: Marc Sluiter <msluiter>
Component: Virtualization
Assignee: Marc Sluiter <msluiter>
Status: CLOSED ERRATA
QA Contact: zhe peng <zpeng>
Severity: medium
Priority: medium
Version: 1.4
CC: cnv-qe-bugs, fdeutsch, ipinto, sgordon, sgott, zpeng
Target Release: 1.4
Hardware: Unspecified
OS: Unspecified
Fixed In Version: kubevirt-0.13.2-1.ge1ce9da.6d86849 virt-api-container-v1.4.0-15 virt-controller-container-v1.4.0-15 virt-handler-container-v1.4.0-15 virt-launcher-container-v1.4.0-15 virt-operator-container-v1.4.0-7
Last Closed: 2019-02-26 10:28:24 UTC
Type: Bug

Description Marc Sluiter 2019-01-16 12:10:04 UTC
Description of problem:

virtctl restart doesn't work because of wrongly configured RBAC

Comment 1 Marc Sluiter 2019-01-16 12:22:48 UTC
A fix is on its way, see https://github.com/kubevirt/kubevirt/pull/1942

Comment 2 Marc Sluiter 2019-01-17 09:41:53 UTC
How to reproduce on OpenShift:

1. Create a user with edit role:
$ oc create user foo
$ oc adm policy add-cluster-role-to-user edit foo

2. Login with that user and create and start any VM:
$ oc login -u foo -p ...
$ oc apply -f ./cluster/examples/vm-cirros.yaml
$ ./virtctl start vm-cirros

3. Try to restart that VM
$ ./virtctl restart vm-cirros
Error restarting VirtualMachine virtualmachines.subresources.kubevirt.io "vm-cirros" is forbidden: User "foo" cannot update virtualmachines.subresources.kubevirt.io/restart in the namespace "default": no RBAC policy matched

Expected:
$ ./virtctl restart vm-cirros
VM vm-cirros was scheduled to restart
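
Added example, not part of the original comment and not KubeVirt's code: a minimal model of how Kubernetes RBAC matches a rule against the request named in the error above (verb update, API group subresources.kubevirt.io, resource virtualmachines, subresource restart). The three rule sets are constructed samples and do not reproduce KubeVirt's shipped roles or the fix; resourceNames and non-resource URLs are left out of the model.

```python
# Simplified model of Kubernetes RBAC rule matching for resource requests.
# Assumption: resourceNames and nonResourceURLs are ignored in this sketch.

def _verb_ok(rule, verb):
    return "*" in rule["verbs"] or verb in rule["verbs"]

def _group_ok(rule, group):
    return "*" in rule["apiGroups"] or group in rule["apiGroups"]

def _resource_ok(rule, resource, subresource):
    # A subresource request is matched as "<resource>/<subresource>";
    # a rule for the bare resource does not cover its subresources.
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule["resources"]:
        if entry == "*" or entry == combined:
            return True
        # "*/<subresource>" matches that subresource on any resource
        if subresource and entry == f"*/{subresource}":
            return True
    return False

def allowed(rules, verb, group, resource, subresource=""):
    """True if at least one rule grants the request (RBAC is allow-only)."""
    return any(_verb_ok(r, verb) and _group_ok(r, group)
               and _resource_ok(r, resource, subresource) for r in rules)

# Request attributes copied from the "is forbidden" error in the report
RESTART = dict(verb="update", group="subresources.kubevirt.io",
               resource="virtualmachines", subresource="restart")

# Constructed: rule covering VM objects only, in the main API group
VM_ONLY = [{"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines"],
            "verbs": ["get", "list", "watch", "create", "update", "delete"]}]

# Constructed: correct API group, but the subresource is not named
WRONG_SUB = [{"apiGroups": ["subresources.kubevirt.io"],
              "resources": ["virtualmachines"], "verbs": ["update"]}]

# Constructed: rule that names the restart subresource explicitly
WITH_RESTART = VM_ONLY + [{"apiGroups": ["subresources.kubevirt.io"],
                           "resources": ["virtualmachines/restart"],
                           "verbs": ["update"]}]

def report():
    sets = [("vm_only", VM_ONLY), ("wrong_sub", WRONG_SUB),
            ("with_restart", WITH_RESTART)]
    return {name: allowed(rules, **RESTART) for name, rules in sets}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name}: {'allowed' if ok else 'forbidden'}")
```

Only the last rule set allows the request: update on virtualmachines in kubevirt.io lets the user edit the VM object, but the restart call is authorized as a separate subresource in a separate API group.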

Comment 3 Israel Pinto 2019-01-20 13:22:09 UTC
@Zhe,

Please add test case for this scenario

Comment 4 zhe peng 2019-01-21 07:03:00 UTC
Done

Comment 6 sgott 2019-01-24 21:45:34 UTC
To reproduce/verify this, follow the steps Marc outlined.

Comment 7 Israel Pinto 2019-01-28 12:58:50 UTC
Version: CNV 1.4 
Steps from: https://bugzilla.redhat.com/show_bug.cgi?id=1666704#c2
Managed to start VM with other user via virtctl.

Comment 10 errata-xmlrpc 2019-02-26 10:28:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0418