Bug 1791753

Summary: [RFE] [SSP] Template validator should check validations in template's parent template
Product: Container Native Virtualization (CNV)
Component: SSP
Version: 2.2.0
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Ruth Netser <rnetser>
Assignee: Omer Yahud <oyahud>
QA Contact: Ruth Netser <rnetser>
CC: cnv-qe-bugs, fdeutsch, ipinto, kbidarka, ksimon, oyahud, tjelinek
Keywords: TestOnly
Target Milestone: ---
Target Release: 2.6.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: kubevirt-ssp-operator-container-v2.6.0-32
Last Closed: 2021-03-10 11:16:12 UTC
Type: Bug

Description Ruth Netser 2020-01-16 12:31:18 UTC
Description of problem:

When a template is created from a wizard from the UI, the new template contains the VM spec but it does not contain any metadata / annotations which exist in the original common template which was used as a baseline for the new template.
Though the 'parent' template appears in the new template, the validator does not check for constraints which may exist in the parent template.
For example - validations.
As a result, the user can edit the template, modify a value which violates the validations and a VM will be created.


Version-Release number of selected component (if applicable):
CNV 2.2

How reproducible:
100%

Steps to Reproduce:
1. From the UI, create a template using RHEL8 template (select rhel8.1 from the OS dropdown)
2. Modify the new template - requested memory < RHEL8 minimum required memory (e.g. 500M)
3. Create a VM using the new template 

Actual results:
The VM will be created.

Expected results:
The VM should not be created as it violates the minimum memory.

Additional info:

Reference to parent template in the new template.
metadata:
  ....
  labels:
  ....
    vm.kubevirt.io/template: rhel8-server-small-v0.7.0
    vm.kubevirt.io/template-namespace: openshift

Comment 3 Omer Yahud 2020-05-13 12:12:12 UTC
Had a discussion with Tomas about this bug, and I proposed this issue to be handled in the UI by copying validation rules from the parent template to the child template instead of enforcing validations from the parent template.

Tomas, is my proposal acceptable to you and can your team handle this bug?

Comment 4 Tomas Jelinek 2020-05-14 11:14:03 UTC
(In reply to Omer Yahud from comment #3)
> Had a discussion with Tomas about this bug, and I proposed this issue to be
> handled in the UI by copying validation rules from the parent template to
> the child template instead of enforcing validations from the parent template.
> 
> Tomas, is my proposal acceptable to you and can your team handle this bug?

After an offline discussion with Karel Simon it seems that the templates are not immutable and during update the validations can change. In that case I don't think it is a good idea to copy them over to vm-templates.

@Karel, can you please confirm?

Comment 6 Ruth Netser 2021-01-19 12:22:07 UTC
Verified with kubevirt-ssp-operator-container-v2.6.0-35:
The validation annotation is now under the VM object.
As such, when a template is created from a common template, this part is copied as-is to the new template.
When a VM is created from the custom template, if its spec violates any of the rules, VM creation fails.


kind: Template
apiVersion: template.openshift.io/v1
metadata:
  name: fed-template
  namespace: default
  uid: 791118f5-2c0f-46e1-a822-44ab694191fd
  resourceVersion: '170925'
  creationTimestamp: '2021-01-19T11:56:10Z'
  labels:
    flavor.template.kubevirt.io/small: 'true'
    os.template.kubevirt.io/fedora33: 'true'
    template.kubevirt.io/type: vm
    vm.kubevirt.io/template: fedora-server-small
    vm.kubevirt.io/template.namespace: openshift
    workload.template.kubevirt.io/server: 'true'
  annotations:
    iconClass: icon-fedora
    name.os.template.kubevirt.io/fedora33: Fedora 32 or higher
    template.kubevirt.io/provider: My company
    template.kubevirt.ui/parent-provider: Red Hat
    template.kubevirt.ui/parent-provider-url: 'https://www.fedoraproject.org'
    template.kubevirt.ui/parent-support-level: Community
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: template.openshift.io/v1
      time: '2021-01-19T11:56:10Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:iconClass': {}
            'f:name.os.template.kubevirt.io/fedora33': {}
            'f:template.kubevirt.io/provider': {}
            'f:template.kubevirt.ui/parent-provider': {}
            'f:template.kubevirt.ui/parent-provider-url': {}
            'f:template.kubevirt.ui/parent-support-level': {}
          'f:labels':
            .: {}
            'f:flavor.template.kubevirt.io/small': {}
            'f:os.template.kubevirt.io/fedora33': {}
            'f:template.kubevirt.io/type': {}
            'f:vm.kubevirt.io/template': {}
            'f:vm.kubevirt.io/template.namespace': {}
            'f:workload.template.kubevirt.io/server': {}
        'f:objects': {}
        'f:parameters': {}
objects:
  - apiVersion: kubevirt.io/v1alpha3
    kind: VirtualMachine
    metadata:
      annotations:
        vm.kubevirt.io/flavor: small
        vm.kubevirt.io/os: fedora
        vm.kubevirt.io/validations: |
          [
            {
              "name": "minimal-required-memory",
              "path": "jsonpath::.spec.domain.resources.requests.memory",
              "rule": "integer",
              "message": "This VM requires more memory.",
              "min": 1073741824
            }
          ]
        vm.kubevirt.io/workload: server
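
The behaviour verified in comment 6, as an added example that is not part of the bug report or of the SSP operator's code: the rules travel in the `vm.kubevirt.io/validations` annotation on the VM object, so a VM built from a custom template is checked, while an object that lacks the annotation is not checked at all. The function names, the flattened VM dict (so that the annotation's path resolves directly) and the fail-closed handling of a missing value are assumptions of this example.

```python
import json
import re

# Annotation value as shown on the VM object in comment 6.
VALIDATIONS = """[{"name": "minimal-required-memory",
  "path": "jsonpath::.spec.domain.resources.requests.memory",
  "rule": "integer", "message": "This VM requires more memory.",
  "min": 1073741824}]"""
ANNOTATION = "vm.kubevirt.io/validations"
# Subset of Kubernetes quantity suffixes; enough for memory requests.
SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def quantity_to_int(q):
    """Convert a quantity such as '500M' or '1Gi' to a number of bytes."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|k|M|G)?", str(q))
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return int(m.group(1)) * SUFFIX[m.group(2) or ""]

def resolve(obj, path):
    """Walk the plain dotted form 'jsonpath::.a.b.c'; None if a key is absent."""
    for key in path.split("::", 1)[-1].strip(".").split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def validate_vm(vm):
    """Return violation messages for the 'integer' rules carried by the VM."""
    raw = vm.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    failures = []
    for rule in json.loads(raw) if raw else []:
        if rule.get("rule") != "integer":
            continue  # other rule types are not handled in this example
        value = resolve(vm, rule["path"])
        # Assumption of this example: a missing value fails closed.
        if value is None or quantity_to_int(value) < rule.get("min", 0):
            failures.append(f'{rule["name"]}: {rule["message"]}')
    return failures

def make_vm(memory, with_rules=True):
    """Constructed VM object, standing in for one rendered from a custom template."""
    annotations = {ANNOTATION: VALIDATIONS} if with_rules else {}
    return {"kind": "VirtualMachine", "metadata": {"annotations": annotations},
            "spec": {"domain": {"resources": {"requests": {"memory": memory}}}}}

if __name__ == "__main__":
    for mem, rules in (("500M", True), ("2Gi", True), ("500M", False)):
        print(mem, rules, validate_vm(make_vm(mem, rules)))
```

The third case reproduces the original report: with no rules on the object itself, the 500M request passes unchecked.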

Comment 9 errata-xmlrpc 2021-03-10 11:16:12 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0799