Bug 1985719
| Summary: | Unprivileged client fails to get guest agent data | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | vsibirsk |
| Component: | Virtualization | Assignee: | Roman Mohr <rmohr> |
| Status: | CLOSED ERRATA | QA Contact: | Israel Pinto <ipinto> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.8.0 | CC: | cnv-qe-bugs, rmohr, sgott, zpeng |
| Target Milestone: | --- | | |
| Target Release: | 4.9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | virt-operator-container-v4.9.0-29 hco-bundle-registry-container-v4.9.0-122 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1987262 1997017 2000464 | Environment: | |
| Last Closed: | 2021-11-02 15:59:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1987262, 1997017, 2000464 | | |
Looking into our rbac role it does not look like we ever added this endpoint. Therefore I don't think that unprivileged clients could ever access it. On a quick glance it looks like it should be added to the `kubevirt.io:edit` and `kubevirt.io:view` roles.

https://github.com/kubevirt/kubevirt/pull/6147

Itamar, would be great if you could review the PR. I took it since there is some test refactoring necessary.

To verify: follow steps to reproduce.

Verify with build HCO:[v4.9.0-144]

Steps:
1. Create unprivileged user with clusterrole
...
- virtualmachineinstances/guestosinfo
...
2. Create a VM with guest agent installed.
3. Start the VM using the unprivileged user.
4.
```
$ virtctl guestosinfo vm-rhel
{
  "guestAgentVersion": "5.1.0",
  "supportedCommands": [
    {
      "name": "guest-get-osinfo",
      "enabled": true
    },
    {
      "name": "guest-get-timezone",
      "enabled": true
    },
    {
      "name": "guest-get-users",
      "enabled": true
    },
    {
      "name": "guest-get-host-name",
      "enabled": true
    },
    {
      "name": "guest-exec",
      "enabled": true
    },
    {
      "name": "guest-exec-status",
      "enabled": true
    },
    {
      "name": "guest-get-memory-block-info",
      "enabled": true
    },
    {
      "name": "guest-set-memory-blocks",
      "enabled": true
    },
    {
      "name": "guest-get-memory-blocks",
      "enabled": true
    },
    {
      "name": "guest-set-user-password",
      "enabled": true
    },
    {
      "name": "guest-get-fsinfo",
      "enabled": true
    },
    {
      "name": "guest-set-vcpus",
      "enabled": true
    },
    {
      "name": "guest-get-vcpus",
      "enabled": true
    },
    {
      "name": "guest-network-get-interfaces",
      "enabled": true
    },
    {
      "name": "guest-suspend-hybrid",
      "enabled": true
    },
    {
      "name": "guest-suspend-ram",
      "enabled": true
    },
    {
      "name": "guest-suspend-disk",
      "enabled": true
    },
    {
      "name": "guest-fstrim",
      "enabled": true
    },
    {
      "name": "guest-fsfreeze-thaw",
      "enabled": true
    },
    {
      "name": "guest-fsfreeze-freeze-list",
      "enabled": true
    },
    {
      "name": "guest-fsfreeze-freeze",
      "enabled": true
    },
    {
      "name": "guest-fsfreeze-status",
      "enabled": true
    },
    {
      "name": "guest-file-flush",
      "enabled": true
    },
    {
      "name": "guest-file-seek",
      "enabled": true
    },
    {
      "name": "guest-file-write",
      "enabled": true
    },
    {
      "name": "guest-file-read",
      "enabled": true
    },
    {
      "name": "guest-file-close",
      "enabled": true
    },
    {
      "name": "guest-file-open",
      "enabled": true
    },
    {
      "name": "guest-shutdown",
      "enabled": true
    },
    {
      "name": "guest-info",
      "enabled": true
    },
    {
      "name": "guest-set-time",
      "enabled": true
    },
    {
      "name": "guest-get-time",
      "enabled": true
    },
    {
      "name": "guest-ping",
      "enabled": true
    },
    {
      "name": "guest-sync",
      "enabled": true
    },
    {
      "name": "guest-sync-delimited",
      "enabled": true
    }
  ],
  "hostname": "vm-rhel",
  "os": {
    "name": "Fedora",
    "kernelRelease": "5.9.11-200.fc33.x86_64",
    "version": "33 (Cloud Edition)",
    "prettyName": "Fedora 33 (Cloud Edition)",
    "versionId": "33",
    "kernelVersion": "#1 SMP Tue Nov 24 18:18:01 UTC 2020",
    "machine": "x86_64",
    "id": "fedora"
  },
  "timezone": "UTC, 0",
  "fsInfo": {
    "disks": [
      {
        "diskName": "sda1",
        "mountPoint": "/",
        "fileSystemType": "ext4",
        "usedBytes": 1508929536,
        "totalBytes": 3927900160
      }
    ]
  }
}
$ oc whoami
tester
```
Moving to verified.
>
> Steps to Reproduce:
> 1.Log-in as unprivileged client and create VM with guest agent
> 2.Try to get guest agent data - virtctl guestosinfo <vm_name> or oc describe
> vmi
>
Are you sure that `oc describe vm <myvm>` is affected too? As far as I can see it has the right permissions on the default view role to get/list/watch VMs.
Can it be that only `virtctl guestosinfo` is affected?
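The comment above proposing the fix and the question about `oc describe` versus `virtctl guestosinfo` turn on the same RBAC detail: the guestosinfo endpoint is a subresource in the `subresources.kubevirt.io` API group, and a rule granting `get` on `virtualmachineinstances` in `kubevirt.io` does not cover it. The following Python model is an added example, not KubeVirt code; the two role rule sets are constructed approximations of `kubevirt.io:view` before and after adding the subresource rule.

```python
"""Toy model of Kubernetes RBAC rule matching (constructed example, not
KubeVirt code). The role rules below approximate kubevirt.io:view before
and after the subresource rule proposed above; fields follow the
PolicyRule shape (apiGroups, resources, verbs). Only '*' and exact
matches are modelled."""

def rule_matches(rule, group, resource, verb):
    """A rule grants a request only if apiGroup, resource and verb all
    match. A resource entry is 'type' or 'type/subresource'; a bare
    'type' never covers 'type/subresource', which is the core of this bug."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def allowed(rules, group, resource, verb):
    """Kubernetes RBAC is purely additive: any matching rule allows."""
    return any(rule_matches(r, group, resource, verb) for r in rules)

# Constructed approximation of the view role before the fix: read access
# to the VM/VMI objects, nothing in the subresources.kubevirt.io group.
VIEW_BEFORE = [
    {"apiGroups": ["kubevirt.io"],
     "resources": ["virtualmachines", "virtualmachineinstances"],
     "verbs": ["get", "list", "watch"]},
]

# The same role with the guestosinfo subresource rule added.
VIEW_AFTER = VIEW_BEFORE + [
    {"apiGroups": ["subresources.kubevirt.io"],
     "resources": ["virtualmachineinstances/guestosinfo"],
     "verbs": ["get"]},
]

def check(rules):
    """Return (describe_vmi_ok, guestosinfo_ok) for a user bound to rules."""
    describe = allowed(rules, "kubevirt.io", "virtualmachineinstances", "get")
    guest = allowed(rules, "subresources.kubevirt.io",
                    "virtualmachineinstances/guestosinfo", "get")
    return describe, guest

if __name__ == "__main__":
    for name, rules in (("before", VIEW_BEFORE), ("after", VIEW_AFTER)):
        describe_ok, guest_ok = check(rules)
        print(f"{name}: oc describe vmi -> {'ok' if describe_ok else '403'}, "
              f"virtctl guestosinfo -> {'ok' if guest_ok else '403'}")
```

With the "before" rules the VMI object is readable but the subresource request is denied, which matches the 403 in the report while `oc describe vmi` keeps working.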
A backport for 4.8 can be found at https://github.com/kubevirt/kubevirt/pull/6401. Let me know when you want it for a z release.

Thanks Roman, I've updated the BZs for stable branches.
https://bugzilla.redhat.com/show_bug.cgi?id=1987262 is the tracker for 2.6.7
https://bugzilla.redhat.com/show_bug.cgi?id=1997017 is the tracker for 4.8.3

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.9.0 Images security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4104
Description of problem:
When logged in as an unprivileged client, getting 403 Forbidden when trying to get guest agent data:

```
$ virtctl guestosinfo rhel-8-3
{"component":"","level":"error","msg":"Cannot retrieve GuestOSInfo: unknown","pos":"vmi.go:449","timestamp":"2021-07-21T15:37:27.313829Z"}
Error getting guestosinfo of VirtualMachine rhel-8-3, unknown HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"virtualmachineinstances.subresources.kubevirt.io \"win-10-1627077454-9172375\" is forbidden: User \"unprivileged-user\" cannot get resource \"virtualmachineinstances/guestosinfo\" in API group \"subresources.kubevirt.io\" in the namespace \"supported-os-common-templates-windows-test-windows-os-support\"","reason":"Forbidden","details":{"name":"win-10-1627077454-9172375","group":"subresources.kubevirt.io","kind":"virtualmachineinstances"},"code":403}
```

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Log-in as unprivileged client and create VM with guest agent
2. Try to get guest agent data - virtctl guestosinfo <vm_name> or oc describe vmi

Actual results:
Fails with 403 Forbidden

Expected results:
Will get data from guest agent

Additional info:
This doesn't happen with admin client.