Bug 1996407

Summary: [cdi-functional-tests] cdi-docker-registry-host Pod fails to start
Product: Container Native Virtualization (CNV)
Reporter: Denis Ollier <dollierp>
Component: Storage
Assignee: Alex Kalenyuk <akalenyu>
Status: CLOSED ERRATA
QA Contact: Jenia Peimer <jpeimer>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.9.0
CC: akalenyu, cnv-qe-bugs, yadu
Target Milestone: ---
Keywords: TestBlocker
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: hco-bundle-registry-container-v4.9.0-147
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-02 16:00:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Denis Ollier 2021-08-22 17:33:00 UTC
Description of problem
----------------------

The Pod cdi-docker-registry-host, required when running CDI tier1 tests, is not starting on D/S CNV clusters.

Analysis
--------

Upstream PR https://github.com/kubevirt/containerized-data-importer/pull/1886 added the SETFCAP capability to the registry-populate container of the cdi-docker-registry-host Pod.

=> https://github.com/kubevirt/containerized-data-importer/blob/main/manifests/templates/registry-host.yaml.in

However, the relevant SCC has not been updated to allow such privileges, resulting in the cdi-docker-registry-host Pod failing to start:

>    message: 'pods "cdi-docker-registry-host-85764c55bc-" is forbidden: unable to
>      validate against any security context constraint: [provider "anyuid": Forbidden:
>      not usable by user or serviceaccount, spec.containers[2].securityContext.capabilities.add:
>      Invalid value: "SETFCAP": capability may not be added, spec.initContainers[0].securityContext.runAsUser:
>      Invalid value: 0: must be in the ranges: [1000680000, 1000689999], spec.containers[0].securityContext.runAsUser:
>      Invalid value: 0: must be in the ranges: [1000680000, 1000689999], spec.containers[1].securityContext.runAsUser:
>      Invalid value: 0: must be in the ranges: [1000680000, 1000689999], spec.containers[2].securityContext.runAsUser:
>      Invalid value: 0: must be in the ranges: [1000680000, 1000689999], provider
>      "nonroot": Forbidden: not usable by user or serviceaccount, provider "noobaa":
>      Forbidden: not usable by user or serviceaccount, provider "noobaa-endpoint":
>      Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid":
>      Forbidden: not usable by user or serviceaccount, provider "hostpath-provisioner":
>      Forbidden: not usable by user or serviceaccount, provider "bridge-marker": Forbidden:
>      not usable by user or serviceaccount, provider "machine-api-termination-handler":
>      Forbidden: not usable by user or serviceaccount, provider "kubevirt-controller":
>      Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden:
>      not usable by user or serviceaccount, provider "hostaccess": Forbidden: not
>      usable by user or serviceaccount, provider "linux-bridge": Forbidden: not usable
>      by user or serviceaccount, provider "nmstate": Forbidden: not usable by user
>      or serviceaccount, provider "kubevirt-handler": Forbidden: not usable by user
>      or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount,
>      provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider
>      "privileged": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi":
>      Forbidden: not usable by user or serviceaccount]'

Version
-------
OCP-4.9.0-nightly
CNV: http://cnv-version-explorer.apps.cnv.engineering.redhat.com/BundleDetails?ver=v4.9.0-125
CDI tier1 tests compiled from https://github.com/kubevirt/containerized-data-importer/commit/98f53c88.
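The admission failure quoted above is the restricted SCC rejecting two things at once: a capability that the SCC does not list in allowedCapabilities, and a runAsUser outside the namespace's MustRunAsRange. The following is an added example, not code from the bug report or from the CDI project: a small Python emulation of those two checks, run on a constructed pod spec shaped like the one in the message (one init container, three containers, all running as UID 0, the third adding SETFCAP) against a constructed restricted-style SCC and a constructed SCC that grants exactly what the pod needs. The SCC names, the container names other than registry-populate, and the pod spec are assumptions, not the cluster's real objects.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SCC:
    """Subset of an OpenShift SecurityContextConstraints object (constructed)."""
    name: str
    allowed_capabilities: frozenset        # capabilities a container may add
    uid_range: Optional[Tuple[int, int]]   # MustRunAsRange bounds; None means RunAsAny


def validate_pod(pod: Dict, scc: SCC) -> List[str]:
    """Emulate the two SCC checks seen in the bug's admission error.

    Returns one message per violation, in the admission controller's wording,
    or an empty list if the pod is acceptable under this SCC.
    """
    errors: List[str] = []
    pod_uid = pod["spec"].get("securityContext", {}).get("runAsUser")
    for kind in ("initContainers", "containers"):
        for i, container in enumerate(pod["spec"].get(kind, [])):
            sc = container.get("securityContext", {})
            path = f"spec.{kind}[{i}].securityContext"
            # Check 1: every added capability must appear in allowedCapabilities.
            for cap in sc.get("capabilities", {}).get("add", []):
                if cap not in scc.allowed_capabilities:
                    errors.append(f'{path}.capabilities.add: Invalid value: "{cap}": '
                                  "capability may not be added")
            # Check 2: the effective runAsUser must lie inside the SCC's UID range.
            uid = sc.get("runAsUser", pod_uid)
            if scc.uid_range is not None and uid is not None:
                lo, hi = scc.uid_range
                if not lo <= uid <= hi:
                    errors.append(f"{path}.runAsUser: Invalid value: {uid}: "
                                  f"must be in the ranges: [{lo}, {hi}]")
    return errors


def _container(name: str, add_caps=()) -> Dict:
    """Constructed container spec running as root with optional added caps."""
    return {"name": name,
            "securityContext": {"runAsUser": 0,
                                "capabilities": {"add": list(add_caps)}}}


# Constructed pod shaped like the failing one: every container runs as root and
# the third regular container asks for SETFCAP (container names are assumed).
REGISTRY_POD = {"spec": {
    "initContainers": [_container("init")],
    "containers": [_container("registry"), _container("populate-images"),
                   _container("registry-populate", add_caps=("SETFCAP",))],
}}

# Constructed SCCs: a restricted-style one with the UID range from the bug, and
# the narrowest grant that lets this pod through (allow SETFCAP, RunAsAny).
RESTRICTED = SCC("restricted", frozenset(), (1000680000, 1000689999))
REGISTRY_SCC = SCC("cdi-registry-host", frozenset({"SETFCAP"}), None)


def first_admitting_scc(pod: Dict, sccs: List[SCC]) -> Optional[str]:
    """Name of the first SCC, in priority order, that admits the pod; else None."""
    for scc in sccs:
        if not validate_pod(pod, scc):
            return scc.name
    return None


if __name__ == "__main__":
    for err in validate_pod(REGISTRY_POD, RESTRICTED):
        print("restricted:", err)
    print("admitted by:", first_admitting_scc(REGISTRY_POD, [RESTRICTED, REGISTRY_SCC]))
```

A real admission pass checks more than this (SELinux, seccomp, volume types, fsGroup), but the two checks above account for all five "Invalid value" entries in the quoted message. Note also that in the message every provider other than restricted is reported as "not usable by user or serviceaccount": the pod's service account simply has no RBAC permission to use them, so restricted is the only SCC actually evaluated. Granting that one service account use of a dedicated SCC that allows SETFCAP and RunAsAny, as the constructed REGISTRY_SCC does, keeps the wider grant scoped to this workload instead of loosening restricted for the whole namespace.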

Comment 4 errata-xmlrpc 2021-11-02 16:00:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.9.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4104