Bug 2056421
| Summary: | non-privileged user cannot add disk as it cannot update resource "virtualmachines/addvolume" | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | Guohua Ouyang <gouyang> |
| Component: | Storage | Assignee: | Alexander Wels <awels> |
| Status: | CLOSED ERRATA | QA Contact: | Natalie Gavrielov <ngavrilo> |
| Severity: | urgent | Docs Contact: | Olivia Payne <opayne> |
| Priority: | high | | |
| Version: | 4.10.0 | CC: | aos-bugs, cnv-qe-bugs, ctomasko, danken, gouyang, mrashish, opayne, scuppett, sgott, yadu, ymotiyel, yzamir |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | 4.10.1 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | release note | | |
| Fixed In Version: | CNV v4.10.1-85 | Doc Type: | Known Issue |
| Story Points: | --- | | |
| Clone Of: | | | |
| : | 2072014 | Environment: | |
| Last Closed: | 2022-05-18 20:27:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2072014 | | |
| Attachments: | | | |

Doc Text:

* Currently, non-privileged users cannot add disks to a virtual machine due to role-based access control (RBAC) rules. Non-privileged users will get an RBAC error when they try to add disks because they cannot update the `virtualmachines/addvolume` resource in the `subresources.kubevirt.io` API group in the `test` namespace. As a workaround, manually add the RBAC rule to allow specific users to add disks. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2056421[*BZ#2056421*])
the problem does not exist on CNV-v4.10.0-696 + 4.10.0-rc.6

(In reply to Guohua Ouyang from comment #1)
> the problem does not exist on CNV-v4.10.0-696 + 4.10.0-rc.6

please ignore this.

Stu hi, moving to virtualization because the API endpoint is under virtualization, please move to the correct component if needed.

Description:
Users that are allowed to create and edit a VM in some namespace are blocked when trying to add a volume:
http://kubevirt.io/api-reference/main/operations.html#_v1vmi-addvolume

Is this "as designed" and we don't want them to use this API call?
Does this RBAC rule need to be updated?
What component sets the RBAC rules?

Adam, I'm moving this BZ to the Storage component. While the endpoint is in the KubeVirt codebase, we think the storage team might have better visibility into what needs to be done here. It's not clear from the workflow this BZ went through if the issue still exists. Please feel free to move this back to virt if you think that's a better fit.

Known issue release note added to OpenShift 4.10

A non-privileged user cannot add disks to a VM due to RBAC rules. As a workaround, manually add the RBAC rule to allow specific users to add disks. (BZ#2056421)

https://github.com/openshift/openshift-docs/pull/42530
https://deploy-preview-42530--osdocs.netlify.app/openshift-enterprise/latest/virt/virt-4-10-release-notes#virt-4-10-known-issues

Future link: After the OpenShift Virtualization 4.10 releases, you can find the release notes here: https://docs.openshift.com/container-platform/4.10/virt/virt-4-10-release-notes.html
or on the portal, https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10

Test on CNV v4.10.1-88, issue has been fixed.

$ oc whoami
test
$ virtctl addvolume fedora-1619697674-6212 --volume-name=blank-dv --persist
Successfully submitted add volume request to VM fedora-1619697674-6212 for volume blank-dv

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.10.1 Images security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:4668
Created attachment 1862315
error on add disk modal

Description of problem:
Login with a non-privileged user, create a VM, and try to add a disk, an error shows:
user "test" cannot update resource "virtualmachines/addvolume" in API group "subresources.kubevirt.io" in the namespace "test"

Version-Release number of selected component (if applicable):
4.10-rc2

How reproducible:

Steps to Reproduce:
1. Login with a non-privileged user
2. Create a VM and add a disk to the VM
3.

Actual results:
error shows while adding disk

Expected results:
disk is added properly

Additional info:
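
The workaround named in the known-issue note ("manually add the RBAC rule to allow specific users to add disks") can be expressed as a namespaced Role and RoleBinding that grant only the one permission the error message reports as missing. This manifest is an added example, not taken from the bug report or from the KubeVirt or OpenShift projects; the object names `vm-addvolume` and `vm-addvolume-test` are assumptions, while the user `test`, the namespace `test`, the API group, and the resource come from the quoted error.

```yaml
# Added example: least-privilege workaround for the RBAC error in this bug.
# Grants only "update" on the addvolume subresource, in one namespace,
# to one named user. Nothing else about the user's access changes.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vm-addvolume              # hypothetical name
  namespace: test                 # namespace from the error message
rules:
  - apiGroups: ["subresources.kubevirt.io"]
    resources: ["virtualmachines/addvolume"]
    verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vm-addvolume-test         # hypothetical name
  namespace: test
subjects:
  - kind: User
    name: test                    # user from the error message
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: vm-addvolume              # must match the Role above
  apiGroup: rbac.authorization.k8s.io
```

Binding a namespaced Role to a named user keeps the grant scoped to the affected namespace; once the cluster runs the fixed version listed above (CNV v4.10.1-85), the extra Role and RoleBinding can be deleted.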