Bug 2063540

Summary:	[CNV-4.11] Authorization Failed When Cloning Source Namespace
Product:	Container Native Virtualization (CNV)	Reporter:	Mor Cohen <mocohen>
Component:	SSP	Assignee:	Andrej Krejcir <akrejcir>
Status:	CLOSED ERRATA	QA Contact:	Geetika Kapoor <gkapoor>
Severity:	urgent	Docs Contact:
Priority:	unspecified
Version:	4.11.0	CC:	akrejcir, cnv-qe-bugs, oshoval, ycui
Target Milestone:	---	Keywords:	AutomationBlocker, Regression, TestBlocker
Target Release:	4.11.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	kubevirt-ssp-operator-container-v4.11.0-11	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-09-14 19:29:09 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Mor Cohen 2022-03-13 14:22:24 UTC

Description of problem:
Getting the following response when trying to create a vm using the smoke tests from cnv-tests repository https://code.engineering.redhat.com/gerrit/admin/repos/cnv-tests.

{
	"kind": "Status",
	"apiVersion": "v1",
	"metadata": {},
	"status": "Failure",
	"message": "admission webhook \\"
	virtualmachine - validator.kubevirt.io\\ " denied the request: Authorization failed, message is: User system:serviceaccount:ssp-supported-os-common-templates-rhel-test-rhel-os-support:default has insufficient permissions in clone source namespace openshift-virtualization-os-images",
	"reason": "Invalid",
	"details": {
		"causes": [{
			"reason": "FieldValueInvalid",
			"message": "Authorization failed, message is: User system:serviceaccount:ssp-supported-os-common-templates-rhel-test-rhel-os-support:default has insufficient permissions in clone source namespace openshift-virtualization-os-images",
			"field": "spec.dataVolumeTemplates[0]"
		}]
	}

A build with some logs: https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/job/verify-cnv-4.11.z-build/56/consoleFull

How reproducible:
100

Steps to Reproduce:
1. Install CNV-v4.11.0-108 from iib:192344.

Actual results:


Expected results:


Additional info:

Comment 1 Dominik Holler 2022-03-14 10:09:43 UTC

Is the behavior reproducible in 4.10 ?

Comment 2 Mor Cohen 2022-03-15 12:08:39 UTC

No, this behavior is not reproducible in 4.10.
Just on 4.11 - and it's still reproducible (validated again).

Comment 3 Andrej Krejcir 2022-03-18 11:34:17 UTC

This bug may have been caused by a change in SSP, that caused the d/s build to be incorrect.

This PR should fix it: https://github.com/kubevirt/ssp-operator/pull/326
A d/s patch will be needed too.

Comment 6 Andrej Krejcir 2022-03-21 14:20:23 UTC

*** Bug 2066223 has been marked as a duplicate of this bug. ***

Comment 7 Mor Cohen 2022-03-23 11:53:23 UTC

Can verify that the bug is not hitting again on RHEL8 builds.
Will fully verify when I see that also RHEL9 builds are passing just to make sure.

Comment 8 Mor Cohen 2022-03-24 07:25:54 UTC

Alright after few GREEN builds of RHEL9 based CNV-4.11 I can verify that we don't get this issue anymore.
Thanks !

Comment 11 errata-xmlrpc 2022-09-14 19:29:09 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.11.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6526