Bug 2119128
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24 | | |
| Product | Container Native Virtualization (CNV) | Reporter | Simone Tiraboschi <stirabos> |
| Component | Virtualization | Assignee | lpivarc |
| Status | CLOSED ERRATA | QA Contact | Denys Shchedrivyi <dshchedr> |
| Severity | urgent | Docs Contact | |
| Priority | urgent | | |
| Version | 4.12.0 | CC | acardace, lpivarc, sgott, ycui |
| Target Milestone | --- | Keywords | Regression, TestBlocker |
| Target Release | 4.12.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | hco-bundle-registry-v4.12.0-532 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 2128997 | Environment | |
| Last Closed | 2023-01-24 13:39:56 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 2128997, 2128999, 2132015 | | |
Description
Simone Tiraboschi
2022-08-17 15:41:52 UTC
Proposing this as a blocker.

While Lubo merged the required changes in Kubevirt we're still missing a change in HCO to enable PSA feature gate by default, @stirabos can you comment here when you post the HCO PR?

PSA FG on Kubevirt is now always enabled on HCO managed deployments.

Verified on v4.12.0-535 - VM can be successfully started:

> $ oc get pod
> NAME READY STATUS RESTARTS AGE
> virt-launcher-vm-fedora-f558p 2/2 Running 0 8s

But as I see, we do not revert back labels of the namespace when VM removed:

1) created new namespace - it has default labels:

> $ oc describe ns namespace-test
> Name: namespace-test
> Labels: kubernetes.io/metadata.name=namespace-test
> pod-security.kubernetes.io/enforce=restricted
> pod-security.kubernetes.io/enforce-version=v1.24

2) Created and started VM in this namespace - labels updated:

> $ oc describe ns namespace-test
> Name: namespace-test
> Labels: kubernetes.io/metadata.name=namespace-test
> pod-security.kubernetes.io/enforce=privileged
> pod-security.kubernetes.io/enforce-version=v1.24
> security.openshift.io/scc.podSecurityLabelSync=false

3) Removed VM - labels still the same (not reverted back):

> $ oc get vm
> No resources found in namespace-test namespace.
> $ oc get vmi
> No resources found in namespace-test namespace.
> $ oc get pod
> No resources found in namespace-test namespace.
> $ oc describe ns namespace-test
> Name: namespace-test
> Labels: kubernetes.io/metadata.name=namespace-test
> pod-security.kubernetes.io/enforce=privileged
> pod-security.kubernetes.io/enforce-version=v1.24
> security.openshift.io/scc.podSecurityLabelSync=false

Removing the label seems to me an optional thing. The reason is that users can already use the namespace as a privilege for the duration while the VM is running and therefore you are giving them trust. I think it would be good to document this behavior.
Moving this bz to verified state

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408
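The stale-label behaviour discussed in this bug (a namespace left at `pod-security.kubernetes.io/enforce=privileged` with `security.openshift.io/scc.podSecurityLabelSync=false` after the VM was removed) can be audited from the cluster side. The following is an added example, not code from the bug report, KubeVirt or HCO; it assumes label dictionaries shaped like `metadata.labels` from `oc get ns -o json` plus the set of namespaces that currently hold a VMI, and the sample data is constructed.

```python
PSA_ENFORCE = "pod-security.kubernetes.io/enforce"
PSA_ENFORCE_VERSION = "pod-security.kubernetes.io/enforce-version"
SCC_LABEL_SYNC = "security.openshift.io/scc.podSecurityLabelSync"


def stale_privileged_namespaces(namespaces, namespaces_with_vmi):
    """Return names of namespaces relaxed to enforce=privileged (with the
    SCC label sync switched off, as seen when virt-launcher starts) that no
    longer host any VirtualMachineInstance.

    namespaces: dict of namespace name -> labels dict (metadata.labels)
    namespaces_with_vmi: iterable of namespace names with at least one VMI
    """
    active = set(namespaces_with_vmi)
    stale = []
    for name, labels in namespaces.items():
        relaxed = labels.get(PSA_ENFORCE) == "privileged"
        # A privileged namespace whose SCC->PSA sync is still enabled was
        # most likely set by an administrator, not by KubeVirt; skip it.
        sync_off = labels.get(SCC_LABEL_SYNC) == "false"
        if relaxed and sync_off and name not in active:
            stale.append(name)
    return sorted(stale)


# Constructed sample data mirroring the `oc describe ns` output in this bug.
SAMPLE_NAMESPACES = {
    "namespace-test": {  # VM started, then removed: labels left behind
        "kubernetes.io/metadata.name": "namespace-test",
        PSA_ENFORCE: "privileged",
        PSA_ENFORCE_VERSION: "v1.24",
        SCC_LABEL_SYNC: "false",
    },
    "vm-running": {  # VM still running, so the relaxation is expected
        "kubernetes.io/metadata.name": "vm-running",
        PSA_ENFORCE: "privileged",
        PSA_ENFORCE_VERSION: "v1.24",
        SCC_LABEL_SYNC: "false",
    },
    "untouched": {  # default OCP 4.12 namespace, still restricted
        "kubernetes.io/metadata.name": "untouched",
        PSA_ENFORCE: "restricted",
        PSA_ENFORCE_VERSION: "v1.24",
    },
}
SAMPLE_VMI_NAMESPACES = {"vm-running"}

if __name__ == "__main__":
    for ns in stale_privileged_namespaces(SAMPLE_NAMESPACES, SAMPLE_VMI_NAMESPACES):
        print(f"{ns}: left at {PSA_ENFORCE}=privileged with no VMI present")
```

On a live cluster the two inputs would come from `oc get ns -o json` and `oc get vmi -A`; the flagged namespaces are the ones where an operator should decide whether to restore the restricted labels.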