Bug 2128997

Summary: [4.11.1] virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
Product: Container Native Virtualization (CNV)
Reporter: Antonio Cardace <acardace>
Component: Virtualization
Assignee: lpivarc
Status: CLOSED ERRATA
QA Contact: Akriti Gupta <akrgupta>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 4.11.0
CC: acardace, cnv-qe-bugs, kbidarka, lpivarc, sasundar, sgott, stirabos, ycui
Target Milestone: ---
Keywords: Regression, TestBlocker
Target Release: 4.11.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: hco-bundle-registry-container-v4.11.1-35
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2119128
: 2128999
Environment:
Last Closed: 2022-12-01 21:12:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2119128
Bug Blocks: 2089744, 2128999, 2132015

Comment 1 Kedar Bidarkar 2022-10-12 11:54:39 UTC
Appears fixed with v4.11.1-29 HCO-Bundle

Comment 2 Kedar Bidarkar 2022-10-12 12:13:13 UTC
*** Bug 2133654 has been marked as a duplicate of this bug. ***

Comment 3 Akriti Gupta 2022-10-18 09:15:08 UTC
Verified on v4.11.1-42

VM can be successfully started

[akrgupta@fedora ~]$ oc get vm
NAME            AGE     STATUS         READY
vm-rhel86-ocs   4m36s   Provisioning   False
[akrgupta@fedora ~]$ oc get vmi
NAME            AGE     PHASE     IP             NODENAME                             READY
vm-rhel86-ocs   52s     Running   10.128.2.82    virt-akr-411b-w4wf7-worker-0-n4l8l   True
[akrgupta@fedora ~]$ virtctl migrate vm-rhel86-ocs
VM vm-rhel86-ocs was scheduled to migrate
[akrgupta@fedora ~]$ oc get vmi
NAME            AGE     PHASE     IP             NODENAME                             READY
vm-rhel86-ocs   2m49s   Running   10.129.2.79    virt-akr-411b-w4wf7-worker-0-tk2ph   True

Comment 4 Akriti Gupta 2022-10-19 11:31:52 UTC
1) Created new namespace - it has default labels:
[akrgupta@fedora ~]$ oc describe ns namespace-sample
Name:         namespace-sample
Labels:       kubernetes.io/metadata.name=namespace-sample
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/audit-version=v1.24
              pod-security.kubernetes.io/warn=restricted
              pod-security.kubernetes.io/warn-version=v1.24
2) Created and started VM in this namespace - labels updated:
[akrgupta@fedora ~]$ oc describe ns namespace-sample
Name:         namespace-sample
Labels:       kubernetes.io/metadata.name=namespace-sample
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/audit-version=v1.24
              pod-security.kubernetes.io/enforce=privileged
              pod-security.kubernetes.io/warn=restricted
              pod-security.kubernetes.io/warn-version=v1.24
              security.openshift.io/scc.podSecurityLabelSync=false

3) Removed VM - labels still the same (not reverted back):
[akrgupta@fedora ~]$ oc delete vm vm-rhel86-ocs
virtualmachine.kubevirt.io "vm-rhel86-ocs" deleted
[akrgupta@fedora ~]$ oc get vm
No resources found in namespace-sample namespace.
[akrgupta@fedora ~]$ oc describe ns namespace-sample
Name:         namespace-sample
Labels:       kubernetes.io/metadata.name=namespace-sample
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/audit-version=v1.24
              pod-security.kubernetes.io/enforce=privileged
              pod-security.kubernetes.io/warn=restricted
              pod-security.kubernetes.io/warn-version=v1.24
              security.openshift.io/scc.podSecurityLabelSync=false

PSA feature gate is present
[akrgupta@fedora ~]$ oc get kv -n openshift-cnv kubevirt-kubevirt-hyperconverged -o json | grep -A 15 "featureGates"
                "featureGates": [
                    "DataVolumes",
                    "SRIOV",
                    "CPUManager",
                    "CPUNodeDiscovery",
                    "Snapshot",
                    "HotplugVolumes",
                    "ExpandDisks",
                    "GPU",
                    "HostDevices",
                    "DownwardMetrics",
                    "NUMA",
                    "LiveMigration",
                    "PSA",
                    "WithHostModelCPU",
                    "HypervStrictCheck",
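One way to audit a cluster for the state step 3 above describes (the `enforce=privileged` and `scc.podSecurityLabelSync=false` labels outliving the VM), as an added example that is not part of the bug report or of KubeVirt: it reads the JSON that `oc get ns -o json` and `oc get vmi -A -o json` emit, and the sample objects below are constructed, not captured from a cluster.

```python
"""Find namespaces still carrying KubeVirt's PSA override but hosting no VMI."""
import json

ENFORCE = "pod-security.kubernetes.io/enforce"
LABEL_SYNC = "security.openshift.io/scc.podSecurityLabelSync"


def kubevirt_override(labels):
    """True when the namespace carries the label pair the PSA feature gate
    writes on VM start: enforce=privileged plus SCC label sync switched off."""
    return labels.get(ENFORCE) == "privileged" and labels.get(LABEL_SYNC) == "false"


def stale_privileged_namespaces(ns_list, vmi_list):
    """Namespaces with the override but no VirtualMachineInstance left in them,
    i.e. the post-`oc delete vm` state shown in the comment above."""
    with_vmis = {v["metadata"]["namespace"] for v in vmi_list["items"]}
    return sorted(
        ns["metadata"]["name"]
        for ns in ns_list["items"]
        if kubevirt_override(ns["metadata"].get("labels", {}))
        and ns["metadata"]["name"] not in with_vmis
    )


def revert_patch():
    """JSON merge patch removing both labels (null deletes a label), so the
    namespace falls back to the cluster default and label sync resumes.
    Apply with: oc patch ns <name> --type=merge -p "$(python3 this.py)"."""
    return json.dumps({"metadata": {"labels": {ENFORCE: None, LABEL_SYNC: None}}})


def _ns(name, extra):
    # Constructed namespace object with the default OCP 4.12 PSA labels plus `extra`.
    labels = {"kubernetes.io/metadata.name": name,
              "pod-security.kubernetes.io/audit": "restricted",
              "pod-security.kubernetes.io/audit-version": "v1.24",
              "pod-security.kubernetes.io/warn": "restricted",
              "pod-security.kubernetes.io/warn-version": "v1.24", **extra}
    return {"metadata": {"name": name, "labels": labels}}


OVERRIDE = {ENFORCE: "privileged", LABEL_SYNC: "false"}
SAMPLE_NS = {"items": [
    _ns("namespace-sample", OVERRIDE),                 # VM deleted, labels left behind
    _ns("vm-running", OVERRIDE),                       # override still backed by a VMI
    _ns("admin-privileged", {ENFORCE: "privileged"}),  # admin-set, label sync untouched
    _ns("untouched", {}),
]}
SAMPLE_VMIS = {"items": [{"metadata": {"name": "vm-rhel86-ocs", "namespace": "vm-running"}}]}

if __name__ == "__main__":
    for name in stale_privileged_namespaces(SAMPLE_NS, SAMPLE_VMIS):
        print(f"{name}: PSA override left behind; revert with {revert_patch()}")
```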

Comment 13 errata-xmlrpc 2022-12-01 21:12:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.11.1 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8750