Bug 1666704 - virtctl restart doesn't work because of wrongly configured RBAC
Summary: virtctl restart doesn't work because of wrongly configured RBAC
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Virtualization
Version: 1.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 1.4
Assignee: Marc Sluiter
QA Contact: zhe peng
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-16 12:10 UTC by Marc Sluiter
Modified: 2019-02-26 10:28 UTC (History)

Fixed In Version: kubevirt-0.13.2-1.ge1ce9da.6d86849 virt-api-container-v1.4.0-15 virt-controller-container-v1.4.0-15 virt-handler-container-v1.4.0-15 virt-launcher-container-v1.4.0-15 virt-operator-container-v1.4.0-7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-26 10:28:24 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2019:0418 | 0 | None | None | None | 2019-02-26 10:28:26 UTC

Description Marc Sluiter 2019-01-16 12:10:04 UTC
Description of problem:

virtctl restart doesn't work because of wrongly configured RBAC

Comment 1 Marc Sluiter 2019-01-16 12:22:48 UTC
A fix is on its way, see https://github.com/kubevirt/kubevirt/pull/1942

Comment 2 Marc Sluiter 2019-01-17 09:41:53 UTC
How to reproduce on OpenShift:

1. Create a user with edit role:
$ oc create user foo
$ oc adm policy add-cluster-role-to-user edit foo

2. Login with that user and create and start any VM:
$ oc login -u foo -p ...
$ oc apply -f ./cluster/examples/vm-cirros.yaml
$ ./virtctl start vm-cirros

3. Try to restart that VM
$ ./virtctl restart vm-cirros
Error restarting VirtualMachine virtualmachines.subresources.kubevirt.io "vm-cirros" is forbidden: User "foo" cannot update virtualmachines.subresources.kubevirt.io/restart in the namespace "default": no RBAC policy matched

Expected:
$ ./virtctl restart vm-cirros
VM vm-cirros was scheduled to restart
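
Added example, not part of the bug report or of KubeVirt's code: a Python check that parses the denial message from step 3 into the attributes RBAC evaluates and tests them against a role's rules, following Kubernetes' matching of verb, API group and resource/subresource name. The rule set is constructed for illustration (it is not the role shipped with CNV 1.4), and resourceNames restrictions are not modelled.

```python
import re

# Message copied from step 3 of the reproduction above.
DENIAL = ('User "foo" cannot update virtualmachines.subresources.kubevirt.io/restart '
          'in the namespace "default": no RBAC policy matched')

# Constructed rules for illustration only; NOT the role CNV 1.4 shipped.
CONSTRUCTED_RULES = [
    {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["subresources.kubevirt.io"],
     "resources": ["virtualmachineinstances/console"], "verbs": ["get"]},
]

DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) (?P<resource>[^.\s/]+)'
    r'(?:\.(?P<group>[^/\s]+))?(?:/(?P<sub>\S+))? in the namespace "(?P<ns>[^"]+)"')

def parse_denial(message):
    """Extract the request attributes RBAC evaluated from a 'forbidden' message."""
    m = DENIAL_RE.search(message)
    if m is None:
        raise ValueError("not a namespaced RBAC denial message")
    return {"user": m["user"], "verb": m["verb"], "group": m["group"] or "",
            "resource": m["resource"], "subresource": m["sub"] or "",
            "namespace": m["ns"]}

def combined_resource(req):
    """RBAC names a subresource as 'resource/subresource'."""
    sub = req["subresource"]
    return req["resource"] + ("/" + sub if sub else "")

def rule_allows(rule, req):
    """A rule matches only if verb, API group and resource all match."""
    sub = req["subresource"]
    verb_ok = "*" in rule["verbs"] or req["verb"] in rule["verbs"]
    group_ok = "*" in rule["apiGroups"] or req["group"] in rule["apiGroups"]
    res_ok = any(r in ("*", combined_resource(req)) or (sub and r == "*/" + sub)
                 for r in rule["resources"])
    return verb_ok and group_ok and res_ok

def missing_grant(message, rules):
    """Return None if a rule allows the denied request, else the narrowest rule that would."""
    req = parse_denial(message)
    if any(rule_allows(rule, req) for rule in rules):
        return None
    return {"apiGroups": [req["group"]], "resources": [combined_resource(req)],
            "verbs": [req["verb"]]}

if __name__ == "__main__":
    print(missing_grant(DENIAL, CONSTRUCTED_RULES))
```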

Comment 3 Israel Pinto 2019-01-20 13:22:09 UTC
@Zhe,

Please add test case for this scenario

Comment 4 zhe peng 2019-01-21 07:03:00 UTC
Done

Comment 6 sgott 2019-01-24 21:45:34 UTC
To reproduce/verify this, follow the steps Marc outlined.

Comment 7 Israel Pinto 2019-01-28 12:58:50 UTC
Version: CNV 1.4 
Steps from: https://bugzilla.redhat.com/show_bug.cgi?id=1666704#c2 
Managed to start VM with other user via virtctl.

Comment 10 errata-xmlrpc 2019-02-26 10:28:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0418

