Description of problem: HCO operator creates a cr of kind 'kubevirt' in namespace openshift-cnv. Later on this resource is the owner of the non-namespaced CRDS : v2vvmwares.kubevirt.io virtualmachineinstancemigrations.kubevirt.io virtualmachineinstancepresets.kubevirt.io virtualmachineinstancereplicasets.kubevirt.io virtualmachineinstances.kubevirt.io virtualmachines.kubevirt.io This can lead to deletion of cross-namespace resources by K8S. See Bug 1693905 (CVE-2019-3884) - CVE-2019-3884 atomic-openshift: cross-namespace owner references can trigger deletions of valid children Version-Release number of selected component (if applicable): 2.2.0 How reproducible: Steps to Reproduce: 1. Install CNV 2. 3. Actual results: Expected results: Additional info:
I believe this could be the root cause of bug 1785661.
isnt this a dup or the root cause of https://bugzilla.redhat.com/show_bug.cgi?id=1782241?
We don't know it for sure..
verify with build: Client Version: 4.3.0-0.nightly-2020-01-15-025207 Server Version: 4.3.0-0.nightly-2020-01-15-025207 Kubernetes Version: v1.16.2 step : 1. deploy OCP4.3+CNV2.2 2. check crds $ oc describe crds virtualmachines.kubevirt.io Metadata: Creation Timestamp: 2020-01-15T10:24:47Z Generation: 1 Resource Version: 21344 Self Link: /apis/apiextensions.k8s.io/v1/customresourcedefinitions/virtualmachines.kubevirt.io UID: bdb6bbcf-a4b8-40b4-8c3c-a8c30e5b897f there is no "Owner References:" here check all crds: v2vvmwares.kubevirt.io virtualmachineinstancemigrations.kubevirt.io virtualmachineinstancepresets.kubevirt.io virtualmachineinstancereplicasets.kubevirt.io virtualmachineinstances.kubevirt.io no owner references now. move to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:0307