Description of problem:
When a template is created from a wizard from the UI, the new template contains the VM spec but it does not contain any metadata / annotations which exist in the original common template which was used as a baseline for the new template. Though the 'parent' template appears in the new template, the validator does not check for constraints which may exist in the parent template. For example - validations. As a result, the user can edit the template, modify a value which violates the validations and a VM will be created.

Version-Release number of selected component (if applicable):
CNV 2.2

How reproducible:
100%

Steps to Reproduce:
1. From the UI, create a template using RHEL8 template (select rhel8.1 from the OS dropdown)
2. Modify the new template - requested memory < RHEL8 minimum required memory (e.g. 500M)
3. Create a VM using the new template

Actual results:
The VM will be created.

Expected results:
The VM should not be created as it violates the minimum memory.

Additional info:
Reference to parent template in the new template.

    metadata:
      ....
      labels:
        ....
        vm.kubevirt.io/template: rhel8-server-small-v0.7.0
        vm.kubevirt.io/template-namespace: openshift
Had a discussion with Tomas about this bug, and I proposed this issue to be handled in the UI by copying validation rules from the parent template to the child template instead of enforcing validations from the parent template. Tomas, is my proposal acceptable to you and can your team handle this bug?
(In reply to Omer Yahud from comment #3)
> Had a discussion with Tomas about this bug, and I proposed this issue to be
> handled in the UI by copying validation rules from the parent template to
> the child template instead of enforcing validations from the parent template.
>
> Tomas, is my proposal acceptable to you and can your team handle this bug?

After an offline discussion with Karel Simon it seems that the templates are not immutable and during update the validations can change. In that case I don't think it is a good idea to copy them over to vm-templates.

@Karel, can you please confirm?
Verified with kubevirt-ssp-operator-container-v2.6.0-35:
The validation annotation is now under the VM object. As such, when a template is created from a common template, this part is copied as-is to the new template. When a VM is created from the custom template, if its spec violates any of the rules, VM creation fails.

    kind: Template
    apiVersion: template.openshift.io/v1
    metadata:
      name: fed-template
      namespace: default
      uid: 791118f5-2c0f-46e1-a822-44ab694191fd
      resourceVersion: '170925'
      creationTimestamp: '2021-01-19T11:56:10Z'
      labels:
        flavor.template.kubevirt.io/small: 'true'
        os.template.kubevirt.io/fedora33: 'true'
        template.kubevirt.io/type: vm
        vm.kubevirt.io/template: fedora-server-small
        vm.kubevirt.io/template.namespace: openshift
        workload.template.kubevirt.io/server: 'true'
      annotations:
        iconClass: icon-fedora
        name.os.template.kubevirt.io/fedora33: Fedora 32 or higher
        template.kubevirt.io/provider: My company
        template.kubevirt.ui/parent-provider: Red Hat
        template.kubevirt.ui/parent-provider-url: 'https://www.fedoraproject.org'
        template.kubevirt.ui/parent-support-level: Community
      managedFields:
        - manager: Mozilla
          operation: Update
          apiVersion: template.openshift.io/v1
          time: '2021-01-19T11:56:10Z'
          fieldsType: FieldsV1
          fieldsV1:
            'f:metadata':
              'f:annotations':
                .: {}
                'f:iconClass': {}
                'f:name.os.template.kubevirt.io/fedora33': {}
                'f:template.kubevirt.io/provider': {}
                'f:template.kubevirt.ui/parent-provider': {}
                'f:template.kubevirt.ui/parent-provider-url': {}
                'f:template.kubevirt.ui/parent-support-level': {}
              'f:labels':
                .: {}
                'f:flavor.template.kubevirt.io/small': {}
                'f:os.template.kubevirt.io/fedora33': {}
                'f:template.kubevirt.io/type': {}
                'f:vm.kubevirt.io/template': {}
                'f:vm.kubevirt.io/template.namespace': {}
                'f:workload.template.kubevirt.io/server': {}
            'f:objects': {}
            'f:parameters': {}
    objects:
      - apiVersion: kubevirt.io/v1alpha3
        kind: VirtualMachine
        metadata:
          annotations:
            vm.kubevirt.io/flavor: small
            vm.kubevirt.io/os: fedora
            vm.kubevirt.io/validations: |
              [
                {
                  "name": "minimal-required-memory",
                  "path": "jsonpath::.spec.domain.resources.requests.memory",
                  "rule": "integer",
                  "message": "This VM requires more memory.",
                  "min": 1073741824
                }
              ]
            vm.kubevirt.io/workload: server
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0799
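
The check described in the verification comment, as an added sketch that is not part of the original thread and not the validator's own code: it evaluates the `vm.kubevirt.io/validations` annotation carried on a VM object and shows that the same 500M request passes when the annotation is absent. Resolving rule paths against `spec.template`, treating a missing field as a violation, and the `make_vm` helper are assumptions of this example.

```python
import json
import re

# Subset of Kubernetes quantity suffixes, enough for memory requests.
SUFFIX = {None: 1, "k": 10**3, "M": 10**6, "G": 10**9,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def parse_quantity(q):
    """Convert a quantity such as '500M' or '1Gi' to a number of bytes."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|k|M|G)?", str(q))
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]

def resolve(obj, path):
    """Walk a 'jsonpath::.a.b.c' path; return None if a key is missing."""
    for key in path.split("::", 1)[-1].strip(".").split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def validate_vm(vm):
    """Return one message per violated 'integer' rule found on the VM object."""
    annotations = vm.get("metadata", {}).get("annotations", {})
    rules = json.loads(annotations.get("vm.kubevirt.io/validations", "[]"))
    failures = []
    for rule in rules:
        if rule.get("rule") != "integer":
            continue  # other rule types are outside this sketch
        # Assumptions: paths resolve against spec.template; a missing field fails.
        value = resolve(vm.get("spec", {}).get("template", {}), rule["path"])
        if value is None or parse_quantity(value) < rule.get("min", 0):
            failures.append(f"{rule['name']}: {rule['message']}")
    return failures

# Constructed sample: the rule is the one quoted in the verification comment.
RULES = json.dumps([{"name": "minimal-required-memory",
                     "path": "jsonpath::.spec.domain.resources.requests.memory",
                     "rule": "integer",
                     "message": "This VM requires more memory.",
                     "min": 1073741824}])

def make_vm(memory, with_rules=True):
    """Build a minimal VM dict (hypothetical helper for the demonstration)."""
    meta = {"annotations": {"vm.kubevirt.io/validations": RULES}} if with_rules else {}
    requests = {"resources": {"requests": {"memory": memory}}}
    return {"metadata": meta, "spec": {"template": {"spec": {"domain": requests}}}}

if __name__ == "__main__":
    print(validate_vm(make_vm("500M")))                    # rule present: rejected
    print(validate_vm(make_vm("500M", with_rules=False)))  # rule lost: nothing to enforce
```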