Description of problem:
When logged in as unprivileged client getting 403 Forbidden when trying to get guest agent data:

$ virtctl guestosinfo rhel-8-3
{"component":"","level":"error","msg":"Cannot retrieve GuestOSInfo: unknown","pos":"vmi.go:449","timestamp":"2021-07-21T15:37:27.313829Z"}
Error getting guestosinfo of VirtualMachine rhel-8-3, unknown HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"virtualmachineinstances.subresources.kubevirt.io \"win-10-1627077454-9172375\" is forbidden: User \"unprivileged-user\" cannot get resource \"virtualmachineinstances/guestosinfo\" in API group \"subresources.kubevirt.io\" in the namespace \"supported-os-common-templates-windows-test-windows-os-support\"","reason":"Forbidden","details":{"name":"win-10-1627077454-9172375","group":"subresources.kubevirt.io","kind":"virtualmachineinstances"},"code":403}

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Log in as unprivileged client and create VM with guest agent
2. Try to get guest agent data - virtctl guestosinfo <vm_name> or oc describe vmi

Actual results:
Fails with 403 Forbidden

Expected results:
Will get data from guest agent

Additional info:
This doesn't happen with admin client.
Looking into our rbac role it does not look like we ever added this endpoint. Therefore I don't think that unprivileged clients could ever access it. On a quick glance it looks like it should be added to the `kubevirt.io:edit` and `kubevirt.io:view` roles.
https://github.com/kubevirt/kubevirt/pull/6147 Itamar, would be great if you could review the PR. I took it since there is some test refactoring necessary.
To verify: follow steps to reproduce.
Verified with build HCO: v4.9.0-144

Steps:
1. Create unprivileged user with clusterrole ... - virtualmachineinstances/guestosinfo ...
2. Create a VM with guest agent installed.
3. Start the VM using the unprivileged user.
4. $ virtctl guestosinfo vm-rhel
{
  "guestAgentVersion": "5.1.0",
  "supportedCommands": [ { "name": "guest-get-osinfo", "enabled": true }, { "name": "guest-get-timezone", "enabled": true }, { "name": "guest-get-users", "enabled": true }, { "name": "guest-get-host-name", "enabled": true }, { "name": "guest-exec", "enabled": true }, { "name": "guest-exec-status", "enabled": true }, { "name": "guest-get-memory-block-info", "enabled": true }, { "name": "guest-set-memory-blocks", "enabled": true }, { "name": "guest-get-memory-blocks", "enabled": true }, { "name": "guest-set-user-password", "enabled": true }, { "name": "guest-get-fsinfo", "enabled": true }, { "name": "guest-set-vcpus", "enabled": true }, { "name": "guest-get-vcpus", "enabled": true }, { "name": "guest-network-get-interfaces", "enabled": true }, { "name": "guest-suspend-hybrid", "enabled": true }, { "name": "guest-suspend-ram", "enabled": true }, { "name": "guest-suspend-disk", "enabled": true }, { "name": "guest-fstrim", "enabled": true }, { "name": "guest-fsfreeze-thaw", "enabled": true }, { "name": "guest-fsfreeze-freeze-list", "enabled": true }, { "name": "guest-fsfreeze-freeze", "enabled": true }, { "name": "guest-fsfreeze-status", "enabled": true }, { "name": "guest-file-flush", "enabled": true }, { "name": "guest-file-seek", "enabled": true }, { "name": "guest-file-write", "enabled": true }, { "name": "guest-file-read", "enabled": true }, { "name": "guest-file-close", "enabled": true }, { "name": "guest-file-open", "enabled": true }, { "name": "guest-shutdown", "enabled": true }, { "name": "guest-info", "enabled": true }, { "name": "guest-set-time", "enabled": true }, { "name": "guest-get-time", "enabled": true }, { "name": "guest-ping", "enabled": true }, { "name": "guest-sync", "enabled": true }, { "name": "guest-sync-delimited", "enabled": true } ],
  "hostname": "vm-rhel",
  "os": { "name": "Fedora", "kernelRelease": "5.9.11-200.fc33.x86_64", "version": "33 (Cloud Edition)", "prettyName": "Fedora 33 (Cloud Edition)", "versionId": "33", "kernelVersion": "#1 SMP Tue Nov 24 18:18:01 UTC 2020", "machine": "x86_64", "id": "fedora" },
  "timezone": "UTC, 0",
  "fsInfo": { "disks": [ { "diskName": "sda1", "mountPoint": "/", "fileSystemType": "ext4", "usedBytes": 1508929536, "totalBytes": 3927900160 } ] }
}
$ oc whoami
tester

Moving to verified.
> > Steps to Reproduce:
> 1. Log in as unprivileged client and create VM with guest agent
> 2. Try to get guest agent data - virtctl guestosinfo <vm_name> or oc describe
> vmi

Are you sure that `oc describe vm <myvm>` is affected too? As far as I can see it has the right permissions on the default view role to get/list/watch VMs. Can it be that only `virtctl guestosinfo` is affected?
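To show why `oc describe vmi` can succeed under the view role while `virtctl guestosinfo` is refused by the same role, here is an added Go example (not KubeVirt's or Kubernetes' own code) that applies the RBAC rule-matching convention for subresources to a constructed approximation of the view role before and after the guestosinfo rule is added. The role contents, `Rule`/`Request` types and `Allowed` helper are assumptions for illustration, not copied from the project.

```go
package main

import "fmt"

// Rule mirrors one entry of a Kubernetes ClusterRole's rules list.
type Rule struct{ APIGroups, Resources, Verbs []string }
// Request is one authorization question: verb on apiGroup/resource[/subresource].
type Request struct{ Verb, APIGroup, Resource, Subresource string }
func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}
// resourceMatches follows the RBAC convention: a rule naming "virtualmachineinstances" does not
// cover "virtualmachineinstances/guestosinfo"; the rule must name the combined form, "*", or "*/guestosinfo".
func resourceMatches(rule Rule, req Request) bool {
	combined := req.Resource
	if req.Subresource != "" {
		combined += "/" + req.Subresource
	}
	for _, r := range rule.Resources {
		if r == "*" || r == combined || (req.Subresource != "" && len(r) > 2 && r[:2] == "*/" && r[2:] == req.Subresource) {
			return true
		}
	}
	return false
}
// Allowed reports whether any rule grants the request (RBAC is additive: no matching rule means deny).
func Allowed(rules []Rule, req Request) bool {
	for _, rule := range rules {
		if contains(rule.Verbs, req.Verb) && contains(rule.APIGroups, req.APIGroup) && resourceMatches(rule, req) {
			return true
		}
	}
	return false
}
// ViewRole is a constructed approximation of kubevirt.io:view before the fix: it can read VMs and
// VMIs in the kubevirt.io group but names nothing under subresources.kubevirt.io.
var ViewRole = []Rule{{APIGroups: []string{"kubevirt.io"}, Resources: []string{"virtualmachines", "virtualmachineinstances"}, Verbs: []string{"get", "list", "watch"}}}
// FixedViewRole adds the rule the fix introduces: get on the guestosinfo subresource.
var FixedViewRole = append([]Rule{ViewRole[0]}, Rule{APIGroups: []string{"subresources.kubevirt.io"}, Resources: []string{"virtualmachineinstances/guestosinfo"}, Verbs: []string{"get"}})
// GuestOSInfo is the request `virtctl guestosinfo` makes to the API server.
var GuestOSInfo = Request{"get", "subresources.kubevirt.io", "virtualmachineinstances", "guestosinfo"}

func main() {
	fmt.Println(Allowed(ViewRole, GuestOSInfo), Allowed(FixedViewRole, GuestOSInfo)) // false true
}
```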
A backport for 4.8 can be found at https://github.com/kubevirt/kubevirt/pull/6401. Let me know when you want it for a z release.
Thanks Roman, I've updated the BZs for stable branches.
https://bugzilla.redhat.com/show_bug.cgi?id=1987262 is the tracker for 2.6.7
https://bugzilla.redhat.com/show_bug.cgi?id=1997017 is the tracker for 4.8.3
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.9.0 Images security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4104