Bug 2063540 - [CNV-4.11] Authorization Failed When Cloning Source Namespace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: SSP
Version: 4.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 4.11.0
Assignee: Andrej Krejcir
QA Contact: Geetika Kapoor
URL:
Whiteboard:
Duplicates: 2066223
Depends On:
Blocks:
Reported: 2022-03-13 14:22 UTC by Mor Cohen
Modified: 2023-11-13 08:14 UTC (History)

Fixed In Version: kubevirt-ssp-operator-container-v4.11.0-11
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-14 19:29:09 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | kubevirt ssp-operator pull 326 | 0 | None | Merged | Remove `GoldenImagesNSname` constant from `api` submodule | 2022-03-21 09:51:02 UTC
Red Hat Issue Tracker | CNV-16894 | 0 | None | None | None | 2023-11-13 08:14:15 UTC
Red Hat Product Errata | RHSA-2022:6526 | 0 | None | None | None | 2022-09-14 19:29:25 UTC

Description Mor Cohen 2022-03-13 14:22:24 UTC
Description of problem:
Getting the following response when trying to create a vm using the smoke tests from cnv-tests repository https://code.engineering.redhat.com/gerrit/admin/repos/cnv-tests.

{
	"kind": "Status",
	"apiVersion": "v1",
	"metadata": {},
	"status": "Failure",
	"message": "admission webhook \"virtualmachine-validator.kubevirt.io\" denied the request: Authorization failed, message is: User system:serviceaccount:ssp-supported-os-common-templates-rhel-test-rhel-os-support:default has insufficient permissions in clone source namespace openshift-virtualization-os-images",
	"reason": "Invalid",
	"details": {
		"causes": [{
			"reason": "FieldValueInvalid",
			"message": "Authorization failed, message is: User system:serviceaccount:ssp-supported-os-common-templates-rhel-test-rhel-os-support:default has insufficient permissions in clone source namespace openshift-virtualization-os-images",
			"field": "spec.dataVolumeTemplates[0]"
		}]
	}
}

A build with some logs: https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/job/verify-cnv-4.11.z-build/56/consoleFull

How reproducible:
100

Steps to Reproduce:
1. Install CNV-v4.11.0-108 from iib:192344.

Actual results:


Expected results:


Additional info:

Comment 1 Dominik Holler 2022-03-14 10:09:43 UTC
Is the behavior reproducible in 4.10?

Comment 2 Mor Cohen 2022-03-15 12:08:39 UTC
No, this behavior is not reproducible in 4.10.
Just on 4.11 - and it's still reproducible (validated again).

Comment 3 Andrej Krejcir 2022-03-18 11:34:17 UTC
This bug may have been caused by a change in SSP that caused the d/s build to be incorrect.

This PR should fix it: https://github.com/kubevirt/ssp-operator/pull/326
A d/s patch will be needed too.

Comment 6 Andrej Krejcir 2022-03-21 14:20:23 UTC
*** Bug 2066223 has been marked as a duplicate of this bug. ***

Comment 7 Mor Cohen 2022-03-23 11:53:23 UTC
Can verify that the bug is not hitting again on RHEL8 builds.
Will fully verify when I see that RHEL9 builds are also passing, just to make sure.

Comment 8 Mor Cohen 2022-03-24 07:25:54 UTC
Alright, after a few GREEN builds of RHEL9-based CNV-4.11, I can verify that we don't get this issue anymore.
Thanks!

Comment 11 errata-xmlrpc 2022-09-14 19:29:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.11.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6526

