This bug was initially created as a copy of Bug #1983079

I am copying this bug because:

Description of problem:
1) An empty or missing "permittedHostDevices" section in the HCO CR allows any hostdevice in the VM spec.
2) It appears that the validation of the VM spec's hostdevice is done only after we add the first entry under the "permittedHostDevices" section in the HCO CR.

Version-Release number of selected component (if applicable):
CNV-4.8.0

How reproducible:
Without adding any entry about "permittedHostDevices" in the HCO CR, create a VMI spec with any random hostdevice name.

Steps to Reproduce:
1. Create a VM with a hostdevice, with no "permittedHostDevices" section in the HCO CR.
2. Creation of the VM with the hostdevice is allowed.
3. (Of course the VM would then be in a PENDING state.)

Actual results:
1) An empty or missing "permittedHostDevices" section in the HCO CR should deny all hostdevices by default.
2) It appears that the validation of the VM spec's hostdevice is done only after we add the first entry under the "permittedHostDevices" section in the HCO CR.

Expected results:
Even if the "permittedHostDevices" section is missing from the HCO CR, VM creation with "Any" HostDevice should be denied with the below message.

Message: "admission webhook .* denied the request: HostDevice {GPU_DEVICE_NAME} is not permitted .*"

Additional info:
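The following is an added, stand-alone model of the admission check this report asks for; it is not KubeVirt's or HCO's own code. It reads the two structures the report refers to (the HCO CR's spec.permittedHostDevices, with its pciHostDevices and mediatedDevices lists, and a VM's spec.domain.devices gpus/hostDevices entries, which are real field names in those APIs) as plain Python dicts, so it runs offline without a cluster. The function names, the reconstructed "buggy" short-circuit that reproduces the behaviour described in the report (validation skipped while the permitted list is empty), and the sample VM/HCO fragments are all assumptions made for this example; the sample values are taken from the verification comment below.

```python
"""Model of KubeVirt/HCO host-device admission: default-deny vs. the reported bug.

Hypothetical code written for this bug page; not the project's implementation.
"""
from typing import Dict, List, Optional, Set

# Constructed sample data, mirroring the fragments posted in the report.
VM_SPEC: Dict = {
    "domain": {
        "devices": {
            "disks": [
                {"disk": {"bus": "virtio"}, "name": "datavolumedisk1"},
                {"disk": {"bus": "virtio"}, "name": "cloudinitdisk"},
            ],
            "gpus": [{"deviceName": "nvidia.com/TU104GL_Tesla_T4", "name": "gpu1"}],
        }
    }
}

# HCO CR spec.permittedHostDevices as posted: the resourceName differs from the
# GPU the VM asks for, so the VM must be denied.
HCO_MISMATCH: Dict = {
    "pciHostDevices": [
        {"pciDeviceSelector": "10de:1eb8", "resourceName": "nvidia.com/T4U_Tesla_T4"}
    ]
}

# Assumed corrected CR whose resourceName matches the VM request.
HCO_MATCH: Dict = {
    "pciHostDevices": [
        {"pciDeviceSelector": "10de:1eb8", "resourceName": "nvidia.com/TU104GL_Tesla_T4"}
    ]
}


def permitted_resource_names(permitted_host_devices: Optional[Dict]) -> Set[str]:
    """Collect every resourceName the HCO CR allows. Missing/empty section -> empty set."""
    names: Set[str] = set()
    if not permitted_host_devices:
        return names
    for key in ("pciHostDevices", "mediatedDevices"):
        for entry in permitted_host_devices.get(key) or []:
            name = entry.get("resourceName")
            if name:
                names.add(name)
    return names


def _requested_device_names(vm_spec: Dict) -> List[str]:
    """Device names a VM requests via spec.domain.devices.gpus / .hostDevices."""
    devices = vm_spec.get("domain", {}).get("devices", {})
    requested: List[str] = []
    for kind in ("gpus", "hostDevices"):
        for dev in devices.get(kind) or []:
            requested.append(dev.get("deviceName", ""))
    return requested


def validate_host_devices(vm_spec: Dict, permitted_host_devices: Optional[Dict]) -> List[str]:
    """Expected (default-deny) behaviour: return one denial message per device that is
    not listed in the HCO CR. An empty list means the VM is admitted. A missing or
    empty permittedHostDevices section therefore denies every host device."""
    allowed = permitted_resource_names(permitted_host_devices)
    return [
        f"HostDevice {name} is not permitted in permittedHostDevices configuration"
        for name in _requested_device_names(vm_spec)
        if name not in allowed
    ]


def validate_host_devices_buggy(vm_spec: Dict, permitted_host_devices: Optional[Dict]) -> List[str]:
    """Reconstruction (assumed shape) of the reported bug: validation only happens once the
    permitted list has at least one entry, so an empty list admits anything."""
    allowed = permitted_resource_names(permitted_host_devices)
    if not allowed:  # the faulty short-circuit: "nothing configured, nothing to check"
        return []
    return validate_host_devices(vm_spec, permitted_host_devices)


if __name__ == "__main__":
    for label, cr in (("missing", None), ("empty", {}), ("mismatch", HCO_MISMATCH), ("match", HCO_MATCH)):
        print(f"{label:9s} fixed={validate_host_devices(VM_SPEC, cr)!r} "
              f"buggy={validate_host_devices_buggy(VM_SPEC, cr)!r}")
```

The point the report makes is visible in the "missing" and "empty" rows: the default-deny check produces a denial with no configuration at all, while the reconstructed buggy variant admits the VM and leaves it to sit in PENDING once the scheduler cannot find the resource.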
VERIFIED with container-native-virtualization/virt-operator/images/v4.9.4-7

VMI status condition:
  Message: failed to render launch manifest: GPU nvidia.com/TU104GL_Tesla_T4 is not permitted in permittedHostDevices configuration
  Reason: FailedPvcNotFound
  Status: False
  Type: Synchronized

VM spec:
spec:
  domain:
    cpu:
      cores: 1
      sockets: 1
      threads: 1
    devices:
      disks:
      - disk:
          bus: virtio
        name: datavolumedisk1
      - disk:
          bus: virtio
        name: cloudinitdisk
      gpus:
      - deviceName: nvidia.com/TU104GL_Tesla_T4
        name: gpu1

-----------

HCO CR spec:
spec:
  certConfig:
    ca:
      duration: 48h0m0s
      renewBefore: 24h0m0s
    server:
      duration: 24h0m0s
      renewBefore: 12h0m0s
  featureGates:
    sriovLiveMigration: true
    withHostPassthroughCPU: false
  infra: {}
  liveMigrationConfig:
    completionTimeoutPerGiB: 800
    parallelMigrationsPerCluster: 5
    parallelOutboundMigrationsPerNode: 2
    progressTimeout: 150
  permittedHostDevices:
    pciHostDevices:
    - pciDeviceSelector: 10de:1eb8
      resourceName: nvidia.com/T4U_Tesla_T4
  workloads: {}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Virtualization 4.9.4 Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:1596