Bug 2068147 - [cnv 4.9] No "permittedHostDevices" section in HCO CR, allows any hostdevice in the VM spec.
Summary: [cnv 4.9] No "permittedHostDevices" section in HCO CR, allows any hostdevice ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Virtualization
Version: 4.9.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.9.4
Assignee: ffossemo
QA Contact: Kedar Bidarkar
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-03-24 14:35 UTC by Kedar Bidarkar
Modified: 2022-04-26 16:54 UTC (History)
2 users (show)

Fixed In Version: virt-operator-container-v4.9.4-5 hco-bundle-registry-container-v4.9.4-47
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-26 16:54:31 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github kubevirt kubevirt pull 7448 0 None Merged [release-0.44] move host device validation to happen on pod creation 2022-04-05 12:17:01 UTC
Red Hat Product Errata RHEA-2022:1596 0 None None None 2022-04-26 16:54:46 UTC

Description Kedar Bidarkar 2022-03-24 14:35:06 UTC
This bug was initially created as a copy of Bug #1983079

I am copying this bug because: 



Description of problem:

1) Empty or No "permittedHostDevices" section in HCO CR, allows any hostdevice in the VM spec.

2) It appears that the validation of the vm specs hostdevice is done, only after we add the first entry under "permittedHostDevices" section in HCO CR.

Version-Release number of selected component (if applicable):
CNV-4.8.0

How reproducible:
Without adding any entry about "permittedHostDevices" in HCO CR, 
create a VMI spec with any random hostdevices name.

Steps to Reproduce:
1. Create a VM with hostdevice, with no "permittedHostDevices" section in HCO CR
2. Creation of the VM witht he hostdevice is allowed.
3. ( Ofcourse the VM would then be in a PENDING state )

Actual results:

1) Empty or No "permittedHostDevices" section in HCO CR, should deny all hostdevices, by default.

2) It appears that the validation of the vm specs hostdevice is done, only after we add the first entry under "permittedHostDevices" section in HCO CR.

Expected results:

Even if the  "permittedHostDevices" section is missing from HCO CR
The VM creation with "Any" HostDevice should be denied with the below message.

Message: "admission webhook .* denied the request: HostDevice {GPU_DEVICE_NAME} is not permitted .*"

Additional info:

Comment 1 Kedar Bidarkar 2022-04-19 10:28:19 UTC
VERIFIED with, container-native-virtualization/virt-operator/images/v4.9.4-7

Message:               failed to render launch manifest: GPU nvidia.com/TU104GL_Tesla_T4 is not permitted in permittedHostDevices configuration
    Reason:                FailedPvcNotFound
    Status:                False
    Type:                  Synchronized

spec:
  domain:
    cpu:
      cores: 1
      sockets: 1
      threads: 1
    devices:
      disks:
      - disk:
          bus: virtio
        name: datavolumedisk1
      - disk:
          bus: virtio
        name: cloudinitdisk
      gpus:
      - deviceName: nvidia.com/TU104GL_Tesla_T4
        name: gpu1

-----------

spec:
  certConfig:
    ca:
      duration: 48h0m0s
      renewBefore: 24h0m0s
    server:
      duration: 24h0m0s
      renewBefore: 12h0m0s
  featureGates:
    sriovLiveMigration: true
    withHostPassthroughCPU: false
  infra: {}
  liveMigrationConfig:
    completionTimeoutPerGiB: 800
    parallelMigrationsPerCluster: 5
    parallelOutboundMigrationsPerNode: 2
    progressTimeout: 150
  permittedHostDevices:
    pciHostDevices:
    - pciDeviceSelector: 10de:1eb8
      resourceName: nvidia.com/T4U_Tesla_T4
  workloads: {}

Comment 7 errata-xmlrpc 2022-04-26 16:54:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Virtualization 4.9.4 Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1596


Note You need to log in before you can comment on or make changes to this bug.