Bug 2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
Summary: [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restri...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Virtualization
Version: 4.11.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.11.1
Assignee: lpivarc
QA Contact: Akriti Gupta
URL:
Whiteboard:
Duplicates: 2133654
Depends On: 2119128
Blocks: 2089744 2128999 2132015
Reported: 2022-09-22 09:08 UTC by Antonio Cardace
Modified: 2022-12-01 21:12 UTC
CC: 8 users

Fixed In Version: hco-bundle-registry-container-v4.11.1-35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2119128
Clones: 2128999
Environment:
Last Closed: 2022-12-01 21:12:19 UTC
Target Upstream Version:
Embargoed:

Links
System                  | ID                          | Private | Priority | Status | Summary                                    | Last Updated
Github                  | kubevirt kubevirt pull 8518 | 0       | None     | Merged | [release-0.53] Integrate with Pod security | 2022-10-11 12:14:08 UTC
Red Hat Issue Tracker   | CNV-21418                   | 0       | None     | None   | None                                       | 2022-11-29 09:55:52 UTC
Red Hat Product Errata  | RHSA-2022:8750              | 0       | None     | None   | None                                       | 2022-12-01 21:12:40 UTC

Comment 1 Kedar Bidarkar 2022-10-12 11:54:39 UTC
Appears fixed with v4.11.1-29 HCO-Bundle

Comment 2 Kedar Bidarkar 2022-10-12 12:13:13 UTC
*** Bug 2133654 has been marked as a duplicate of this bug. ***

Comment 3 Akriti Gupta 2022-10-18 09:15:08 UTC
Verified on v4.11.1-42

VM can be successfully started

[akrgupta@fedora ~]$ oc get vm
NAME            AGE     STATUS         READY
vm-rhel86-ocs   4m36s   Provisioning   False
[akrgupta@fedora ~]$ oc get vmi
NAME            AGE     PHASE     IP             NODENAME                             READY
vm-rhel86-ocs   52s     Running   10.128.2.82    virt-akr-411b-w4wf7-worker-0-n4l8l   True
[akrgupta@fedora ~]$ virtctl migrate vm-rhel86-ocs
VM vm-rhel86-ocs was scheduled to migrate
[akrgupta@fedora ~]$ oc get vmi
NAME            AGE     PHASE     IP             NODENAME                             READY
vm-rhel86-ocs   2m49s   Running   10.129.2.79    virt-akr-411b-w4wf7-worker-0-tk2ph   True

Comment 4 Akriti Gupta 2022-10-19 11:31:52 UTC
1) Created new namespace - it has default labels:
[akrgupta@fedora ~]$ oc describe ns namespace-sample
Name:         namespace-sample
Labels:       kubernetes.io/metadata.name=namespace-sample
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/audit-version=v1.24
              pod-security.kubernetes.io/warn=restricted
              pod-security.kubernetes.io/warn-version=v1.24
2) Created and started VM in this namespace - labels updated:
[akrgupta@fedora ~]$ oc describe ns namespace-sample
Name:         namespace-sample
Labels:       kubernetes.io/metadata.name=namespace-sample
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/audit-version=v1.24
              pod-security.kubernetes.io/enforce=privileged
              pod-security.kubernetes.io/warn=restricted
              pod-security.kubernetes.io/warn-version=v1.24
              security.openshift.io/scc.podSecurityLabelSync=false

3) Removed VM - labels still the same (not reverted back):
[akrgupta@fedora ~]$ oc delete vm vm-rhel86-ocs
virtualmachine.kubevirt.io "vm-rhel86-ocs" deleted
[akrgupta@fedora ~]$ oc get vm
No resources found in namespace-sample namespace.
[akrgupta@fedora ~]$ oc describe ns namespace-sample
Name:         namespace-sample
Labels:       kubernetes.io/metadata.name=namespace-sample
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/audit-version=v1.24
              pod-security.kubernetes.io/enforce=privileged
              pod-security.kubernetes.io/warn=restricted
              pod-security.kubernetes.io/warn-version=v1.24
              security.openshift.io/scc.podSecurityLabelSync=false


PSA feature gate is present
[akrgupta@fedora ~]$ oc get kv -n openshift-cnv kubevirt-kubevirt-hyperconverged -o json | grep -A 15 "featureGates"
                "featureGates": [
                    "DataVolumes",
                    "SRIOV",
                    "CPUManager",
                    "CPUNodeDiscovery",
                    "Snapshot",
                    "HotplugVolumes",
                    "ExpandDisks",
                    "GPU",
                    "HostDevices",
                    "DownwardMetrics",
                    "NUMA",
                    "LiveMigration",
                    "PSA",
                    "WithHostModelCPU",
                    "HypervStrictCheck",
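
Comment 4 shows that the namespace keeps pod-security.kubernetes.io/enforce=privileged and security.openshift.io/scc.podSecurityLabelSync=false after the VM is deleted. As an added example (not code from this bug report or from KubeVirt), the following Python parses `oc describe ns` output in that format and flags namespaces that still carry those labels but have no running VMI, so an administrator can review whether the relaxed enforce level is still warranted; the sample output and the set of namespaces with VMIs are constructed.

```python
import re

# Label keys KubeVirt sets on the namespace (values as shown in Comment 4).
ENFORCE = "pod-security.kubernetes.io/enforce"
SYNC = "security.openshift.io/scc.podSecurityLabelSync"

# Constructed sample mimicking `oc describe ns` output: one namespace that
# once ran a VM (privileged label left behind), one that never did.
SAMPLE = """Name:         namespace-sample
Labels:       kubernetes.io/metadata.name=namespace-sample
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/enforce=privileged
              pod-security.kubernetes.io/warn=restricted
              security.openshift.io/scc.podSecurityLabelSync=false
Annotations:  <none>
Status:       Active

Name:         team-a
Labels:       kubernetes.io/metadata.name=team-a
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/warn=restricted
"""

def parse_describe_ns(text):
    """Return {namespace: {label: value}} from `oc describe ns` style text."""
    namespaces, current, in_labels = {}, None, False
    for line in text.splitlines():
        m = re.match(r"Name:\s+(\S+)", line)
        if m:
            current, in_labels = m.group(1), False
            namespaces[current] = {}
            continue
        if line.startswith("Labels:"):
            in_labels, line = True, line[len("Labels:"):]
        elif not line.startswith(" "):
            in_labels = False  # next field (Annotations:, Status:, ...) begins
        if in_labels and current and "=" in line:
            key, _, value = line.strip().partition("=")
            namespaces[current][key] = value
    return namespaces

def find_stale_privileged(namespaces, namespaces_with_vmi):
    """Namespaces at enforce=privileged with SCC label sync off but no running VMI."""
    return sorted(
        name for name, labels in namespaces.items()
        if labels.get(ENFORCE) == "privileged"
        and labels.get(SYNC) == "false"
        and name not in namespaces_with_vmi
    )
```

In a real run, feed `oc describe ns` output to parse_describe_ns and pass the namespaces listed by `oc get vmi -A` as the second argument.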

Comment 13 errata-xmlrpc 2022-12-01 21:12:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.11.1 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8750
