Description of problem:
VMExport: export pod is not PSA compliant

Version-Release number of selected component (if applicable):
4.12.0

How reproducible:
Always

Steps to Reproduce:
1. Create a VM
2. Create a VMExport object

Actual results:
E1023 15:51:16.640185 1 util.go:72] pods "virt-export-vme-test-whttslbd8wvd" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "vme-test-whttslbd8wvd" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "vme-test-whttslbd8wvd" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "vme-test-whttslbd8wvd" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Expected results:
exporter pod created
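
Added example, not part of the original report and not KubeVirt code: a small checker that reproduces the three findings quoted in the error above, so a pod spec can be checked before it is submitted to a namespace enforcing the "restricted" profile. The container name `exporter` and both sample specs are constructed for illustration.

```python
import json

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

# Constructed pod specs (not taken from KubeVirt): BEFORE sets none of the
# three fields, AFTER sets seccomp at pod level and the rest per container.
BEFORE = json.loads('{"containers": [{"name": "exporter"}]}')
AFTER = json.loads("""{
  "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{"name": "exporter", "securityContext": {
      "allowPrivilegeEscalation": false,
      "capabilities": {"drop": ["ALL"]}}}]
}""")


def violations(pod_spec):
    """Return (container, finding) pairs for the three checks in the error.

    Covers only allowPrivilegeEscalation, capabilities.drop and seccompProfile;
    the full "restricted" profile has further requirements not modelled here.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = pod_sc.get("seccompProfile") or {}
    found = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        # Must be explicitly false: an absent field does not satisfy the check.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append((c["name"], "allowPrivilegeEscalation != false"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append((c["name"], "unrestricted capabilities"))
        # A container-level seccompProfile overrides the pod-level one.
        seccomp = sc.get("seccompProfile") or pod_seccomp
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            found.append((c["name"], "seccompProfile"))
    return found


if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, violations(spec) or "no findings for these three checks")
```
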
@akalenyu opened a PR to fix this: https://github.com/kubevirt/kubevirt/pull/8652
Verified on CNV-v4.12.0-665

Create a VM and stop it:

$ oc create -f vm-ocs.yaml
virtualmachine.kubevirt.io/vm-cirros-source-ocs created

$ oc get vm -A
NAMESPACE   NAME                   AGE   STATUS    READY
default     vm-cirros-source-ocs   28s   Running   True

$ virtctl stop vm-cirros-source-ocs
VM vm-cirros-source-ocs was scheduled to stop

Create a token:

$ cat token.yaml
apiVersion: v1
kind: Secret
metadata:
  name: virt-export-token
data:
  token: bXl0b2tlbg==

$ oc create -f token.yaml
secret/virt-export-token created

Create VMExport:

$ cat vmexport-vm.yaml
apiVersion: export.kubevirt.io/v1alpha1
kind: VirtualMachineExport
metadata:
  name: export-vm-object
spec:
  source:
    apiGroup: "kubevirt.io"
    kind: VirtualMachine
    name: vm-cirros-source-ocs
  tokenSecretRef: virt-export-token

$ oc create -f vmexport-vm.yaml
virtualmachineexport.export.kubevirt.io/export-vm-object created

$ oc get vmexport
NAME               SOURCEKIND       SOURCENAME             PHASE
export-vm-object   VirtualMachine   vm-cirros-source-ocs   Ready

$ oc get pods
NAME                           READY   STATUS    RESTARTS   AGE
virt-export-export-vm-object   1/1     Running   0          14s
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:0408