OpenShift Virtualization / CNV-20531

[2119128] virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24


    • CNV Virtualization Sprint 224, CNV Virtualization Sprint 225
    • Urgent

      Description of problem:
      virt-launcher pod on a regular namespace (not named openshift-*) cannot be started on OCP 4.12.

      In the status of the VMI we see:
      status:
        conditions:
        - lastProbeTime: "2022-08-15T06:40:54Z"
          lastTransitionTime: "2022-08-15T06:40:54Z"
          message: virt-launcher pod has not yet been scheduled
          reason: PodNotExists
          status: "False"
          type: Ready
        - lastProbeTime: null
          lastTransitionTime: "2022-08-15T06:40:54Z"
          message: 'failed to create virtual machine pod: pods "virt-launcher-testvm-6xks9"
            is forbidden: violates PodSecurity "restricted:v1.24": seLinuxOptions (pod and
            container "volumecontainerdisk" set forbidden securityContext.seLinuxOptions:
            type "virt_launcher.process"), allowPrivilegeEscalation != false (containers
            "container-disk-binary", "volumecontainerdisk-init", "compute", "volumecontainerdisk"
            must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
            (containers "container-disk-binary", "volumecontainerdisk-init", "compute",
            "volumecontainerdisk" must set securityContext.capabilities.drop=["ALL"]; container
            "compute" must not include "SYS_NICE" in securityContext.capabilities.add),
            runAsNonRoot != true (pod or containers "container-disk-binary", "compute" must
            set securityContext.runAsNonRoot=true), runAsUser=0 (pod and containers "container-disk-binary",
            "compute" must not set runAsUser=0), seccompProfile (pod or containers "container-disk-binary",
            "volumecontainerdisk-init", "compute", "volumecontainerdisk" must set securityContext.seccompProfile.type
            to "RuntimeDefault" or "Localhost")'
          reason: FailedCreate
          status: "False"
          type: Synchronized
        created: true
        printableStatus: Starting

      Version-Release number of selected component (if applicable):
      CNV 4.12 on OCP 4.12

      How reproducible:
      We are constantly getting this in CI on OCP 4.12.

      Steps to Reproduce:
      1. Try to start a VM on OCP 4.12.

      Actual results:
      https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.12-e2e-azure-upgrade-cnv/1559052348230209536/artifacts/e2e-azure-upgrade-cnv/test/artifacts/cnv-must-gather-vms/registry-redhat-io-container-native-virtualization-cnv-must-gather-rhel8-sha256-37a2b2f102544ec8e953b473f85505e1d999aa5fde09e1385ebfa365fc4aa732/namespaces/vmsns/kubevirt.io/virtualmachines/custom/testvm.yaml

      Expected results:
      no PodSecurity related error for virt-launcher

      Additional info:
      All the logs are available here:
      https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.12-e2e-azure-upgrade-cnv/1559052348230209536/artifacts/e2e-azure-upgrade-cnv/test/artifacts/cnv-must-gather-vms/
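      The error above is the Pod Security Admission plugin rejecting the virt-launcher pod field by field. The checker below is an added example written for this page, not KubeVirt's or Kubernetes' own admission code: it walks a pod spec and reports the same categories of violation the message lists (seLinuxOptions, allowPrivilegeEscalation, capabilities, runAsNonRoot, runAsUser=0, seccompProfile), so a manifest can be checked before it hits the API server. The two manifests in the block are constructed, modelled on the container names and values quoted in the error; the allowed SELinux types and the NET_BIND_SERVICE exception are taken from the Pod Security Standards, not from this issue.

```python
"""Check a pod spec against the fields the PodSecurity "restricted" profile
rejects in the virt-launcher error above.

Example code written for this page; it is not KubeVirt's or Kubernetes'
own admission code. VIOLATING_POD and HARDENED_POD are constructed
manifests modelled on the container names and values in the error message.
"""

# seLinuxOptions.type values the baseline/restricted profiles accept
ALLOWED_SELINUX_TYPES = {"", "container_t", "container_init_t", "container_kvm_t"}
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
# the only capability restricted allows in capabilities.add
ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}


def _containers(spec):
    """Yield (name, container) over init, regular and ephemeral containers."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key, []):
            yield c["name"], c


def restricted_violations(pod):
    """Return human-readable violations; an empty list means the pod passes
    these restricted checks."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = []

    pod_selinux_type = pod_sc.get("seLinuxOptions", {}).get("type", "")
    if pod_selinux_type not in ALLOWED_SELINUX_TYPES:
        found.append(f"pod: seLinuxOptions.type {pod_selinux_type!r} is forbidden")
    if pod_sc.get("runAsUser") == 0:
        found.append("pod: must not set runAsUser=0")

    for name, c in _containers(spec):
        sc = c.get("securityContext", {})

        selinux_type = sc.get("seLinuxOptions", {}).get("type", "")
        if selinux_type not in ALLOWED_SELINUX_TYPES:
            found.append(f"{name}: seLinuxOptions.type {selinux_type!r} is forbidden")

        # must be explicitly false; leaving it unset is a violation
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: must set allowPrivilegeEscalation=false")

        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f'{name}: must set capabilities.drop=["ALL"]')
        for cap in caps.get("add", []):
            if cap not in ALLOWED_CAP_ADD:
                found.append(f"{name}: must not add capability {cap}")

        # a container-level value overrides the pod-level one when present
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: pod or container must set runAsNonRoot=true")
        if sc.get("runAsUser") == 0:
            found.append(f"{name}: must not set runAsUser=0")

        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

    return found


# constructed: reproduces the shape of the rejected virt-launcher pod
VIOLATING_POD = {
    "metadata": {"name": "virt-launcher-testvm-6xks9"},
    "spec": {
        "securityContext": {"seLinuxOptions": {"type": "virt_launcher.process"}},
        "initContainers": [
            {"name": "volumecontainerdisk-init",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]},
                                 "runAsNonRoot": True, "runAsUser": 107}},
        ],
        "containers": [
            {"name": "compute",
             "securityContext": {"runAsUser": 0,
                                 "capabilities": {"add": ["SYS_NICE"]}}},
            {"name": "volumecontainerdisk",
             "securityContext": {"seLinuxOptions": {"type": "virt_launcher.process"},
                                 "runAsUser": 107}},
        ],
    },
}

# constructed: the same pod with every restricted requirement satisfied
HARDENED_POD = {
    "metadata": {"name": "virt-launcher-testvm-6xks9"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "compute",
             "securityContext": {"runAsUser": 107,
                                 "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    },
}

if __name__ == "__main__":
    for pod in (VIOLATING_POD, HARDENED_POD):
        print(pod["metadata"]["name"], restricted_violations(pod) or "OK")
```

      Which profile a namespace enforces comes from its pod-security.kubernetes.io/enforce label (oc get ns vmsns --show-labels shows it), which is why the same pod that starts in an openshift-* namespace is rejected in a regular one.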

              lpivarc Luboslav Pivarc
              stirabos Simone Tiraboschi
              Denys Shchedrivyi Denys Shchedrivyi