-
Bug
-
Resolution: Done-Errata
-
Critical
-
None
-
False
-
-
False
-
CLOSED
-
---
-
---
-
CNV Virtualization Sprint 226
-
Urgent
-
None
+++ This bug was initially created as a clone of Bug #2119128 +++
Description of problem:
virt-launcher pod on a regular namespace (not named openshift-*) cannot be started on OCP 4.12.
On the status on the VMI we see:
status:
conditions:
- lastProbeTime: "2022-08-15T06:40:54Z"
lastTransitionTime: "2022-08-15T06:40:54Z"
message: virt-launcher pod has not yet been scheduled
reason: PodNotExists
status: "False"
type: Ready - lastProbeTime: null
lastTransitionTime: "2022-08-15T06:40:54Z"
message: 'failed to create virtual machine pod: pods "virt-launcher-testvm-6xks9"
is forbidden: violates PodSecurity "restricted:v1.24": seLinuxOptions (pod and
container "volumecontainerdisk" set forbidden securityContext.seLinuxOptions:
type "virt_launcher.process"), allowPrivilegeEscalation != false (containers
"container-disk-binary", "volumecontainerdisk-init", "compute", "volumecontainerdisk"
must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
(containers "container-disk-binary", "volumecontainerdisk-init", "compute",
"volumecontainerdisk" must set securityContext.capabilities.drop=["ALL"]; container
"compute" must not include "SYS_NICE" in securityContext.capabilities.add),
runAsNonRoot != true (pod or containers "container-disk-binary", "compute" must
set securityContext.runAsNonRoot=true), runAsUser=0 (pod and containers "container-disk-binary",
"compute" must not set runAsUser=0), seccompProfile (pod or containers "container-disk-binary",
"volumecontainerdisk-init", "compute", "volumecontainerdisk" must set securityContext.seccompProfile.type
to "RuntimeDefault" or "Localhost")'
reason: FailedCreate
status: "False"
type: Synchronized
created: true
printableStatus: Starting
Version-Release number of selected component (if applicable):
CNV 4.12 on OCP 4.12
How reproducible:
we are constantly getting this on CI on OCP 4.12
Steps to Reproduce:
1. try to start a VM on OCP 4.12
2.
3.
Expected results:
no PodSecurity related error for virt-launcher
Additional info:
All the logs are available here:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.12-e2e-azure-upgrade-cnv/1559052348230209536/artifacts/e2e-azure-upgrade-cnv/test/artifacts/cnv-must-gather-vms/
— Additional comment from on 2022-08-19 10:12:10 UTC —
Hi Simone,
Are you using Openshift-cnv for this test? I see that your workload is running under root which is definitely wrong(different problem but I want to make sure...)
— Additional comment from Simone Tiraboschi on 2022-08-22 07:11:31 UTC —
Yes, it's a CI lane testing the latest OCP compose with up to date CNV.
We user an intermediate repo here: https://github.com/openshift-cnv/cnv-ci
— Additional comment from on 2022-08-22 13:32:17 UTC —
"compute" must not include "SYS_NICE" & "runAsUser=0 (pod and containers "container-disk-binary","compute" must not set runAsUser=0)" suggest that we are not running rootless implementation. Can you please verify this? It would be a much bigger problem.
— Additional comment from on 2022-08-23 17:34:09 UTC —
Proposing this as a blocker.
— Additional comment from on 2022-08-23 17:52:54 UTC —
Rationale for proposing this as a blocker is that it doesn't just affect testing. VMs really are disrupted.
— Additional comment from Simone Tiraboschi on 2022-08-25 14:30:00 UTC —
(In reply to lpivarc from comment #3)
> "compute" must not include "SYS_NICE" & "runAsUser=0 (pod and containers
> "container-disk-binary","compute" must not set runAsUser=0)" suggest that we
> are not running rootless implementation. Can you please verify this? It
> would be a much bigger problem.
That specific lane is an upgrade one.
It's testing the latest CNV version (v4.10.4) to the candidate one for this specific OCP version (so CNV v4.12.0 on OCP v4.12).
AFAIK we are setting NonRoot FG starting with CNV 4.11.0 but not on CNV 4.10.z.
So potentially we will not see this in CNV 4.11.z -> CNV 4.12.z is all the VMs runs with rootless.
But please be aware that this is still going to affect EUS to EUS upgrades (4.10 -> 4.12 is the first one for us) where the cluster admin is supposed to pause the workers MachineConfigPool to skips node reboots on 4.11.
See:
https://issues.redhat.com/browse/CNV-13992
— Additional comment from Antonio Cardace on 2022-09-22 08:58:53 UTC —
While Lubo merged the required changes in Kubevirt we're still missing a change in HCO to enable PSA feature gate by default, @stirabos@redhat.com can you comment here when you post the HCO PR?
- blocks
-
CNV-18561 [2089744] HCO should label its control plane namespace to admit pods at privileged security level
- Closed
-
CNV-21417 [2128999] virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
- Closed
-
CNV-21711 [2132015] virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
- Closed
- is blocked by
-
CNV-20531 [2119128] virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24
- Closed
- is duplicated by
-
CNV-21785 [2133654] [pod security violation audit] Audit violation in "virt-operator" container should be fixed
- Closed
- external trackers