- Bug
- Resolution: Unresolved
- Normal
- None
- CNV v4.19.0
- Quality / Stability / Reliability
- 0.42
- False
- False
- None
- None
Description of problem:
"Permission denied" when accessing the virtiofs mount directory in the previous VM if multiple VMs share the same PVC.
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1. Prepare a pvc with ReadWriteMany access mode.
$ oc get pvc mypvc -o yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    pv.kubernetes.io/bind-completed: "yes"
    pv.kubernetes.io/bound-by-controller: "yes"
    volume.beta.kubernetes.io/storage-provisioner: openshift-storage.cephfs.csi.ceph.com
    volume.kubernetes.io/storage-provisioner: openshift-storage.cephfs.csi.ceph.com
  creationTimestamp: "2025-03-10T11:04:04Z"
  finalizers:
  - kubernetes.io/pvc-protection
  name: mypvc
  namespace: mytest
  resourceVersion: "17072572"
  uid: ab2427f6-e75d-4200-8d1f-079466ae145f
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: ocs-storagecluster-cephfs
  volumeMode: Filesystem
  volumeName: pvc-ab2427f6-e75d-4200-8d1f-079466ae145f
status:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 1Gi
  phase: Bound
2. Prepare two VMs, add the pvc to the VM as filesystems.
$ oc get vm example3 -o yaml
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  annotations:
    description: VM example
    kubemacpool.io/transaction-timestamp: "2025-03-10T11:05:10.932986851Z"
    kubevirt.io/latest-observed-api-version: v1
    kubevirt.io/storage-observed-api-version: v1
  creationTimestamp: "2025-03-10T10:41:32Z"
  finalizers:
  - kubevirt.io/virtualMachineControllerFinalize
  generation: 6
  labels:
    app: example
    os.template.kubevirt.io/fedora: "true"
  name: example3
  namespace: mytest
  resourceVersion: "17074360"
  uid: ce1dcf25-277b-4141-9c06-5ee17d5fb862
spec:
  runStrategy: Always
  template:
    metadata:
      annotations:
        vm.kubevirt.io/flavor: small
        vm.kubevirt.io/os: fedora
        vm.kubevirt.io/workload: server
      creationTimestamp: null
      labels:
        kubevirt.io/domain: example
        kubevirt.io/size: small
    spec:
      architecture: amd64
      domain:
        cpu:
          cores: 1
          sockets: 1
          threads: 1
        devices:
          disks:
          - disk:
              bus: virtio
            name: rootdisk
          - disk:
              bus: virtio
            name: cloudinitdisk
          filesystems:
          - name: mypvcdisk
            virtiofs: {}
          interfaces:
          - macAddress: 02:06:d7:00:00:10
            masquerade: {}
            model: virtio
            name: default
          networkInterfaceMultiqueue: true
          rng: {}
        machine:
          type: pc-q35-rhel9.4.0
        memory:
          guest: 2Gi
        resources: {}
      hostname: example
      networks:
      - name: default
        pod: {}
      terminationGracePeriodSeconds: 180
      volumes:
      - containerDisk:
          image: quay.io/containerdisks/fedora
        name: rootdisk
      - cloudInitNoCloud:
          userData: |-
            #cloud-config
            user: fedora
            password: fedora
            chpasswd: { expire: False }
        name: cloudinitdisk
      - name: mypvcdisk
        persistentVolumeClaim:
          claimName: mypvc
$ oc get vm example2 -o yaml
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  annotations:
    description: VM example
    kubemacpool.io/transaction-timestamp: "2025-03-10T11:04:17.54103627Z"
    kubevirt.io/latest-observed-api-version: v1
    kubevirt.io/storage-observed-api-version: v1
  creationTimestamp: "2025-03-10T08:14:50Z"
  finalizers:
  - kubevirt.io/virtualMachineControllerFinalize
  generation: 22
  labels:
    app: example
    os.template.kubevirt.io/fedora: "true"
  name: example2
  namespace: mytest
  resourceVersion: "17076141"
  uid: cab69ce5-cd62-40a1-9f60-918361ea5c70
spec:
  runStrategy: Always
  template:
    metadata:
      annotations:
        vm.kubevirt.io/flavor: small
        vm.kubevirt.io/os: fedora
        vm.kubevirt.io/workload: server
      creationTimestamp: null
      labels:
        kubevirt.io/domain: example
        kubevirt.io/size: small
    spec:
      architecture: amd64
      domain:
        cpu:
          cores: 1
          sockets: 1
          threads: 1
        devices:
          disks:
          - disk:
              bus: virtio
            name: rootdisk
          - disk:
              bus: virtio
            name: cloudinitdisk
          filesystems:
          - name: mydv-fs
            virtiofs: {}
          - name: mypvcdisk
            virtiofs: {}
          interfaces:
          - macAddress: 02:06:d7:00:00:0f
            masquerade: {}
            model: virtio
            name: default
          networkInterfaceMultiqueue: true
          rng: {}
        machine:
          type: pc-q35-rhel9.4.0
        memory:
          guest: 2Gi
        resources: {}
      hostname: example
      networks:
      - name: default
        pod: {}
      terminationGracePeriodSeconds: 180
      volumes:
      - containerDisk:
          image: quay.io/containerdisks/fedora
        name: rootdisk
      - cloudInitNoCloud:
          userData: |-
            #cloud-config
            user: fedora
            password: fedora
            chpasswd: { expire: False }
        name: cloudinitdisk
      - dataVolume:
          name: dv-virtiofs
        name: mydv-fs
      - name: mypvcdisk
        persistentVolumeClaim:
          claimName: mypvc
3. Start both VMs.
4. Mount the virtiofs filesystem in one VM.
$ sudo mount -t virtiofs mypvcdisk /mnt
5. Mount the virtiofs filesystem in the other VM.
$ sudo mount -t virtiofs mypvcdisk /mnt
6. List the files in the mount directory (/mnt) of the first VM.
Actual results:
ls: cannot open directory '/mnt': Permission denied
Expected results:
Both VMs should list the directory successfully.
Additional info:
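To find which VMs are in the configuration the steps above set up (one claim exposed through virtiofs in more than one VM), the following check can be run over a VM list. It is an added example, not part of the original report or of KubeVirt; the function and helper names are hypothetical, and the sample input is constructed from the two manifests shown above.

```python
from collections import defaultdict

def shared_virtiofs_claims(vm_list):
    """Return {(namespace, claim): [vm names]} for claims that more than one
    VM exposes to its guest as a virtiofs filesystem."""
    users = defaultdict(set)
    for vm in vm_list.get("items", []):
        ns = vm["metadata"]["namespace"]
        name = vm["metadata"]["name"]
        spec = vm["spec"]["template"]["spec"]
        devices = spec.get("domain", {}).get("devices", {})
        # A volume is shared via virtiofs when a filesystems entry names it.
        fs_names = {fs["name"] for fs in devices.get("filesystems") or []
                    if "virtiofs" in fs}
        for vol in spec.get("volumes") or []:
            if vol.get("name") not in fs_names:
                continue
            if "persistentVolumeClaim" in vol:
                claim = vol["persistentVolumeClaim"]["claimName"]
            elif "dataVolume" in vol:
                # A DataVolume is backed by a PVC of the same name.
                claim = vol["dataVolume"]["name"]
            else:
                continue
            users[(ns, claim)].add(name)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}

def _vm(name, filesystems, volumes, namespace="mytest"):
    """Build a VM object trimmed to the fields the check reads (constructed)."""
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"template": {"spec": {
                "domain": {"devices": {"filesystems": filesystems}},
                "volumes": volumes}}}}

# Constructed sample mirroring example3 and example2 from the report.
PVC_VOL = {"name": "mypvcdisk", "persistentVolumeClaim": {"claimName": "mypvc"}}
SAMPLE = {"items": [
    _vm("example3", [{"name": "mypvcdisk", "virtiofs": {}}],
        [{"name": "rootdisk", "containerDisk": {}}, PVC_VOL]),
    _vm("example2",
        [{"name": "mydv-fs", "virtiofs": {}}, {"name": "mypvcdisk", "virtiofs": {}}],
        [{"name": "mydv-fs", "dataVolume": {"name": "dv-virtiofs"}}, PVC_VOL]),
]}

if __name__ == "__main__":
    for (ns, claim), vms in shared_virtiofs_claims(SAMPLE).items():
        print(f"{ns}/{claim} is exposed via virtiofs in: {', '.join(vms)}")
```

On a cluster, the same function accepts the parsed output of `oc get vm -n mytest -o json` in place of `SAMPLE`.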