-
Bug
-
Resolution: Unresolved
-
Undefined
-
CNV v4.20.1
-
None
-
Quality / Stability / Reliability
-
1
-
False
-
-
False
-
CNV v4.21.0.rhel9-44, CNV v4.20.3.rhel9-6
-
-
Important
-
None
Description of problem:
When a VM exists with no annotation `vm.kubevirt.io/validations`, and labels `vm.kubevirt.io/template` , `vm.kubevirt.io/template.namespace` point to invalid/nonexistent template, the validating webhook denies all updates on that VM
Version-Release number of selected component (if applicable):
$ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.20.1 True False 14d Cluster version is 4.20.1 $ oc get csv -n openshift-cnv kubevirt-hyperconverged-operator.4.20.1-10 NAME DISPLAY VERSION REPLACES PHASE kubevirt-hyperconverged-operator.4.20.1-10 OpenShift Virtualization 4.20.1-10 kubevirt-hyperconverged-operator.4.20.1-9 Succeeded
How reproducible:
Steps to Reproduce:
1. Have a VM with no `vm.kubevirt.io/validations` annotation, and `vm.kubevirt.io/template` , `vm.kubevirt.io/template.namespace` pointing to an non existing template. 2. try to modify the VM (like adding a simple annotation)
Actual results:
VM update is blocked on error: admission webhook \"virtualmachine-admission.ssp.kubevirt.io\" denied the request: missing parent template (key=test/example) for example-lih2b1d6wqt2nuak","timestamp":"2025-11-13T07:40:49.194457Z","uid":"7b9e92c0-d76f-4993-9312-5d100be830d2"
Expected results:
VM update should succeed
Additional info:
Not sure how this VM got to exist, I would expect that one would not be able to ever set such an invalid template. My guess is that around the time this VM was last updated (2023-06-15T19:54:40Z) - it was possible.
- links to
- mentioned on
(6 mentioned on)