OpenShift Virtualization / CNV-26406

[2175171] Internal workaround for nonRoot->Root FG on Kubevirt


    • CNV I/U Operators Sprint 232, CNV I/U Operators Sprint 233, CNV I/U Operators Sprint 234

      +++ This bug was initially created as a clone of Bug #2174859 +++

      Description of problem:
      Add support for configuring Root FeatureGate via HCO CR

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:
      1. $ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o yaml | grep -A 8 "featureGates"

      Actual results:
      featureGates:
        deployKubeSecondaryDNS: false
        deployTektonTaskResources: false
        enableCommonBootImageImport: true
        nonRoot: true

      Expected results:
      featureGates:
        deployKubeSecondaryDNS: false
        deployTektonTaskResources: false
        enableCommonBootImageImport: true
        Root: False

      Additional info:
      The default value for root is expected to be false

      — Additional comment from Kedar Bidarkar on 2023-03-02 15:12:36 CET —

      This is being requested due to the following PR: https://github.com/kubevirt/kubevirt/pull/8563

      — Additional comment from Simone Tiraboschi on 2023-03-02 17:33:18 CET —

      I see that the NonRoot FG is still there (although deprecated): https://github.com/kubevirt/kubevirt/blob/release-0.59/pkg/virt-config/feature-gates.go#L48

      Since we are already in the BlockerOnly phase and this is a user-facing change, we will keep the current API for 4.13 (NonRoot FG with default=true) and we will properly expose the new one (Root FG with default=false) with a conversion on upgrades only for 4.14.

      — Additional comment from Kedar Bidarkar on 2023-03-03 10:21:26 CET —

      Hi Simone, I was told by Virt Devs that the NonRoot FG is a no-op.

      1) Setting the NonRoot FG as False still leads to the virt-launcher Pod being run as NonRoot only currently.
      2) Only setting the Root FG as True leads to the virt-launcher Pod being run as Root.

      In 4.13, there will be no option to run virt-launcher Pod as Root.

      Hence we need to consider this for 4.13 itself.

      Regarding Blockers only,

      QE was able to get the first Job run against 4.13, only on March 1st and this bug was filed on March 2nd.

      — Additional comment from Simone Tiraboschi on 2023-03-03 10:50:32 CET —

      The NonRoot FG is still there but deprecated, so it's still supposed to work in this release, getting removed in the next.
      If it's not working as expected, being a no-op, the bug is definitively there.

      — Additional comment from on 2023-03-03 11:29:51 CET —

      Hi Simone,
      The NonRoot is no-op in 4.13. The question is do we want to change `nonRoot: false` when we would add the `Root` fg to Kubevirt? Otherwise this field on HCO is no-op as well.

      — Additional comment from Simone Tiraboschi on 2023-03-03 13:58:42 CET —

      It's definitely too late in the process for a user-visible API change; internally altering the translation from nonRoot->nonRoot to !nonRoot->Root looks like a reasonable workaround.

      Let's keep this bug on 4.14 for a proper fix and I'll clone it to 4.13 marking it as a release blocker to implement there the suggested workaround.

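The translation change discussed in the thread (nonRoot->NonRoot replaced by !nonRoot->Root), sketched as an added example that is not HCO or KubeVirt code. The function names, the `*bool` input and the sample gate list are assumptions made for illustration; only the gate names `NonRoot` and `Root` and the default of nonRoot=true come from the thread.

```go
package main

import (
	"fmt"
	"sort"
)

// Gate names from the thread; "NonRoot" is the deprecated gate reported as a no-op.
const (
	gateNonRoot = "NonRoot"
	gateRoot    = "Root"
)

// stripRootGates drops any existing Root/NonRoot entry so the HCO field is the
// only input and a stale "Root" cannot survive a reconcile (hypothetical helper).
func stripRootGates(in []string) []string {
	out := make([]string, 0, len(in)+1)
	for _, g := range in {
		if g != gateNonRoot && g != gateRoot {
			out = append(out, g)
		}
	}
	return out
}

// legacyGates models the old nonRoot->NonRoot pass-through. With NonRoot a
// no-op, nonRoot=false produces no gate that changes how virt-launcher runs.
func legacyGates(base []string, nonRoot *bool) []string {
	out := stripRootGates(base)
	if nonRoot == nil || *nonRoot { // unset means the default, nonRoot=true
		out = append(out, gateNonRoot)
	}
	sort.Strings(out)
	return out
}

// workaroundGates models !nonRoot->Root: Root is emitted only when nonRoot is
// explicitly false, so an unset field keeps virt-launcher non-root.
func workaroundGates(base []string, nonRoot *bool) []string {
	out := stripRootGates(base)
	if nonRoot != nil && !*nonRoot {
		out = append(out, gateRoot)
	}
	sort.Strings(out)
	return out
}

func main() {
	f := false
	base := []string{"Root", "Snapshot"} // constructed sample gate list
	fmt.Println(legacyGates(base, &f), workaroundGates(base, &f), workaroundGates(base, nil))
}
```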