Bug
Resolution: Done-Errata
CLOSED
CNV I/U Operators Sprint 232, CNV I/U Operators Sprint 233, CNV I/U Operators Sprint 234
+++ This bug was initially created as a clone of Bug #2174859 +++
Description of problem:
Add support for configuring Root FeatureGate via HCO CR
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. $ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o yaml | grep -A 8 "featureGates"
2.
3.
Actual results:
featureGates:
  deployKubeSecondaryDNS: false
  deployTektonTaskResources: false
  enableCommonBootImageImport: true
  nonRoot: true
Expected results:
featureGates:
  deployKubeSecondaryDNS: false
  deployTektonTaskResources: false
  enableCommonBootImageImport: true
  Root: False
Additional info:
The default value for root is expected to be false
— Additional comment from Kedar Bidarkar on 2023-03-02 15:12:36 CET —
This is being requested due to the following PR: https://github.com/kubevirt/kubevirt/pull/8563
— Additional comment from Simone Tiraboschi on 2023-03-02 17:33:18 CET —
I see that the NonRoot FG is still there (although deprecated): https://github.com/kubevirt/kubevirt/blob/release-0.59/pkg/virt-config/feature-gates.go#L48
Since we are already in the BlockerOnly phase and this is a user-facing change, we will keep the current API for 4.13 (NonRoot FG with default=true), and we will properly expose the new one (Root FG with default=false), with a conversion on upgrades, only for 4.14.
— Additional comment from Kedar Bidarkar on 2023-03-03 10:21:26 CET —
Hi Simone, I was told by Virt Devs that the NonRoot FG is a no-op.
1) Setting the NonRoot FG to False still leads to the virt-launcher Pod being run as NonRoot only, currently.
2) Only setting the Root FG to True leads to the virt-launcher Pod being run as Root.
In 4.13, there will be no option to run virt-launcher Pod as Root.
Hence we need to consider this for 4.13 itself.
—
Regarding Blockers only,
QE was able to get the first Job run against 4.13 only on March 1st, and this bug was filed on March 2nd.
— Additional comment from Simone Tiraboschi on 2023-03-03 10:50:32 CET —
NonRoot FG is still there but deprecated, so it's still supposed to work in this release, getting removed in the next.
If it's not working as expected, being a no-op, the bug is definitively there.
— Additional comment from on 2023-03-03 11:29:51 CET —
Hi Simone,
The NonRoot is no-op in 4.13. The question is do we want to change `nonRoot: false` when we would add the `Root` fg to Kubevirt? Otherwise this field on HCO is no-op as well.
— Additional comment from Simone Tiraboschi on 2023-03-03 13:58:42 CET —
It's definitely too late in the process for a user-visible API change; internally altering the translation from nonRoot->nonRoot to !nonRoot->Root looks like a reasonable workaround.
Let's keep this bug on 4.14 for a proper fix and I'll clone it to 4.13 marking it as a release blocker to implement there the suggested workaround.
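The `!nonRoot->Root` translation suggested in the last comment, sketched as an added example (not HCO's or KubeVirt's own code). The `HCOFeatureGates` type, the `KubeVirtGates` function and the `ExampleGate` value are hypothetical; the example assumes that an unset `nonRoot` must keep the default, so virt-launcher only runs as root on an explicit `nonRoot: false`.

```go
package main

import (
	"fmt"
	"sort"
)

// HCOFeatureGates is a hypothetical, trimmed-down stand-in for the HCO CR's
// featureGates section; only the field discussed in this bug is modelled.
type HCOFeatureGates struct {
	NonRoot *bool // nil means "not set by the user"; the default is true
}

// KubeVirtGates translates the HCO-level gates into a KubeVirt feature-gate
// list. base holds gates that are always enabled (constructed sample values).
// "Root" is added only when the user explicitly set nonRoot: false, so an
// unset field can never switch virt-launcher to root.
func KubeVirtGates(hco HCOFeatureGates, base []string) []string {
	set := map[string]struct{}{}
	for _, g := range base {
		// Assumption of this sketch: the deprecated no-op gate is not
		// forwarded, and Root may only come from the explicit user choice.
		if g == "NonRoot" || g == "Root" {
			continue
		}
		set[g] = struct{}{}
	}
	if hco.NonRoot != nil && !*hco.NonRoot {
		set["Root"] = struct{}{}
	}
	out := make([]string, 0, len(set))
	for g := range set {
		out = append(out, g)
	}
	sort.Strings(out) // stable order avoids spurious diffs on reconcile
	return out
}

func main() {
	f := false
	base := []string{"ExampleGate", "NonRoot"} // constructed sample input
	fmt.Println(KubeVirtGates(HCOFeatureGates{}, base))            // default: no Root
	fmt.Println(KubeVirtGates(HCOFeatureGates{NonRoot: &f}, base)) // explicit opt-in
}
```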
Blocks: CNV-26376 [2174859] Need Root FeatureGate configurable via HCO CR (Closed)