diff --git a/0001-Collect-component-Role-rules-under-operator-Role-ins.patch b/0001-Collect-component-Role-rules-under-operator-Role-ins.patch new file mode 100644 index 0000000..01f6017 --- /dev/null +++ b/0001-Collect-component-Role-rules-under-operator-Role-ins.patch 
@@ -0,0 +1,455 @@ +From 5b86f015a18b4f01ed5dd475509a7bd6ccd1dc67 Mon Sep 17 00:00:00 2001 +From: Jed Lejosne +Date: Mon, 10 Jun 2024 11:34:23 -0400 +Subject: [PATCH] Collect component Role rules under operator Role instead of + ClusterRole + +Signed-off-by: Jed Lejosne +--- + manifests/generated/operator-csv.yaml.in | 124 +++++++++--------- + .../rbac-operator.authorization.k8s.yaml.in | 124 +++++++++--------- + .../resource/generate/rbac/operator.go | 35 +++-- + .../resource/generate/rbac/operator_test.go | 18 +++ + 4 files changed, 169 insertions(+), 132 deletions(-) + +diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in +index b50caafad..e70bb676b 100644 +--- a/manifests/generated/operator-csv.yaml.in ++++ b/manifests/generated/operator-csv.yaml.in +@@ -464,14 +464,6 @@ spec: + - create + - list + - get +- - apiGroups: +- - "" +- resources: +- - configmaps +- verbs: +- - get +- - list +- - watch + - apiGroups: + - "" + resources: +@@ -721,42 +713,6 @@ spec: + verbs: + - list + - watch +- - apiGroups: +- - route.openshift.io +- resources: +- - routes +- verbs: +- - list +- - get +- - watch +- - apiGroups: +- - "" +- resources: +- - secrets +- verbs: +- - list +- - get +- - watch +- - apiGroups: +- - networking.k8s.io +- resources: +- - ingresses +- verbs: +- - list +- - get +- - watch +- - apiGroups: +- - coordination.k8s.io +- resources: +- - leases +- verbs: +- - get +- - list +- - watch +- - delete +- - update +- - create +- - patch + - apiGroups: + - kubevirt.io + resources: +@@ -813,14 +769,6 @@ spec: + - get + - list + - watch +- - apiGroups: +- - "" +- resources: +- - configmaps +- verbs: +- - get +- - list +- - watch + - apiGroups: + - export.kubevirt.io + resources: +@@ -836,16 +784,6 @@ spec: + verbs: + - list + - watch +- - apiGroups: +- - "" +- resourceNames: +- - kubevirt-export-ca +- resources: +- - configmaps +- verbs: +- - get +- - list +- - watch + - apiGroups: + - kubevirt.io + resources: +@@ -1445,6 
+1383,68 @@ spec: + - update + - create + - patch ++ - apiGroups: ++ - "" ++ resources: ++ - configmaps ++ verbs: ++ - get ++ - list ++ - watch ++ - apiGroups: ++ - route.openshift.io ++ resources: ++ - routes ++ verbs: ++ - list ++ - get ++ - watch ++ - apiGroups: ++ - "" ++ resources: ++ - secrets ++ verbs: ++ - list ++ - get ++ - watch ++ - apiGroups: ++ - networking.k8s.io ++ resources: ++ - ingresses ++ verbs: ++ - list ++ - get ++ - watch ++ - apiGroups: ++ - coordination.k8s.io ++ resources: ++ - leases ++ verbs: ++ - get ++ - list ++ - watch ++ - delete ++ - update ++ - create ++ - patch ++ - apiGroups: ++ - "" ++ resources: ++ - configmaps ++ verbs: ++ - get ++ - list ++ - watch ++ - apiGroups: ++ - "" ++ resourceNames: ++ - kubevirt-export-ca ++ resources: ++ - configmaps ++ verbs: ++ - get ++ - list ++ - watch + serviceAccountName: kubevirt-operator + strategy: deployment + installModes: +diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in +index e8146bb1b..c0e76e8e6 100644 +--- a/manifests/generated/rbac-operator.authorization.k8s.yaml.in ++++ b/manifests/generated/rbac-operator.authorization.k8s.yaml.in +@@ -75,6 +75,68 @@ rules: + - update + - create + - patch ++- apiGroups: ++ - "" ++ resources: ++ - configmaps ++ verbs: ++ - get ++ - list ++ - watch ++- apiGroups: ++ - route.openshift.io ++ resources: ++ - routes ++ verbs: ++ - list ++ - get ++ - watch ++- apiGroups: ++ - "" ++ resources: ++ - secrets ++ verbs: ++ - list ++ - get ++ - watch ++- apiGroups: ++ - networking.k8s.io ++ resources: ++ - ingresses ++ verbs: ++ - list ++ - get ++ - watch ++- apiGroups: ++ - coordination.k8s.io ++ resources: ++ - leases ++ verbs: ++ - get ++ - list ++ - watch ++ - delete ++ - update ++ - create ++ - patch ++- apiGroups: ++ - "" ++ resources: ++ - configmaps ++ verbs: ++ - get ++ - list ++ - watch ++- apiGroups: ++ - "" ++ resourceNames: ++ - kubevirt-export-ca ++ resources: ++ 
- configmaps ++ verbs: ++ - get ++ - list ++ - watch + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding +@@ -404,14 +466,6 @@ rules: + - create + - list + - get +-- apiGroups: +- - "" +- resources: +- - configmaps +- verbs: +- - get +- - list +- - watch + - apiGroups: + - "" + resources: +@@ -661,42 +715,6 @@ rules: + verbs: + - list + - watch +-- apiGroups: +- - route.openshift.io +- resources: +- - routes +- verbs: +- - list +- - get +- - watch +-- apiGroups: +- - "" +- resources: +- - secrets +- verbs: +- - list +- - get +- - watch +-- apiGroups: +- - networking.k8s.io +- resources: +- - ingresses +- verbs: +- - list +- - get +- - watch +-- apiGroups: +- - coordination.k8s.io +- resources: +- - leases +- verbs: +- - get +- - list +- - watch +- - delete +- - update +- - create +- - patch + - apiGroups: + - kubevirt.io + resources: +@@ -753,14 +771,6 @@ rules: + - get + - list + - watch +-- apiGroups: +- - "" +- resources: +- - configmaps +- verbs: +- - get +- - list +- - watch + - apiGroups: + - export.kubevirt.io + resources: +@@ -776,16 +786,6 @@ rules: + verbs: + - list + - watch +-- apiGroups: +- - "" +- resourceNames: +- - kubevirt-export-ca +- resources: +- - configmaps +- verbs: +- - get +- - list +- - watch + - apiGroups: + - kubevirt.io + resources: +diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go +index 365fb0600..b90a5fae8 100644 +--- a/pkg/virt-operator/resource/generate/rbac/operator.go ++++ b/pkg/virt-operator/resource/generate/rbac/operator.go +@@ -317,15 +317,14 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole { + } + + // now append all rules needed by KubeVirt's components +- operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...) ++ operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsClusterRules()...) 
+ return operatorRole
+ }
+
+-func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
+-
++func getKubeVirtComponentsClusterRules() []rbacv1.PolicyRule {
+ var rules []rbacv1.PolicyRule
+
+- // namespace doesn't matter, we are only interested in the rules of both Roles and ClusterRoles
++ // namespace doesn't matter, we are only interested in the rules of ClusterRoles
+ all := GetAllApiServer("")
+ all = append(all, GetAllController("")...)
+ all = append(all, GetAllHandler("")...)
+@@ -337,9 +336,6 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
+ case *rbacv1.ClusterRole:
+ role, _ := resource.(*rbacv1.ClusterRole)
+ rules = append(rules, role.Rules...)
+- case *rbacv1.Role:
+- role, _ := resource.(*rbacv1.Role)
+- rules = append(rules, role.Rules...)
+ }
+ }
+
+@@ -375,6 +371,27 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
+ return rules
+ }
+
++func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
++ var rules []rbacv1.PolicyRule
++
++ // namespace doesn't matter, we are only interested in the rules
++ all := GetAllApiServer("")
++ all = append(all, GetAllController("")...)
++ all = append(all, GetAllHandler("")...)
++ all = append(all, GetAllExportProxy("")...)
++ all = append(all, GetAllCluster()...)
++
++ for _, resource := range all {
++ switch resource.(type) {
++ case *rbacv1.Role:
++ role, _ := resource.(*rbacv1.Role)
++ rules = append(rules, role.Rules...)
++ }
++ }
++
++ return rules
++}
++
+ func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
+ return &rbacv1.ClusterRoleBinding{
+ TypeMeta: metav1.TypeMeta{
+@@ -432,7 +449,7 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding {
+
+ // NewOperatorRole creates a Role object for kubevirt-operator.
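Review bot: In the new `getKubeVirtComponentsRules` the `switch resource.(type)` is immediately followed by a second assertion `role, _ := resource.(*rbacv1.Role)` whose ok value is discarded; binding in the switch does it once: `switch role := resource.(type) { case *rbacv1.Role: rules = append(rules, role.Rules...) }`. The collector also appends every component Role's rules verbatim with no de-duplication, and the regenerated manifests in this same patch show the effect: the operator Role ends up with the unscoped `configmaps` get/list/watch rule twice plus a `resourceNames: [kubevirt-export-ca]` rule that the unscoped one already subsumes, which reads as if CA access were name-restricted when it is not. Consider de-duplicating before appending, or at least a doc comment on the function stating that the returned slice is the raw union of all namespaced component Roles and is consumed by `NewOperatorRole`. The in-body comment is truncated relative to its sibling in `getKubeVirtComponentsClusterRules`; `// namespace doesn't matter, we are only interested in the rules of the namespaced Roles` keeps the two consistent.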
+ func NewOperatorRole(namespace string) *rbacv1.Role {
+- return &rbacv1.Role{
++ operatorRole := &rbacv1.Role{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: VersionNamev1,
+ Kind: "Role",
+@@ -527,6 +544,8 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
+ },
+ },
+ }
++ operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...)
++ return operatorRole
+ }
+
+ func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool {
+diff --git a/pkg/virt-operator/resource/generate/rbac/operator_test.go b/pkg/virt-operator/resource/generate/rbac/operator_test.go
+index 51bd479cc..22c7d30c0 100644
+--- a/pkg/virt-operator/resource/generate/rbac/operator_test.go
++++ b/pkg/virt-operator/resource/generate/rbac/operator_test.go
+@@ -67,6 +67,11 @@ var _ = Describe("RBAC", func() {
+ Expect(clusterRoleBinding.Subjects[0].Namespace).To(BeEquivalentTo(expectedNamespace))
+ })
+
++ It("doesn't have critical cluster-wide permissions", func() {
++ clusterRole := getFirstItemOfType(forOperator, reflect.TypeOf(&rbacv1.ClusterRole{})).(*rbacv1.ClusterRole)
++ Expect(clusterRole).ToNot(BeNil())
++ expectExactRuleDoesntExists(clusterRole.Rules, "", "secrets", "get", "list", "watch")
++ })
+ })
+
+ Context("GetKubevirtComponentsServiceAccounts", func() {
+@@ -96,3 +101,16 @@ func getFirstItemOfType(items []interface{}, tp reflect.Type) interface{} {
+ }
+ return nil
+ }
++
++func expectExactRuleDoesntExists(rules []rbacv1.PolicyRule, apiGroup, resource string, verbs ...string) {
++ for _, rule := range rules {
++ if contains(rule.APIGroups, apiGroup) &&
++ contains(rule.Resources, resource) {
++ for _, verb := range verbs {
++ if contains(rule.Verbs, verb) {
++ Fail(fmt.Sprintf("Found rule (apiGroup: %s, resource: %s, verbs: %v)", apiGroup, resource, rule.Verbs))
++ }
++ }
++ }
++ }
++}
+--
+2.45.2
+
diff --git a/0001-tests-Adapt-VM-phase-expectation.patch b/0001-tests-Adapt-VM-phase-expectation.patch
deleted file mode 100644
index 1e0fa8f..0000000
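Review bot: In the new `It("doesn't have critical cluster-wide permissions")` block the single-value type assertion `.(*rbacv1.ClusterRole)` panics when `getFirstItemOfType` returns nil (its `return nil` fallthrough is visible in the next hunk), so the `Expect(clusterRole).ToNot(BeNil())` that follows can never be the line that reports a missing ClusterRole. Use the two-value form and assert on it: `clusterRole, ok := getFirstItemOfType(forOperator, reflect.TypeOf(&rbacv1.ClusterRole{})).(*rbacv1.ClusterRole)` followed by `Expect(ok).To(BeTrue())`. The test also pins only `secrets`, while this patch relocates `configmaps`, `leases`, `routes` and `ingresses` from the ClusterRole to the Role as well; if the ClusterRole is indeed meant to grant none of those cluster-wide any more, a second `expectExactRuleDoesntExists(clusterRole.Rules, "", "configmaps", "get", "list", "watch")` would stop a regression of the CVE fix from slipping past unnoticed. The enclosing `Describe("RBAC")` container starts outside the hunk.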
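Review bot: `expectExactRuleDoesntExists` does not treat RBAC wildcards as a match, so a rule with `apiGroups: ["*"]`, `resources: ["*"]` or `verbs: ["*"]`, any of which can grant secrets read, passes the check unnoticed; `contains` is defined outside the hunk, and from its use here it appears to be a plain equality lookup. Treating `"*"` as matching in all three dimensions closes that gap, and the name is misleading too, since the helper checks containment rather than an exact rule, so something like `expectNoRuleGranting` would describe it better. A rewritten helper follows; `contains` stays the underlying lookup.

```go
func expectExactRuleDoesntExists(rules []rbacv1.PolicyRule, apiGroup, resource string, verbs ...string) {
	// A "*" entry grants everything in that dimension, so it must count as a match.
	matches := func(list []string, want string) bool {
		return contains(list, "*") || contains(list, want)
	}
	for _, rule := range rules {
		if !matches(rule.APIGroups, apiGroup) || !matches(rule.Resources, resource) {
			continue
		}
		for _, verb := range verbs {
			if matches(rule.Verbs, verb) {
				Fail(fmt.Sprintf("Found rule (apiGroup: %s, resource: %s, verbs: %v)", apiGroup, resource, rule.Verbs))
			}
		}
	}
}
```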
--- a/0001-tests-Adapt-VM-phase-expectation.patch +++ /dev/null @@ -1,29 +0,0 @@ -From aa6647c263408bdf0518d74da2d4c37d3bb42de0 Mon Sep 17 00:00:00 2001 -From: Vasiliy Ulyanov -Date: Wed, 13 Dec 2023 08:10:37 +0100 -Subject: [PATCH] tests: Adapt VM phase expectation - -When CDI uses volume populators with malformed DataVolume, the VM -initially transitions to Scheduling phase. - -Signed-off-by: Vasiliy Ulyanov ---- - tests/storage/datavolume.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/storage/datavolume.go b/tests/storage/datavolume.go -index 46677257d..9d86d0eac 100644 ---- a/tests/storage/datavolume.go -+++ b/tests/storage/datavolume.go -@@ -536,7 +536,7 @@ var _ = SIGDescribe("DataVolume Integration", func() { - vm, err = virtClient.VirtualMachine(vm.Namespace).Create(context.Background(), vm) - Expect(err).ToNot(HaveOccurred()) - -- Eventually(ThisVMIWith(vm.Namespace, vm.Name), 100).Should(BeInPhase(v1.Pending)) -+ Eventually(ThisVMIWith(vm.Namespace, vm.Name), 100).Should(Or(BeInPhase(v1.Pending), BeInPhase(v1.Scheduling))) - - By("Creating a service which makes the registry reachable") - _, err = virtClient.CoreV1().Services(vm.Namespace).Create(context.Background(), &k8sv1.Service{ --- -2.43.0 - diff --git a/_service b/_service index c816821..fdcc23a 100644 --- a/_service +++ b/_service @@ -1,7 +1,7 @@ kubevirt - v1.1.1 + v1.2.2 git disable https://github.com/kubevirt/kubevirt diff --git a/disks-images-provider.yaml b/disks-images-provider.yaml index 9791840..c8c6bf6 100644 --- a/disks-images-provider.yaml +++ b/disks-images-provider.yaml @@ -22,7 +22,7 @@ spec: serviceAccountName: kubevirt-testing containers: - name: target - image: quay.io/kubevirt/disks-images-provider:v1.1.1 + image: quay.io/kubevirt/disks-images-provider:v1.2.2 imagePullPolicy: Always lifecycle: preStop: diff --git a/kubevirt-1.1.1.tar.gz b/kubevirt-1.1.1.tar.gz deleted file mode 100644 index c5737b1..0000000 --- a/kubevirt-1.1.1.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:da1fc9f836684d3cd97b4d1b2815589edcdfa5ebb6a198c11722dabe7606aa7b -size 16294545 diff --git a/kubevirt-1.2.2.tar.gz b/kubevirt-1.2.2.tar.gz new file mode 100644 index 0000000..2ed304c --- /dev/null +++ b/kubevirt-1.2.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:899afbef0d4dac04d0b6607c2aff9f92ae843830d0864935cfed41819d5da36b +size 17111049 diff --git a/kubevirt.changes b/kubevirt.changes index 7fa0d39..abbcaf2 100644 --- a/kubevirt.changes +++ b/kubevirt.changes 
@@ -1,3 +1,46 @@ +------------------------------------------------------------------- +Wed Jul 31 06:57:29 UTC 2024 - Vasily Ulyanov + +- Use the images based on SLE15 SP6 BCI: 1.2.2-150600.5.6.1 + +------------------------------------------------------------------- +Mon Jul 8 07:13:03 UTC 2024 - Vasily Ulyanov + +- Update to version 1.2.2 + Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.2.2 + Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.2.1 + Release notes https://github.com/kubevirt/kubevirt/releases/tag/v1.2.0 +- Drop patches + 0001-tests-Adapt-VM-phase-expectation.patch + 0002-Update-tls-error-string-in-migration-test.patch + 0003-tests-Expect-PendingPopulation-phase.patch + 0004-Improve-the-handling-of-ordinal-pod-interface-name-for-upgrade.patch + 0005-Collect-component-Role-rules-under-operator-Role-ins.patch +- Add patch + 0001-Collect-component-Role-rules-under-operator-Role-ins.patch +- Pack configuration files for libvirt + +------------------------------------------------------------------- +Thu Jun 20 13:48:18 UTC 2024 - Vasily Ulyanov + +- Collect component Role rules under operator Role instead of + ClusterRole (bsc#1223965, CVE-2024-33394) + 0005-Collect-component-Role-rules-under-operator-Role-ins.patch + +------------------------------------------------------------------- +Fri Apr 12 05:51:30 UTC 2024 - Vasily Ulyanov + +- Improve the OrdinalPodInterfaceName mechanism (bsc#1222699) + 0004-Improve-the-handling-of-ordinal-pod-interface-name-for-upgrade.patch + +------------------------------------------------------------------- +Wed Apr 3 11:55:41 UTC 2024 - Vasily Ulyanov + +- Fix test of secure migration with TLS (bsc#1221431) + 0002-Update-tls-error-string-in-migration-test.patch +- Fix volume phase condition in migration test (bsc#1221430) + 0003-tests-Expect-PendingPopulation-phase.patch + ------------------------------------------------------------------- Mon Feb 12 08:48:49 UTC 2024 - Vasily Ulyanov 
diff --git a/kubevirt.spec b/kubevirt.spec index cb44cbe..d7aede0 100644 --- a/kubevirt.spec +++ b/kubevirt.spec @@ -30,7 +30,7 @@ %endif Name: kubevirt -Version: 1.1.1 +Version: 1.2.2 Release: 0 Summary: Container native virtualization License: Apache-2.0 @@ -41,13 +41,13 @@ Source1: kubevirt_containers_meta Source2: kubevirt_containers_meta.service Source3: %{url}/releases/download/v%{version}/disks-images-provider.yaml Source100: %{name}-rpmlintrc -Patch1: 0001-tests-Adapt-VM-phase-expectation.patch +Patch1: 0001-Collect-component-Role-rules-under-operator-Role-ins.patch BuildRequires: glibc-devel-static BuildRequires: golang-packaging BuildRequires: pkgconfig BuildRequires: rsync BuildRequires: sed -BuildRequires: golang(API) >= 1.19 +BuildRequires: golang(API) >= 1.21 BuildRequires: pkgconfig(libvirt) ExclusiveArch: %{_exclusive_arch} @@ -247,10 +247,10 @@ build_tests="true" \ cmd/virtctl \ %{nil} -# Note: the generated manifests will point to the images based on SLE15 SP5 BCI. +# Note: the generated manifests will point to the images based on SLE15 SP6 BCI. env \ -DOCKER_PREFIX=registry.suse.com/suse/sles/15.5 \ -DOCKER_TAG=1.1.1-150500.8.9.1 \ +DOCKER_PREFIX=registry.suse.com/suse/sles/15.6 \ +DOCKER_TAG=1.2.2-150600.5.6.1 \ KUBEVIRT_NO_BAZEL=true \ ./hack/build-manifests.sh 
@@ -285,6 +285,11 @@ install -p -m 0644 cmd/virt-handler/virt_launcher.cil %{buildroot}%{_datadir}/ku mkdir -p %{buildroot}%{_datadir}/kube-virt/pr-helper install -p -m 0644 cmd/pr-helper/multipath.conf %{buildroot}%{_datadir}/kube-virt/pr-helper/ +# Configuration files for libvirt +mkdir -p %{buildroot}%{_datadir}/kube-virt/virt-launcher +install -p -m 0644 cmd/virt-launcher/virtqemud.conf %{buildroot}%{_datadir}/kube-virt/virt-launcher +install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt/virt-launcher + # Install release manifests mkdir -p %{buildroot}%{_datadir}/kube-virt/manifests/release install -m 0644 _out/manifests/release/kubevirt-operator.yaml %{buildroot}%{_datadir}/kube-virt/manifests/release/ @@ -345,12 +350,15 @@ install -m 0644 %{S:2} %{buildroot}%{_prefix}/lib/obs/service %files virt-launcher %license LICENSE %doc README.md +%dir %{_datadir}/kube-virt +%dir %{_datadir}/kube-virt/virt-launcher %{_bindir}/virt-launcher %{_bindir}/virt-launcher-monitor %{_bindir}/virt-freezer %{_bindir}/virt-probe %{_bindir}/virt-tail %{_bindir}/node-labeller.sh +%{_datadir}/kube-virt/virt-launcher %files virt-operator %license LICENSE
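Review bot: In the `%files virt-launcher` list the new bare entry `%{_datadir}/kube-virt/virt-launcher` already owns that directory and everything installed under it, so the added `%dir %{_datadir}/kube-virt/virt-launcher` line names the same path twice and rpmbuild will typically warn "File listed twice". Keep either the `%dir` line plus explicit file entries, `%{_datadir}/kube-virt/virt-launcher/qemu.conf` and `%{_datadir}/kube-virt/virt-launcher/virtqemud.conf`, or the bare directory entry, not both; the explicit form is preferable because it makes visible that this package ships `qemu.conf` and `virtqemud.conf`, which shape the libvirt/QEMU configuration inside the launcher pod and deserve to be reviewed on every version bump. The `%dir %{_datadir}/kube-virt` entry presumably co-owns a directory that other subpackages already own, which rpm permits.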