Add a CustomRule checking for VM overcommitGuestOverhead (#846)

yuumasato · web-flow · commit f72ca162233e · 2025-10-30T15:06:43.000-05:00
diff --git a/config/samples/custom-rules/openshift-virtualization/kubevirt-no-vms-overcommitting-guest-memory.yaml b/config/samples/custom-rules/openshift-virtualization/kubevirt-no-vms-overcommitting-guest-memory.yaml
@@ -0,0 +1,36 @@
+apiVersion: compliance.openshift.io/v1alpha1
+kind: CustomRule
+metadata:
+  name: kubevirt-no-vms-overcommitting-guest-memory
+  namespace: openshift-compliance
+spec:
+  title: "VMs Must Not Overcommit Guests Memory"
+  id: kubevirt_no_vms_overcommitting_guest_memory
+  description: |-
+    The overcommitGuestOverhead configuration option enables the request for
+    additional virtual machine management memory inside the virt-launcher pod.
+    The overcommit feature is used to increase virtual machine density on the
+    node, as long as the virtual machine doesn’t request all the memory that it
+    would need if fully loaded. However, if the VM were to use all of the
+    memory it could, this would lead to the OpenShift Scheduler killing the
+    workload.
+  failureReason: |-
+    The '.spec.template.spec.domain.recources.overcommitGuestOverhead' field exists and is
+    set to "true" in the 'VirtualMachineInstance' resource, allowing VMs to
+    overcommit KubeVirt's memory which may lead to guests crashing and
+    interrupting workloads causing malfunctions.
+  severity: Medium
+  checkType: Platform
+  scannerType: CEL
+  inputs:
+    - name: vms
+      kubernetesInputSpec:
+        apiVersion: kubevirt.io/v1
+        resource: VirtualMachine
+  expression: |
+    vms.all(h,
+        !has(h.spec.template.spec.domain.resources) ||
+        !has(h.spec.template.spec.domain.resources.overcommitGuestOverhead) ||
+        (has(h.spec.template.spec.domain.resources.overcommitGuestOverhead) &&
+         h.spec.template.spec.domain.resources.overcommitGuestOverhead == false)
+    )
diff --git a/config/samples/custom-rules/openshift-virtualization/kustomization.yaml b/config/samples/custom-rules/openshift-virtualization/kustomization.yaml
@@ -4,5 +4,6 @@ resources:
   - kubevirt-nonroot-feature-gate-is-enabled.yaml
   - kubevirt-no-permitted-host-devices.yaml
   - kubevirt-persistent-reservation-disabled.yaml
+  - kubevirt-no-vms-overcommiting-guest-memory
   - tailored-profile.yaml
   - scan-setting-binding.yaml
diff --git a/config/samples/custom-rules/openshift-virtualization/tailored-profile.yaml b/config/samples/custom-rules/openshift-virtualization/tailored-profile.yaml
@@ -28,4 +28,12 @@ spec:
         explicitly required. This feature allows VMs to claim exclusive access
         to storage resources, potentially impacting availability and enabling
         resource manipulation outside normal access controls.
+    - kind: CustomRule
+      name: kubevirt-no-vms-overcommiting-guest-memory
+      rationale: |-
+        This is a hypervisor-level feature that allows nodes to host more
+        virtual machines than would normally be allowed by KubeVirt’s
+        scheduling algorithms. If the VM consumes the entire memory might
+        cause the guest to crash with workload interruptions and guest
+        malfunctioning.
   title: Platform checks for OpenShift Virtualization
