Known Issues
1. Forklift OS Detection Bug
Status: Not yet filed upstream
Repo: kubev2v/forklift
Forklift reads summary.guest.guestId (reported by VMware Tools at runtime) instead of config.guestId (configured by the admin in vSphere). When VMware Tools is not running or not installed, vSphere reports otherGuest64 regardless of the actual guest OS.
Impact: Cosmetic. The forklift-vsphere-osmap ConfigMap maps the wrong guest ID to KubeVirt preferences, but virt-v2v performs its own disk inspection and correctly identifies the OS during conversion.
Workaround: None needed for functionality. If correct preferences matter, manually edit the VirtualMachine resource after migration.
2. SecureBoot / SMM Feature Gate
VMs with EFI SecureBoot fail migration
VMs that have EFI SecureBoot enabled in vSphere will fail to migrate (or fail to boot after migration) if the SMM (System Management Mode) feature gate is not enabled in KubeVirt.
Fix: Add SMM to additionalFeatureGates in the VMO pack values:
3. virt-launcher Version Skew on Upgrade
Live migration fails after KubeVirt upgrade
When KubeVirt is upgraded (especially skipping minor versions), existing VMs continue running with the old virt-launcher image. Attempting to live migrate these VMs fails with client socket is closed errors because the source and target virt-launcher pods are running different versions.
Detection:
```bash
kubectl get vmi -l kubevirt.io/outdatedLauncherImage --all-namespaces
```
Fix: Restart affected VMs to pick up the new virt-launcher version:
```bash
virtctl restart <vm-name> -n <namespace>
```
Warning
This causes brief downtime for each VM. Schedule restarts during a maintenance window.
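The detection and restart steps above, combined into a restart plan that can be reviewed before a maintenance window. This is an added example, not from the Palette or KubeVirt documentation. The function names and the sample listing are constructed, and it assumes a VM-owned VMI has the same name as its VirtualMachine.

```shell
#!/bin/sh
# Added example: turn the outdated-launcher listing into a restart plan.

# List labelled VMIs as "namespace name owner-kind". With custom-columns,
# kubectl prints <none> when a VMI has no ownerReferences (standalone VMI).
list_outdated_vmis() {
  kubectl get vmi --all-namespaces \
    -l kubevirt.io/outdatedLauncherImage --no-headers \
    -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,OWNER:.metadata.ownerReferences[0].kind'
}

# Read that listing on stdin and print one restart command per VM-owned VMI.
# Assumption: a VM-owned VMI carries the name of its VirtualMachine.
# Standalone VMIs are emitted as comments, because virtctl restart acts on
# a VirtualMachine and they need manual handling.
plan_restarts() {
  while read -r ns name owner; do
    [ -z "$ns" ] && continue
    if [ "$owner" = "VirtualMachine" ]; then
      printf 'virtctl restart %s -n %s\n' "$name" "$ns"
    else
      printf '# skipped %s/%s: not owned by a VirtualMachine\n' "$ns" "$name"
    fi
  done
}

# Constructed sample listing (not real cluster output).
SAMPLE_LISTING='prod   db-01    VirtualMachine
prod   web-02   VirtualMachine
lab    scratch  <none>'

# Plan for the sample; on a cluster run: list_outdated_vmis | plan_restarts
sample_plan() { printf '%s\n' "$SAMPLE_LISTING" | plan_restarts; }
```

The plan is only printed, never executed, so the commands can be checked and scheduled before any VM is restarted.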
4. Kubeconfig Token Expiry
Authentication errors with downloaded kubeconfigs
Palette proxy kubeconfigs use tokens that expire regularly. Commands will fail with Unauthorized or 403 errors when the token expires.
Fix: Download a fresh kubeconfig from the Palette UI.
5. Docker Hub Rate Limiting
Image pull failures from docker.io
Images pulled from docker.io may fail with 429 Too Many Requests errors due to Docker Hub rate limiting, especially on clusters with many nodes pulling images simultaneously.
Workaround: Use quay.io alternatives when available. For critical images, consider setting up a local registry mirror.
6. Cohesity Backup Does Not Support Upstream KubeVirt
Backup gap for KubeVirt VMs
Cohesity does not support upstream KubeVirt. It only supports OpenShift Virtualization (version 7.2.2 and later). This means Cohesity cannot back up VMs running on Palette's VMO (which uses upstream KubeVirt).
Alternative strategies:
- Portworx snapshots and CloudSnaps for volume-level backup.
- Velero with CSI snapshots for namespace-level backup.
- Export VM disks manually with virtctl image-upload/virtctl image-download.
- Application-level backup agents inside the guest OS.
7. 1Password CLI Auth Mode Conflict
Service account mode vs interactive mode
When the OP_SERVICE_ACCOUNT_TOKEN environment variable is set, the op CLI uses service account mode, which has limited vault access compared to interactive mode.
Workaround for interactive use:
```bash
OP_SERVICE_ACCOUNT_TOKEN="" op item list --vault "k8s vault" --account my
```