Bug 1315158

Summary: Oversized imagestream created successfully without code 403 and can't describe for the "Quota Usage"
Product: OKD Reporter: XiaochuanWang <xiaocwan>
Component: Image RegistryAssignee: Maciej Szulik <maszulik>
Status: CLOSED NOTABUG QA Contact: Wei Sun <wsun>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.xCC: aos-bugs, maszulik
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-08 06:34:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description XiaochuanWang 2016-03-07 05:55:57 UTC 
Description of problem:
Set quota by cluster-admin and then create a over sized imagestream from client side. Server returns 201. Describe IS from server side doesn't show "Quota Usage" 

Version-Release number of selected component (if applicable):
oc v1.1.3-483-g28cba69
kubernetes v1.2.0-alpha.7-703-gbc4550d

How reproducible:
Always

Steps to Reproduce:
1. Cluster-admin create quota "openshift.io/imagestreamsize": "0.1Gi" for a user's project:
{
  "apiVersion": "v1",
  "kind": "ResourceQuota",
  "metadata": {
    "name": "quota"
  },
  "spec": {
    "hard": {
      "memory": "1Gi", 
      "cpu": "20", 
      "openshift.io/imagesize": "5Gi",
      "openshift.io/imagestreamsize": "0.1Gi",
      "openshift.io/projectimagessize": "40Gi",
      "pods": "10",
      "services": "5",
      "replicationcontrollers":"5",
      "resourcequotas":"1"
    }
  }
}
2. User login from client side, create a over sized imagestream.
i.e. Use https://github.com/openshift/origin/blob/master/examples/sample-app/application-template-stibuild.json
or use docer.io/xiaocwan/python-33-centos7-practice (156 MB) as following:
{
  "apiVersion": "v1",
  "kind": "ImageStreamList",
  "items": [
    {
      "apiVersion": "v1",
      "kind": "ImageStream",
      "metadata": {
        "name": "python"
      },
      "spec": {
        "dockerImageRepository": "xiaocwan/python-33-centos7-practice"
      }
    }
  ]
}
# oc create -f ispython.json

3. On server side, cluster-admin describe is for this project
`oc describe is python -n xiaocwan2-py`

Actual results:
Step2:# oc create -f ispython.json --v=8
I0307 13:20:57.569536    7832 loader.go:242] Config loaded from file /root/.kube/config
I0307 13:20:57.578569    7832 loader.go:242] Config loaded from file /root/.kube/config
I0307 13:20:57.586854    7832 loader.go:242] Config loaded from file /root/.kube/config
I0307 13:20:57.595820    7832 loader.go:242] Config loaded from file /root/.kube/config
I0307 13:20:57.596445    7832 round_trippers.go:264] GET https://ec2-52-90-235-92.compute-1.amazonaws.com:8443/oapi
I0307 13:20:57.596467    7832 round_trippers.go:271] Request Headers:
I0307 13:20:57.596477    7832 round_trippers.go:274]     User-Agent: oc/v1.1.3 (linux/amd64) openshift/cffae05
I0307 13:20:57.596486    7832 round_trippers.go:274]     Authorization: Bearer jlkCruLp5zIi4DxTypQ73xSYaUdG0WXCuIU0Xa1-iJ8
I0307 13:20:58.618295    7832 round_trippers.go:289] Response Status: 200 OK in 1021 milliseconds
I0307 13:20:58.618329    7832 round_trippers.go:292] Response Headers:
I0307 13:20:58.618340    7832 round_trippers.go:295]     Cache-Control: no-store
I0307 13:20:58.618350    7832 round_trippers.go:295]     Content-Type: application/json
I0307 13:20:58.618360    7832 round_trippers.go:295]     Date: Mon, 07 Mar 2016 05:20:58 GMT
I0307 13:20:58.618370    7832 round_trippers.go:295]     Content-Length: 59
I0307 13:20:58.618435    7832 request.go:878] Response Body: {"kind":"APIVersions","apiVersion":"v1","versions":["v1"]}
I0307 13:20:58.619518    7832 decoder.go:141] decoding stream as JSON
I0307 13:20:58.621304    7832 request.go:583] Request Body: {"kind":"ImageStream","apiVersion":"v1","metadata":{"name":"python","namespace":"xiaocwan2-py","creationTimestamp":null},"spec":{"dockerImageRepository":"xiaocwan/python-33-centos7-practice"},"status":{"dockerImageRepository":""}}
I0307 13:20:58.621358    7832 round_trippers.go:264] POST https://ec2-52-90-235-92.compute-1.amazonaws.com:8443/oapi/v1/namespaces/xiaocwan2-py/imagestreams
I0307 13:20:58.621371    7832 round_trippers.go:271] Request Headers:
I0307 13:20:58.621380    7832 round_trippers.go:274]     Authorization: Bearer jlkCruLp5zIi4DxTypQ73xSYaUdG0WXCuIU0Xa1-iJ8
I0307 13:20:58.621389    7832 round_trippers.go:274]     Content-Type: application/json
I0307 13:20:58.621399    7832 round_trippers.go:274]     User-Agent: oc/v1.1.3 (linux/amd64) openshift/cffae05
I0307 13:20:58.876862    7832 round_trippers.go:289] Response Status: 201 Created in 255 milliseconds
I0307 13:20:58.876917    7832 round_trippers.go:292] Response Headers:
I0307 13:20:58.876929    7832 round_trippers.go:295]     Cache-Control: no-store
I0307 13:20:58.876939    7832 round_trippers.go:295]     Content-Type: application/json
I0307 13:20:58.876949    7832 round_trippers.go:295]     Date: Mon, 07 Mar 2016 05:20:58 GMT
I0307 13:20:58.876967    7832 round_trippers.go:295]     Content-Length: 439
I0307 13:20:58.877031    7832 request.go:878] Response Body: {"kind":"ImageStream","apiVersion":"v1","metadata":{"name":"python","namespace":"xiaocwan2-py","selfLink":"/oapi/v1/namespaces/xiaocwan2-py/imagestreams/python","uid":"60244de4-e424-11e5-a2e6-0e51e3080319","resourceVersion":"2092","generation":1,"creationTimestamp":"2016-03-07T05:20:58Z"},"spec":{"dockerImageRepository":"xiaocwan/python-33-centos7-practice"},"status":{"dockerImageRepository":"172.30.125.119:5000/xiaocwan2-py/python"}}
imagestream "python" created

Step3:# oc describe is python -n xiaocwan2-py
Name:            python
Created:        About a minute ago
Labels:            <none>
Annotations:        openshift.io/image.dockerRepositoryCheck=2016-03-07T05:20:59Z
Docker Pull Spec:    172.30.125.119:5000/xiaocwan2-py/python

Tag    Spec                        Created            PullSpec                        Image
latest    xiaocwan/python-33-centos7-practice:latest    About a minute ago    xiaocwan/python-33-centos7-practice@sha256:0f798d06752a94...    <same>
tag1    xiaocwan/python-33-centos7-practice:tag1    About a minute ago    xiaocwan/python-33-centos7-practice@sha256:d3262e492b58ab...    <same>


Expected results:
Step3: Should return error, I believe should return 403.
Step4: If create Is first and then the quota, should have the following described
 "Quota Usage:        0MiB / 156 MiB"

Additional info:
If create over sized IS first and then create quota, the "Quota Usage" could be described which is correct.
Comment 1 XiaochuanWang 2016-03-07 07:08:55 UTC 
From expected result, I mean even though the big IS created, there should be a "Quota Usage" described as "0MiB / 1024 MiB" unless the IS is failed to be created.
Comment 2 Maciej Szulik 2016-03-07 22:25:58 UTC 
First, the quota will show usage if you push images into it (build or docker push). Importing metadata (like you do here) does not increase quota usage.
Secondly, I've just re-tested and oc describe shows proper information about usage, does not matter whether your a regular user or a cluster-admin should be there.
Comment 3 XiaochuanWang 2016-03-08 06:34:39 UTC 
"Quota Usage" could be described in IS on latest origin:
oc v1.1.3-500-g115660e
kubernetes v1.2.0-alpha.7-703-gbc4550d
Also build will be failed if quota exceed.