Bug 1362489

Summary: Make imagestream tag immutable. (https://github.com/openshift/origin/pull/8497)
Product: OpenShift Container Platform
Reporter: Miheer Salunke <misalunk>
Component: Image Registry
Assignee: David Eads <deads>
Status: CLOSED ERRATA
QA Contact: weiwei jiang <wjiang>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.2.0
CC: aos-bugs, ccoleman, deads, jokerman, mmccomas, tdawson, wsun
Target Milestone: ---
Keywords: NeedsTestCase
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-27 09:42:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Miheer Salunke 2016-08-02 11:03:45 UTC
1. Proposed title of this feature request
Make imagestream tag immutable.


3. What is the nature and description of the request?

We are trying to make image stream tags immutable.


A developer is:
- allowed to create imagestreams.
- allowed to create new imagestream tags (oc tag ns/is:oldtag ns/is:newtag)
- not allowed to update an existing imagestream tag (oc tag ns/is:othertag ns/is:newtag)
- not allowed to delete imagestreams
- not allowed to delete imagestream tags

We try to create a cluster role that reflects this. This is our design:

apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: devops
  resourceVersion: "2"
rules:
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams
  - imagestreamimages
  - imagestreammappings
  - imagestreamtags
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups: null
  attributeRestrictions: null
  resources:
  - buildconfigs
  - buildconfigs/instantiate
  - buildconfigs/instantiatebinary
  - buildconfigs/webhooks
  - buildlogs
  - builds
  - builds/clone
  - builds/custom
  - builds/docker
  - builds/log
  - builds/source
  - deploymentconfigrollbacks
  - deploymentconfigs
  - deploymentconfigs/log
  - deploymentconfigs/scale
  - deployments
  - endpoints
  - generatedeploymentconfigs
  - persistentvolumeclaims
  - pods
  - pods/attach
  - pods/exec
  - pods/log
  - pods/portforward
  - pods/proxy
  - processedtemplates
  - replicationcontrollers
  - routes
  - secrets
  - serviceaccounts
  - services
  - templateconfigs
  - templates
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  attributeRestrictions: null
  resources:
  - horizontalpodautoscalers
  - jobs
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups: null
  attributeRestrictions: null
  resources:
  - bindings
  - endpoints
  - events
  - imagestreams/status
  - limitranges
  - minions
  - namespaces
  - namespaces/status
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  - pods/log
  - pods/status
  - projects
  - replicationcontrollers
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - resourcequotausages
  - routes/status
  - securitycontextconstraints
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  verbs:
  - get
  - update

Unfortunately, developers now can't create any new tags anymore. How can this concept be implemented correctly in OpenShift?


7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
https://github.com/openshift/origin/pull/8497

10. List any affected packages or components.
api, cli.

Comment 5 David Eads 2016-08-05 12:08:52 UTC
https://github.com/openshift/origin/pull/8497 merged.  This should now be possible by removing update, patch, delete on imagestreams, imagestreamtags.  You can then tag by creating imagestreamtags.  You may have to shut down imagestreamimports too.

Comment 6 weiwei jiang 2016-08-10 08:23:39 UTC
(In reply to David Eads from comment #5)
> https://github.com/openshift/origin/pull/8497 merged.  This should now be
> possible by removing update,patch,delete imagestreams,imagestreamtags .  You
> can then tag by creating imagestreamtags.  You may have to shutdown
> imagestreamimports too.

When I try to update an imagestreamtag, always met

# oc edit istag hello-openshift:latestt
A copy of your changes has been stored to "/tmp/oc-edit-hd29v.yaml"
error: unable to find api field in struct RawExtension for the json field "ContainerConfig"

Comment 7 weiwei jiang 2016-08-10 08:24:40 UTC
(In reply to David Eads from comment #5)
> https://github.com/openshift/origin/pull/8497 merged.  This should now be
> possible by removing update,patch,delete imagestreams,imagestreamtags .  You
> can then tag by creating imagestreamtags.  You may have to shutdown
> imagestreamimports too.

Checked with 
# openshift version 
openshift v3.3.0.17
kubernetes v1.3.0+507d3a7
etcd 2.3.0+git

And when I try to update an imagestreamtag, always met

# oc edit istag hello-openshift:latestt
A copy of your changes has been stored to "/tmp/oc-edit-hd29v.yaml"
error: unable to find api field in struct RawExtension for the json field "ContainerConfig"

Comment 8 David Eads 2016-08-10 11:44:28 UTC
This change allows someone to create a role that prohibits a user from updating an istag or updating an imagestream.  That doesn't happen out of the box.

As a cluster-admin, you can `oc edit clusterrole/edit`.  You can then remove the normal "imagestreams" and "imagestreamtags" permissions and create a new policy rule that allows get, list, watch, create, delete, deletecollection on those resources.  After you do that, you can add an editor to a project and that user shouldn't be able to `oc tag` an istag that already exists.
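The policy rule that comment 8 describes, written out in the same OpenShift 3.x ClusterRole format as the reporter's "devops" role in the description, as an added example that is not part of the bug report or of the origin pull request. The resource and verb names are the ones on this page; the role name "immutable-istags" is made up for illustration. The commented-out rule shows the shape of the stock edit permissions being removed (update and patch are what let `oc tag` overwrite an existing istag), the live rule is the replacement from comment 8. The reporter's stricter requirement (no tag or imagestream deletion) is met by also dropping delete and deletecollection, and comment 5's remark about imagestreamimports means create on that resource should not be granted either, since an import can repoint an existing tag.

```yaml
# Added example, not the project's own role definition.
apiVersion: v1
kind: ClusterRole
metadata:
  name: immutable-istags        # hypothetical name for this example
rules:
# Before: the full-verb rule as granted by the stock edit role.
# update/patch on these resources allow an existing istag to be repointed,
# so this rule is removed when copying clusterrole/edit.
# - apiGroups: null
#   attributeRestrictions: null
#   resources:
#   - imagestreams
#   - imagestreamtags
#   verbs:
#   - create
#   - delete
#   - get
#   - list
#   - patch
#   - update
#   - watch
#
# After: the rule from comment 8. New tags are created as imagestreamtags
# (oc tag ns/is:old ns/is:new), but no verb here can change an existing one.
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams
  - imagestreamtags
  verbs:
  - get
  - list
  - watch
  - create
  - delete            # drop these two verbs for the reporter's variant,
  - deletecollection  # which also forbids deleting tags and imagestreams
# Read-only access to the remaining imagestream sub-resources is unaffected
# by the change; imagestreamimports is deliberately absent from this role
# (comment 5), since creating an import can overwrite a tag.
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreamimages
  - imagestreammappings
  verbs:
  - get
  - list
  - watch
```

Applied with `oc create -f` and bound to a project user in place of the edit role, the expected behaviour from comment 8 is that `oc tag` into a tag name that does not yet exist succeeds (it is a create of an imagestreamtag), while `oc tag` onto an existing tag is rejected by authorization rather than silently repointing it.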

Comment 9 weiwei jiang 2016-08-11 10:06:20 UTC
Checked with devenv-rhel7_4805, and now we can control whether a user can perform specific operations on imagestreams and imagestreamtags.

Comment 11 errata-xmlrpc 2016-09-27 09:42:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933