Bug 1679602

Summary: admission plugins still seeing legacy resources
Product: OpenShift Container Platform Reporter: Ben Parees <bparees>
Component: ImageStreamsAssignee: Oleg Bulatov <obulatov>
Status: CLOSED ERRATA QA Contact: XiuJuan Wang <xiuwang>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.1.0CC: aos-bugs, jokerman, mfojtik, mmccomas, sponnaga, wzheng, xxia
Target Milestone: ---   
Target Release: 4.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-04 10:44:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ben Parees 2019-02-21 14:25:04 UTC 
Description of problem:
The image admission plugin is seeing build resources as being in the legacy group when a build object is created.


Version-Release number of selected component (if applicable):
4.0


How reproducible:
Always

Steps to Reproduce:
1.  Add debug to the image admission policy plugin to print out the group resources it sees:  https://github.com/openshift/origin/blob/128155db2ed199d6045aafcf5377fce4b8f57036/pkg/image/apiserver/admission/imagepolicy/imagepolicy.go#L234


2.  Create a build resource using group apis:

apiVersion: build.openshift.io/v1
kind: Build
metadata:
  name: testbuild2
spec:
  nodeSelector: null
  output:
    pushSecret:
      name: builder-dockercfg-qprbs
    to:
      kind: ImageStreamTag
      name: nodejs-ex:latest
  postCommit: {}
  resources: {}
  serviceAccount: builder
  source:
    git:
      uri: https://github.com/openshift/nodejs-ex
    type: Git
  strategy:
    sourceStrategy:
      from:
        kind: DockerImage
        name: invalid:tag
      pullSecret:
        name: builder-dockercfg-qprbs
    type: Source



3.  Look at the group resource observed by the admission plugin, it will be the legacy group, not build.openshift.io.


Actual results:
legacy group resource

Expected results:
groupified group resource
Comment 1 Ben Parees 2019-02-21 14:26:25 UTC 
some discussion here also:
https://github.com/openshift/origin/pull/21950#discussion_r258489717
Comment 2 Michal Fojtik 2019-03-12 13:33:36 UTC 
Fix: https://github.com/openshift/origin/pull/22297
Comment 9 Ben Parees 2019-03-27 21:35:11 UTC 
(Adam, if the admission plugin is ignore the build resource because it's still coming in as a legacy resource, not a group resource type, then you can send this back to the master team).
Comment 10 Oleg Bulatov 2019-04-01 13:27:53 UTC 
$ oc -n openshift-apiserver get pods -o name | while read -r pod; do oc -n openshift-apiserver logs "$pod"; done | grep "running image policy"
I0401 13:25:18.625784       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/
I0401 13:25:18.637421       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/
I0401 13:25:18.764608       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
I0401 13:25:18.764904       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
I0401 13:25:30.563070       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
I0401 13:25:30.564658       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
...
Comment 11 XiuJuan Wang 2019-04-02 08:28:29 UTC 
Verified this image with 4.0.0-0.nightly-2019-03-28-030453 build
$  oc -n openshift-apiserver get pods -o name | while read -r pod; do oc -n openshift-apiserver logs "$pod"; done | grep "running image policy"
I0402 08:26:13.181984       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/
I0402 08:26:13.191893       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/
I0402 08:26:13.369946       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ruby-hello-world-1
I0402 08:26:13.372087       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ruby-hello-world-1
I0402 08:26:13.380921       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ruby-hello-world-1
Comment 13 errata-xmlrpc 2019-06-04 10:44:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758