Bug 1713389

| Summary: | Cannot block registries to deploy pods if using whitelist for image policy (registrySources / allowedRegistries) | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Vadim Zharov <vzharov> |
| Component: | Containers | Assignee: | Urvashi Mohnani <umohnani> |
| Status: | CLOSED ERRATA | QA Contact: | weiwei jiang <wjiang> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.1.0 | CC: | aos-bugs, bparees, clasohm, dwalsh, eparis, gblomqui, jialiu, jokerman, mmccomas, mpatel, pweil, wzheng, xtian |
| Target Milestone: | --- | | |
| Target Release: | 4.2.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-10-16 06:29:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Vadim Zharov
2019-05-23 14:21:15 UTC
Made mistake - Actual result - pod was started

ContainerRuntimeConfig doesn't support allow registries; it only supports blocking registries today. We will add this in the next release. PR is currently open at https://github.com/openshift/machine-config-operator/pull/803. I plan to go through the comments and get it patched up and merged in this week.

https://github.com/openshift/machine-config-operator/pull/803 got in. Should be available for testing by tomorrow.

// AllowedRegistries scenario:

```
➜ ~ oc get images.config.openshift.io -o yaml
apiVersion: v1
items:
- apiVersion: config.openshift.io/v1
  kind: Image
  metadata:
    annotations:
      release.openshift.io/create-only: "true"
    creationTimestamp: "2019-09-11T07:09:19Z"
    generation: 2
    name: cluster
    resourceVersion: "17064"
    selfLink: /apis/config.openshift.io/v1/images/cluster
    uid: 12ee94d8-d463-11e9-9344-02dc5ed3e938
  spec:
    registrySources:
      allowedRegistries:
      - brewregistry.stage.redhat.io
      - cloud.openshift.com
      - registry.access.redhat.com
      - quay.io
      - registry.connect.redhat.com
      - registry.redhat.io
      - registry.svc.ci.openshift.org
```

```
➜ ~ oc describe pods h-1-mrrrw
Name:               h-1-mrrrw
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               ip-10-0-137-72.us-east-2.compute.internal/10.0.137.72
Start Time:         Wed, 11 Sep 2019 16:33:29 +0800
Labels:             deployment=h-1
                    deploymentconfig=h
                    run=h
Annotations:        openshift.io/deployment-config.latest-version: 1
                    openshift.io/deployment-config.name: h
                    openshift.io/deployment.name: h-1
Status:             Pending
IP:                 10.128.2.35
Controlled By:      ReplicationController/h-1
Containers:
  h:
    Container ID:
    Image:          docker.io/openshift/hello-openshift
    Image ID:
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ErrImagePull
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-w2vdb (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  default-token-w2vdb:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-w2vdb
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age   From                                                Message
  ----     ------     ----  ----                                                -------
  Normal   Scheduled  12s   default-scheduler                                   Successfully assigned default/h-1-mrrrw to ip-10-0-137-72.us-east-2.compute.internal
  Normal   Pulling    10s   kubelet, ip-10-0-137-72.us-east-2.compute.internal  Pulling image "docker.io/openshift/hello-openshift"
  Warning  Failed     9s    kubelet, ip-10-0-137-72.us-east-2.compute.internal  Failed to pull image "docker.io/openshift/hello-openshift": rpc error: code = Unknown desc = Source image rejected: Running image docker://openshift/hello-openshift:latest is rejected by policy.
  Warning  Failed     9s    kubelet, ip-10-0-137-72.us-east-2.compute.internal  Error: ErrImagePull
  Normal   BackOff    8s    kubelet, ip-10-0-137-72.us-east-2.compute.internal  Back-off pulling image "docker.io/openshift/hello-openshift"
  Warning  Failed     8s    kubelet, ip-10-0-137-72.us-east-2.compute.internal  Error: ImagePullBackOff
```

// BlockedRegistries scenario:

```
➜ ~ oc get images.config.openshift.io -o yaml
apiVersion: v1
items:
- apiVersion: config.openshift.io/v1
  kind: Image
  metadata:
    annotations:
      release.openshift.io/create-only: "true"
    creationTimestamp: "2019-09-11T07:09:19Z"
    generation: 3
    name: cluster
    resourceVersion: "38942"
    selfLink: /apis/config.openshift.io/v1/images/cluster
    uid: 12ee94d8-d463-11e9-9344-02dc5ed3e938
  spec:
    registrySources:
      blockedRegistries:
      - docker.io
```

```
➜ ~ oc describe pods h-1-fslbs
Name:               h-1-fslbs
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               ip-10-0-150-250.us-east-2.compute.internal/10.0.150.250
Start Time:         Wed, 11 Sep 2019 17:26:42 +0800
Labels:             deployment=h-1
                    deploymentconfig=h
                    run=h
Annotations:        openshift.io/deployment-config.latest-version: 1
                    openshift.io/deployment-config.name: h
                    openshift.io/deployment.name: h-1
Status:             Pending
IP:                 10.131.0.50
Controlled By:      ReplicationController/h-1
Containers:
  h:
    Container ID:
    Image:          docker.io/openshift/hello-openshift
    Image ID:
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImageInspectError
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-w2vdb (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  default-token-w2vdb:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-w2vdb
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason         Age              From                                                 Message
  ----     ------         ----             ----                                                 -------
  Normal   Scheduled      8s               default-scheduler                                    Successfully assigned default/h-1-fslbs to ip-10-0-150-250.us-east-2.compute.internal
  Warning  InspectFailed  5s (x2 over 6s)  kubelet, ip-10-0-150-250.us-east-2.compute.internal  Failed to inspect image "docker.io/openshift/hello-openshift": rpc error: code = Unknown desc = cannot use "docker.io/openshift/hello-openshift:latest" because it's blocked
  Warning  Failed         5s (x2 over 6s)  kubelet, ip-10-0-150-250.us-east-2.compute.internal  Error: ImageInspectError
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922
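The two verification runs above show the intended semantics of `spec.registrySources`: with `allowedRegistries` set, a pod whose image lives on any registry not in the list must fail to pull (the original bug was that it started anyway), and with `blockedRegistries` set, an image from a listed registry must be refused. The following Go program is an added example, not code from the machine-config-operator or from this bug; it models that decision as a small, fail-closed policy check so the behaviour can be reasoned about and tested offline. It assumes a simplified model: the registry of an image reference is its first path component when that component looks like a host (contains `.` or `:`, or is `localhost`), otherwise `docker.io`, matching how container tooling defaults unqualified names; matching against the lists is an exact, case-insensitive host comparison; `blockedRegistries` is evaluated before `allowedRegistries`. The `RegistrySources`, `Evaluate`, and `registryOf` names and the sample references are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// RegistrySources mirrors the shape of spec.registrySources in the
// images.config.openshift.io/cluster object shown in the bug.
// (Constructed type for this example; not the operator's own API type.)
type RegistrySources struct {
	AllowedRegistries []string
	BlockedRegistries []string
}

// Decision is the outcome of the policy check together with a reason
// suitable for an event message or audit log.
type Decision struct {
	Allowed bool
	Reason  string
}

// registryOf extracts the registry host from an image reference.
// Assumption (simplified model): the first path component is the registry
// only if it looks like a host; otherwise the image is on docker.io.
// "openshift/hello-openshift", "hello-openshift:latest"  -> docker.io
// "quay.io/openshift/origin-cli:latest"                   -> quay.io
// "localhost:5000/team/app@sha256:..."                    -> localhost:5000
func registryOf(ref string) string {
	// The kubelet event quotes the reference with a transport prefix;
	// strip it so both forms resolve the same way.
	ref = strings.TrimPrefix(ref, "docker://")
	i := strings.Index(ref, "/")
	if i < 0 {
		return "docker.io" // no path separator: a Docker Hub library image
	}
	first := ref[:i]
	if first == "localhost" || strings.ContainsAny(first, ".:") {
		return strings.ToLower(first)
	}
	return "docker.io"
}

func contains(list []string, host string) bool {
	for _, entry := range list {
		if strings.EqualFold(entry, host) {
			return true
		}
	}
	return false
}

// Evaluate applies the policy: a blocked registry is always refused, and
// when an allow list is present only listed registries may be used.
// The allow list is fail-closed, which is the behaviour the bug asked for.
func Evaluate(src RegistrySources, ref string) Decision {
	reg := registryOf(ref)
	if contains(src.BlockedRegistries, reg) {
		return Decision{false, fmt.Sprintf("registry %q is in blockedRegistries", reg)}
	}
	if len(src.AllowedRegistries) > 0 {
		if contains(src.AllowedRegistries, reg) {
			return Decision{true, fmt.Sprintf("registry %q is in allowedRegistries", reg)}
		}
		return Decision{false, fmt.Sprintf("registry %q is not in allowedRegistries", reg)}
	}
	return Decision{true, fmt.Sprintf("no allowedRegistries configured and %q is not blocked", reg)}
}

func main() {
	// Scenario 1: allow list, as in the first verification run.
	allowOnly := RegistrySources{AllowedRegistries: []string{
		"registry.access.redhat.com", "quay.io", "registry.redhat.io",
	}}
	// Scenario 2: deny list, as in the second verification run.
	blockHub := RegistrySources{BlockedRegistries: []string{"docker.io"}}

	// Constructed sample references for this example.
	refs := []string{
		"docker.io/openshift/hello-openshift",
		"docker://openshift/hello-openshift:latest",
		"quay.io/openshift/origin-cli:latest",
		"localhost:5000/team/app",
	}
	for _, ref := range refs {
		fmt.Printf("allowedRegistries  %-45s allowed=%-5v %s\n", ref, Evaluate(allowOnly, ref).Allowed, Evaluate(allowOnly, ref).Reason)
		fmt.Printf("blockedRegistries  %-45s allowed=%-5v %s\n", ref, Evaluate(blockHub, ref).Allowed, Evaluate(blockHub, ref).Reason)
	}
}
```

Note the ordering choice: the block list is consulted first so that a registry appearing in both lists is refused, and an empty allow list means "no allow restriction" rather than "allow nothing", which is what lets a cluster configure only `blockedRegistries` as in the second run.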