Bug 1746149
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | oc tag not generating error for insufficient permissions. | | |
| Product | OpenShift Container Platform | Reporter | coberry |
| Component | ImageStreams | Assignee | Oleg Bulatov <obulatov> |
| Status | CLOSED ERRATA | QA Contact | XiuJuan Wang <xiuwang> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | CC | adam.kaplan, alec, aos-bugs, jokerman, rbost, steven.barre, wzheng |
| Version | 3.11.0 | Target Milestone | --- |
| Target Release | 4.4.0 | Hardware | Unspecified |
| OS | Unspecified | Whiteboard | |
| Fixed In Version | | Doc Type | Bug Fix |
| Story Points | --- | Clone Of | |
| Environment | | Last Closed | 2020-05-04 11:13:08 UTC |
| Type | Bug | Regression | --- |
| Mount Type | --- | Documentation | --- |
| CRM | | Verified Versions | |
| Category | --- | oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | | Cloudforms Team | --- |
| Target Upstream Version | | Embargoed | |

Doc Text:
Cause: oc tag didn't update imagestreams when imagestreamtags are inaccessible.
Consequence: oc tag says that the new tag is created, but it isn't.
Fix: update imagestream
Result: oc tag really creates the tag even if there are no permissions for imagestreamtag api.
Description
coberry
2019-08-27 18:47:23 UTC
Could reproduce this bug following the steps in comment #0 in 4.4.0-0.nightly-2020-02-17-192940 cluster.

```
$ oc version
Client Version: 4.4.0-0.nightly-2020-02-18-005549
Kubernetes Version: v1.17.1
$ oc tag test-img:latest test-img:v1
Tag test-img:v1 set to test-img@sha256:d3c2bbd140aa9613cb6cd737adaa4c66be451569fc10180d2d44ee34625b53d1.
$ oc --loglevel=10 tag test-img:latest test-img:v1
I0218 13:52:24.115847 10533 request.go:1017] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"imagestreamtags.image.openshift.io \"test-img:v1\" is forbidden: User \"system:serviceaccount:imgtest:tag-bug-sa\" cannot update resource \"imagestreamtags\" in API group \"image.openshift.io\" in the namespace \"imgtest\"","reason":"Forbidden","details":{"name":"test-img:v1","group":"image.openshift.io","kind":"imagestreamtags"},"code":403}
```

That's OK to have this error in the log. When you don't have permissions to use imagestreamtags, oc should fall back to imagestreams. To verify this BZ, you should see two tags in the image stream after the last command.

Check oc client 4.4.0-0.nightly-2020-02-18-164016 with 4.4.0-0.nightly-2020-02-18-164016 server

```
$oc whoami
system:serviceaccount:imgtest:tag-bug-sa
$oc tag test-img:latest test-img:v1
Tag test-img:v1 set to test-img@sha256:d3c2bbd140aa9613cb6cd737adaa4c66be451569fc10180d2d44ee34625b53d1.
$oc get istag
NAME              IMAGE REFERENCE                                                                                            UPDATED
test-img:latest   registry.access.redhat.com/rhel7@sha256:d3c2bbd140aa9613cb6cd737adaa4c66be451569fc10180d2d44ee34625b53d1   5 minutes ago
test-img:v1       registry.access.redhat.com/rhel7@sha256:d3c2bbd140aa9613cb6cd737adaa4c66be451569fc10180d2d44ee34625b53d1   7 seconds ago
```

Thanks for the explanation, Oleg. I could see two imagestreamtags in the last cmd, and I saw the details in the cmd log: after istag getting forbidden, api switches to check the imagestreams.
http://pastebin.test.redhat.com/837206

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:0581
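The fallback described in the comments above, as an added Go sketch that is not oc's source code: `FakeAPI`, `ErrForbidden` and `TagWithFallback` are hypothetical names, and an in-memory map stands in for one image stream's tags. It also covers the case where both resources are forbidden, where the error must reach the user instead of a success message.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden stands in for the 403 "Forbidden" Status seen in the log above.
var ErrForbidden = errors.New("forbidden")

// FakeAPI is a constructed in-memory stand-in for the image API (hypothetical).
type FakeAPI struct {
	CanUpdateISTag bool              // RBAC: update on imagestreamtags
	CanUpdateIS    bool              // RBAC: update on imagestreams
	Tags           map[string]string // tag -> image reference of one image stream
}

func (a *FakeAPI) write(allowed bool, tag, ref string) error {
	if !allowed {
		return ErrForbidden
	}
	a.Tags[tag] = ref
	return nil
}

func (a *FakeAPI) UpdateImageStreamTag(tag, ref string) error {
	return a.write(a.CanUpdateISTag, tag, ref)
}
func (a *FakeAPI) UpdateImageStream(tag, ref string) error {
	return a.write(a.CanUpdateIS, tag, ref)
}

// TagWithFallback tries imagestreamtags first and retries through imagestreams
// only when that call is forbidden. Any remaining error is returned, so the
// caller never reports a tag as set when nothing was written.
func TagWithFallback(a *FakeAPI, tag, ref string) error {
	err := a.UpdateImageStreamTag(tag, ref)
	if errors.Is(err, ErrForbidden) {
		err = a.UpdateImageStream(tag, ref)
	}
	if err != nil {
		return fmt.Errorf("tag %q not set: %w", tag, err)
	}
	return nil
}

func main() {
	api := &FakeAPI{CanUpdateIS: true, Tags: map[string]string{"latest": "test-img@sha256:<digest>"}}
	fmt.Println(TagWithFallback(api, "v1", api.Tags["latest"]), len(api.Tags))
}
```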