Bug 1758014

Summary: Users can modify container policies applied to builds (builder pods)
Product: OpenShift Container Platform
Reporter: Vadim Zharov <vzharov>
Component: Build
Assignee: Ricardo Maraschini <rmarasch>
Status: CLOSED WONTFIX
QA Contact: wewang <wewang>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.1.z
CC: aos-bugs, clasohm, pweil, rmarasch, rsawhill, scuppett, wzheng
Target Milestone: ---
Target Release: 4.3.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-10-28 09:24:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Vadim Zharov 2019-10-03 01:39:50 UTC
Description of problem:
Users can modify container policies applied to builds (builder pods): they can overwrite (define) their own security policies to pull images during builds, despite those defined by cluster administrators.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.1.18    True        False         3h26m   Cluster version is 4.1.18

How reproducible:
Always

Steps to Reproduce:
1. Configure a whitelist of allowed registries, without docker.io:
$ oc get images.config.openshift.io -o yaml
apiVersion: v1
items:
- apiVersion: config.openshift.io/v1
  kind: Image
  metadata:
    annotations:
      release.openshift.io/create-only: "true"
    name: cluster
  spec:
    allowedRegistriesForImport:
    - domainName: registry.redhat.io
      insecure: false
    - domainName: registry.access.redhat.com
      insecure: false
    - domainName: image-registry.openshift-image-registry.svc:5000
      insecure: false
    - domainName: quay.io
      insecure: false
    registrySources:
      allowedRegistries:
      - registry.redhat.io
      - registry.access.redhat.com
      - image-registry.openshift-image-registry.svc:5000
      - quay.io
  status:
    internalRegistryHostname: image-registry.openshift-image-registry.svc:5000


2. Create build, based on source image from docker.io
$ oc new-build --docker-image=docker.io/centos/nodejs-8-centos7 https://github.com/sclorg/nodejs-ex.git

Check for errors in output:
...
--> Creating resources with label build=nodejs-ex ...
    error: ImageStream.image.openshift.io "nodejs-8-centos7" is invalid: spec.tags[latest].from.name: Forbidden: registry "docker.io" not allowed by whitelist: "oregistry.redhat.io:443", "registry.access.redhat.com:443", "image-registry.openshift-image-registry.svc:5000", "quay.io"
    imagestream.image.openshift.io "nodejs-ex" created
    buildconfig.build.openshift.io "nodejs-ex" created
--> Failed

Check if buildconfig was created:
$ oc get buildconfigs
NAME        TYPE     FROM   LATEST
nodejs-ex   Source   Git    0

Check if you cannot start build:
$ oc start-build nodejs-ex
The ImageStreamTag "nodejs-8-centos7:latest" is invalid: from: Error resolving ImageStreamTag nodejs-8-centos7:latest in namespace vadim-test-02: imagestreams.image.openshift.io "nodejs-8-centos7" not found

3. Modify build config - change source from ImageStream to docker image:
$ oc edit bc nodejs-ex
....
  strategy:
    sourceStrategy:
      from:
        kind: DockerImage
        name: docker.io/centos/nodejs-8-centos7
......

4. Build will start and fail:
$ oc get builds
NAME          TYPE     FROM          STATUS                        STARTED              DURATION
nodejs-ex-1   Source   Git@e59fe75   Failed (GenericBuildFailed)   About a minute ago   34s

$ oc describe build nodejs-ex-1 | grep -A 4 'Log' 
Log Tail:	Caching blobs under "/var/cache/blobs".
		Warning: Pull failed, retrying in 5s ...
		Warning: Pull failed, retrying in 5s ...
		Warning: Pull failed, retrying in 5s ...
		error: build error: After retrying 2 times, Pull image sti...ker://centos/nodejs-8-centos7:latest is rejected by policy.

5. ConfigMap with policy.json created:
$ oc get cm
NAME                     DATA   AGE
nodejs-ex-1-ca           1      4m34s
nodejs-ex-1-sys-config   1      4m34s

6. Save the created config map to a file and change its content:
$ oc get cm nodejs-ex-1-sys-config -o yaml > policy-cm.yaml

Change name to nodejs-ex-2-sys-config, change default policy to "insecureAcceptAnything" and remove ownerReferences section:
$ cat policy-cm.yaml
apiVersion: v1
data:
  policy.json: '{"default":[{"type":"insecureAcceptAnything"}],"transports":{"atomic":{"image-registry.openshift-image-registry.svc:5000":[{"type":"insecureAcceptAnything"}],"quay.io":[{"type":"insecureAcceptAnything"}],"registry.access.redhat.com":[{"type":"insecureAcceptAnything"}],"registry.redhat.io":[{"type":"insecureAcceptAnything"}]},"docker":{"image-registry.openshift-image-registry.svc:5000":[{"type":"insecureAcceptAnything"}],"quay.io":[{"type":"insecureAcceptAnything"}],"registry.access.redhat.com":[{"type":"insecureAcceptAnything"}],"registry.redhat.io":[{"type":"insecureAcceptAnything"}]}}}'
kind: ConfigMap
metadata:
  name: nodejs-ex-2-sys-config
  namespace: vadim-test

7. Create ConfigMap based on the file:
$ oc create -f policy-cm.yaml
configmap/nodejs-ex-2-sys-config created
$ oc get cm
NAME                     DATA   AGE
nodejs-ex-1-ca           1      9m35s
nodejs-ex-1-sys-config   1      9m35s
nodejs-ex-2-sys-config   1      62s

8. Ensure there is only build #1, start new-build:
$ oc get builds
NAME          TYPE     FROM          STATUS                        STARTED          DURATION
nodejs-ex-1   Source   Git@e59fe75   Failed (GenericBuildFailed)   10 minutes ago   34s

$ oc start-build nodejs-ex
build.build.openshift.io/nodejs-ex-2 started

9. Build will be finished, because builder pod is using CM which was just created (nodejs-ex-2-sys-config):
$ oc get builds
NAME          TYPE     FROM          STATUS                        STARTED         DURATION
nodejs-ex-1   Source   Git@e59fe75   Failed (GenericBuildFailed)   8 minutes ago   34s
nodejs-ex-2   Source   Git@e59fe75   Complete                      5 minutes ago   2m11s

$ oc describe build nodejs-ex-2 | grep From
From Image:		DockerImage docker.io/centos/nodejs-8-centos7
  Type		Reason		Age	From							Message

$ oc get pod nodejs-ex-2-build -o jsonpath='{.spec.volumes}'
[map[hostPath:map[path:/var/lib/containers/cache type:] name:buildcachedir] map[name:buildworkdir emptyDir:map[]] map[secret:map[secretName:builder-dockercfg-chx8m defaultMode:384] name:builder-dockercfg-chx8m-push] map[name:builder-dockercfg-chx8m-pull secret:map[secretName:builder-dockercfg-chx8m defaultMode:384]] map[configMap:map[name:nodejs-ex-2-sys-config defaultMode:420] name:build-system-configs] map[configMap:map[name:nodejs-ex-2-ca items:[map[key:service-ca.crt path:certs.d/image-registry.openshift-image-registry.svc:5000/ca.crt]] defaultMode:420] name:build-ca-bundles] map[name:container-storage-root emptyDir:map[]] map[emptyDir:map[] name:build-blob-cache] map[name:builder-token-hmp4p secret:map[secretName:builder-token-hmp4p defaultMode:420]]]

10. The next build will fail because it will use the CM created by OpenShift:
$ oc start-build nodejs-ex
build.build.openshift.io/nodejs-ex-3 started

$ oc get builds
NAME          TYPE     FROM          STATUS                        STARTED          DURATION
nodejs-ex-1   Source   Git@e59fe75   Failed (GenericBuildFailed)   9 minutes ago    34s
nodejs-ex-2   Source   Git@e59fe75   Complete                      7 minutes ago    2m11s
nodejs-ex-3   Source   Git@e59fe75   Failed (OutOfMemoryKilled)    37 seconds ago   35s

$ oc describe build nodejs-ex-3 | grep -A 4 'Log' 
Log Tail:	Caching blobs under "/var/cache/blobs".
		Warning: Pull failed, retrying in 5s ...
		Warning: Pull failed, retrying in 5s ...
		Warning: Pull failed, retrying in 5s ...
		error: build error: After retrying 2 times, Pull image sti...ker://centos/nodejs-8-centos7:latest is rejected by policy.


Actual results:
Builds completed despite configured image policies.
Users can define their own container policies.

Expected results:
Builds fail; the pull from docker.io is rejected due to the configured image policy.


Additional info:
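As an added defender-side check (not part of the report or of OpenShift itself), the following script audits `<build>-sys-config` ConfigMaps for the pattern the report describes: a ConfigMap that carries no `ownerReferences` to a Build, or whose `policy.json` `default` rule is `insecureAcceptAnything`. The sample ConfigMaps are constructed from the report; the legitimate one is assumed to have a `reject` default, which the page implies but does not show.

```python
import json

# Constructed samples modelled on the report: the first resembles the
# ConfigMap the build controller creates (owned by its Build, default
# assumed to be "reject"); the second is the user-supplied copy with the
# ownerReferences removed and the default changed to insecureAcceptAnything.
SAMPLE_CONFIGMAPS = [
    {"metadata": {"name": "nodejs-ex-1-sys-config", "namespace": "vadim-test",
                  "ownerReferences": [{"kind": "Build", "name": "nodejs-ex-1"}]},
     "data": {"policy.json": json.dumps({
         "default": [{"type": "reject"}],
         "transports": {"docker": {"quay.io": [{"type": "insecureAcceptAnything"}]}}})}},
    {"metadata": {"name": "nodejs-ex-2-sys-config", "namespace": "vadim-test"},
     "data": {"policy.json": json.dumps({
         "default": [{"type": "insecureAcceptAnything"}], "transports": {}})}},
]


def audit_sys_config(cm):
    """Return findings for one ConfigMap; empty list means it looks legitimate."""
    findings = []
    meta = cm.get("metadata", {})
    if not meta.get("name", "").endswith("-sys-config"):
        return findings  # only build system-config ConfigMaps are of interest
    if not any(o.get("kind") == "Build" for o in meta.get("ownerReferences", [])):
        findings.append("no Build ownerReference: not created by the build controller")
    raw = cm.get("data", {}).get("policy.json")
    if raw is None:
        return findings + ["policy.json key missing"]
    try:
        policy = json.loads(raw)
    except json.JSONDecodeError:
        return findings + ["policy.json is not valid JSON"]
    if any(r.get("type") == "insecureAcceptAnything" for r in policy.get("default", [])):
        findings.append("default policy is insecureAcceptAnything: every registry accepted")
    return findings


def audit_all(configmaps):
    """Map ConfigMap name -> findings, for every ConfigMap with at least one."""
    return {cm["metadata"]["name"]: f
            for cm in configmaps if (f := audit_sys_config(cm))}


if __name__ == "__main__":
    # Feed real objects with e.g. `oc get cm -o json` and iterate over .items
    for name, findings in audit_all(SAMPLE_CONFIGMAPS).items():
        print(name, *("  - " + f for f in findings), sep="\n")
```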