Bug 1362489 - Make imagestream tag immutable.(https://github.com/openshift/origin/pull/8497)
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: David Eads
QA Contact: weiwei jiang
Keywords: NeedsTestCase
Depends On:
Blocks:
Reported: 2016-08-02 07:03 EDT by Miheer Salunke
Modified: 2016-10-30 18:55 EDT (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-27 05:42:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1933 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.3 Release Advisory 2016-09-27 09:24:36 EDT

Description Miheer Salunke 2016-08-02 07:03:45 EDT
1. Proposed title of this feature request  
Make imagestream tag immutable.


3. What is the nature and description of the request?  

We are trying to make image stream tags immutable.


A developer is
- allowed to create imagestreams.
- allowed to create new imagestream tags (oc tag ns/is:oldtag ns/is:newtag)
- denied to update imagestream tag (oc tag ns/is:othertag ns/is:newtag)
- denied to delete imagestream
- denied to delete imagestream tags

We try to create a cluster role that reflects this. This is our design:

apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: devops
  resourceVersion: "2"
rules:
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams
  - imagestreamimages
  - imagestreammappings
  - imagestreamtags
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups: null
  attributeRestrictions: null
  resources:
  - buildconfigs
  - buildconfigs/instantiate
  - buildconfigs/instantiatebinary
  - buildconfigs/webhooks
  - buildlogs
  - builds
  - builds/clone
  - builds/custom
  - builds/docker
  - builds/log
  - builds/source
  - deploymentconfigrollbacks
  - deploymentconfigs
  - deploymentconfigs/log
  - deploymentconfigs/scale
  - deployments
  - endpoints
  - generatedeploymentconfigs
  - persistentvolumeclaims
  - pods
  - pods/attach
  - pods/exec
  - pods/log
  - pods/portforward
  - pods/proxy
  - processedtemplates
  - replicationcontrollers
  - routes
  - secrets
  - serviceaccounts
  - services
  - templateconfigs
  - templates
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  attributeRestrictions: null
  resources:
  - horizontalpodautoscalers
  - jobs
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups: null
  attributeRestrictions: null
  resources:
  - bindings
  - endpoints
  - events
  - imagestreams/status
  - limitranges
  - minions
  - namespaces
  - namespaces/status
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  - pods/log
  - pods/status
  - projects
  - replicationcontrollers
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - resourcequotausages
  - routes/status
  - securitycontextconstraints
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  verbs:
  - get
  - update

Unfortunately, developers can now create any new tags anymore. How can this concept be depicted correctly, technically, in OpenShift?


7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
https://github.com/openshift/origin/pull/8497
    
10. List any affected packages or components.
api, cli.
Comment 5 David Eads 2016-08-05 08:08:52 EDT
https://github.com/openshift/origin/pull/8497 merged.  This should now be possible by removing update,patch,delete imagestreams,imagestreamtags .  You can then tag by creating imagestreamtags.  You may have to shutdown imagestreamimports too.
Comment 6 weiwei jiang 2016-08-10 04:23:39 EDT
(In reply to David Eads from comment #5)
> https://github.com/openshift/origin/pull/8497 merged.  This should now be
> possible by removing update,patch,delete imagestreams,imagestreamtags .  You
> can then tag by creating imagestreamtags.  You may have to shutdown
> imagestreamimports too.

When I try to update an imagestreamtag, always met

# oc edit istag hello-openshift:latestt
A copy of your changes has been stored to "/tmp/oc-edit-hd29v.yaml"
error: unable to find api field in struct RawExtension for the json field "ContainerConfig"
Comment 7 weiwei jiang 2016-08-10 04:24:40 EDT
(In reply to David Eads from comment #5)
> https://github.com/openshift/origin/pull/8497 merged.  This should now be
> possible by removing update,patch,delete imagestreams,imagestreamtags .  You
> can then tag by creating imagestreamtags.  You may have to shutdown
> imagestreamimports too.

Checked with 
# openshift version 
openshift v3.3.0.17
kubernetes v1.3.0+507d3a7
etcd 2.3.0+git

And when I try to update an imagestreamtag, always met

# oc edit istag hello-openshift:latestt
A copy of your changes has been stored to "/tmp/oc-edit-hd29v.yaml"
error: unable to find api field in struct RawExtension for the json field "ContainerConfig"
Comment 8 David Eads 2016-08-10 07:44:28 EDT
This change allows someone to create a role that prohibits a user from updating an istag or updating an imagestream.  That doesn't happen out of the box.

As a cluster-admin, you can `oc edit clusterrole/edit`.  You can then remove the normal, "imagestreams" and "imagestreamtags" permissions and create a new policy rule that allows get, list, watch, create, delete, deletecollection on those resources.  After you do that, you can add an editor to a project and that user shouldn't be able to `oc tag` an istag that already exists.
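The role edit described in this comment is easy to get wrong by hand, because the default `edit` role spreads imagestream permissions across several rules and a single leftover `update` or `patch` verb (or a `*` wildcard) silently re-enables tag overwrites. The following audit script is an added example and not code from OpenShift, the reporter, or this bug: it takes a role definition (a constructed dict shaped like a ClusterRole, not the real `edit` role), reports every rule that still grants a mutating verb on `imagestreams`, `imagestreamtags` or `imagestreammappings`, and produces a hardened copy in which those verbs are stripped from the tag resources while other resources in the same rule keep their verbs. The resource and verb sets, and the function names, are the example's own assumptions.

```python
"""Audit a ClusterRole for imagestream-tag mutability (added example)."""
from typing import Dict, List, Set

# Verbs that let a subject overwrite or remove an existing tag.
MUTATING_VERBS: Set[str] = {"update", "patch", "delete", "deletecollection"}

# Resources through which an imagestream tag can be rewritten (assumption:
# these three are the ones worth gating for "immutable tags").
TAG_RESOURCES: Set[str] = {"imagestreams", "imagestreamtags", "imagestreammappings"}

# Constructed sample role, shaped like the default "edit" role but not copied
# from it: rule 0 mixes a read-only resource with tag resources and grants
# update/patch/delete, which is exactly the leftover the comment warns about.
SAMPLE_ROLE: Dict = {
    "apiVersion": "v1",
    "kind": "ClusterRole",
    "metadata": {"name": "devops-sample"},
    "rules": [
        {"apiGroups": None,
         "resources": ["imagestreamimages", "imagestreams", "imagestreamtags"],
         "verbs": ["create", "get", "list", "watch", "update", "patch", "delete"]},
        {"apiGroups": None,
         "resources": ["builds", "buildconfigs", "deploymentconfigs"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": None,
         "resources": ["imagestreams/layers"],
         "verbs": ["get", "update"]},
    ],
}


def _expand(values, universe: Set[str]) -> Set[str]:
    """A '*' entry in a verbs/resources list means every value in the universe."""
    vals = set(values or [])
    return (set(universe) | vals) if "*" in vals else vals


def find_mutating_rules(role: Dict) -> List[Dict]:
    """Return every rule that grants a mutating verb on a tag-bearing resource."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        resources = _expand(rule.get("resources"), TAG_RESOURCES) & TAG_RESOURCES
        verbs = _expand(rule.get("verbs"), MUTATING_VERBS) & MUTATING_VERBS
        if resources and verbs:
            findings.append({"rule": idx,
                             "resources": sorted(resources),
                             "verbs": sorted(verbs)})
    return findings


def tags_are_immutable(role: Dict) -> bool:
    """True when no rule lets the subject overwrite or remove an existing tag."""
    return not find_mutating_rules(role)


def harden(role: Dict) -> Dict:
    """Return a copy of the role with mutating verbs removed from tag resources.

    A rule that mixes tag resources with other resources is split in two so the
    other resources keep their original verbs. Wildcard rules cannot be rewritten
    safely by a script, so they are rejected for a human to fix.
    """
    hardened = {k: v for k, v in role.items() if k != "rules"}
    hardened["rules"] = []
    for idx, rule in enumerate(role.get("rules", [])):
        resources = list(rule.get("resources") or [])
        verbs = list(rule.get("verbs") or [])
        touched = set(resources) & TAG_RESOURCES
        if "*" in resources or ("*" in verbs and touched):
            raise ValueError(f"rule {idx} uses a wildcard; rewrite it by hand")
        if not touched or not (set(verbs) & MUTATING_VERBS):
            hardened["rules"].append(rule)
            continue
        others = [r for r in resources if r not in TAG_RESOURCES]
        if others:
            hardened["rules"].append({**rule, "resources": others})
        safe_verbs = [v for v in verbs if v not in MUTATING_VERBS]
        if safe_verbs:
            hardened["rules"].append({**rule, "resources": sorted(touched),
                                      "verbs": safe_verbs})
    return hardened


if __name__ == "__main__":
    for f in find_mutating_rules(SAMPLE_ROLE):
        print(f"rule {f['rule']}: {f['verbs']} on {f['resources']}")
    print("immutable after hardening:", tags_are_immutable(harden(SAMPLE_ROLE)))
```

To run it against a live role, dump it with `oc get clusterrole/edit -o yaml` and load the file with PyYAML before passing it to `find_mutating_rules`; `imagestreams/layers` is deliberately left alone, since that subresource governs registry pushes rather than tag records, and whether to keep `delete` on tag resources (as the comment above does) or drop it too (as the reporter asked) is a policy choice you make by editing `MUTATING_VERBS`.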
Comment 9 weiwei jiang 2016-08-11 06:06:20 EDT
Checked with devenv-rhel7_4805, and now we can control whether a user can do specific operations on the imagestreams and imagestreamtags.
Comment 11 errata-xmlrpc 2016-09-27 05:42:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933