1. Proposed title of this feature request
Make imagestream tag immutable.

3. What is the nature and description of the request?
We are trying to make image stream tags immutable. A developer is:
- allowed to create imagestreams.
- allowed to create new imagestream tags (oc tag ns/is:oldtag ns/is:newtag)
- denied to update an imagestream tag (oc tag ns/is:othertag ns/is:newtag)
- denied to delete imagestreams
- denied to delete imagestream tags

We try to create a cluster role that reflects this. This is our design:

apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: devops
  resourceVersion: "2"
rules:
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams
  - imagestreamimages
  - imagestreammappings
  - imagestreamtags
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups: null
  attributeRestrictions: null
  resources:
  - buildconfigs
  - buildconfigs/instantiate
  - buildconfigs/instantiatebinary
  - buildconfigs/webhooks
  - buildlogs
  - builds
  - builds/clone
  - builds/custom
  - builds/docker
  - builds/log
  - builds/source
  - deploymentconfigrollbacks
  - deploymentconfigs
  - deploymentconfigs/log
  - deploymentconfigs/scale
  - deployments
  - endpoints
  - generatedeploymentconfigs
  - persistentvolumeclaims
  - pods
  - pods/attach
  - pods/exec
  - pods/log
  - pods/portforward
  - pods/proxy
  - processedtemplates
  - replicationcontrollers
  - routes
  - secrets
  - serviceaccounts
  - services
  - templateconfigs
  - templates
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  attributeRestrictions: null
  resources:
  - horizontalpodautoscalers
  - jobs
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups: null
  attributeRestrictions: null
  resources:
  - bindings
  - endpoints
  - events
  - imagestreams/status
  - limitranges
  - minions
  - namespaces
  - namespaces/status
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  - pods/log
  - pods/status
  - projects
  - replicationcontrollers
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - resourcequotausages
  - routes/status
  - securitycontextconstraints
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  verbs:
  - get
  - update

Unfortunately, developers now cannot create any new tags anymore. How can this concept be implemented correctly in OpenShift?

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
https://github.com/openshift/origin/pull/8497

10. List any affected packages or components.
api, cli.
https://github.com/openshift/origin/pull/8497 merged. This should now be possible by removing update, patch and delete on imagestreams and imagestreamtags. You can then tag by creating imagestreamtags. You may have to shut down imagestreamimports too.
(In reply to David Eads from comment #5)
> https://github.com/openshift/origin/pull/8497 merged. This should now be
> possible by removing update,patch,delete imagestreams,imagestreamtags . You
> can then tag by creating imagestreamtags. You may have to shutdown
> imagestreamimports too.

When I try to update an imagestreamtag, I always get:

# oc edit istag hello-openshift:latestt
A copy of your changes has been stored to "/tmp/oc-edit-hd29v.yaml"
error: unable to find api field in struct RawExtension for the json field "ContainerConfig"
(In reply to David Eads from comment #5)
> https://github.com/openshift/origin/pull/8497 merged. This should now be
> possible by removing update,patch,delete imagestreams,imagestreamtags . You
> can then tag by creating imagestreamtags. You may have to shutdown
> imagestreamimports too.

Checked with:

# openshift version
openshift v3.3.0.17
kubernetes v1.3.0+507d3a7
etcd 2.3.0+git

And when I try to update an imagestreamtag, I always get:

# oc edit istag hello-openshift:latestt
A copy of your changes has been stored to "/tmp/oc-edit-hd29v.yaml"
error: unable to find api field in struct RawExtension for the json field "ContainerConfig"
This change allows someone to create a role that prohibits a user from updating an istag or updating an imagestream. That doesn't happen out of the box. As a cluster-admin, you can `oc edit clusterrole/edit`. You can then remove the normal "imagestreams" and "imagestreamtags" permissions and create a new policy rule that allows get, list, watch, create, delete, deletecollection on those resources. After you do that, you can add an editor to a project and that user shouldn't be able to `oc tag` an istag that already exists.
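The rule shape described in the two comments above, written out as an added example (this is not a role from the bug report or from OpenShift's shipped roles; the role name "devops-immutable-tags" is an assumption, and the resource and verb names are the ones the reporter and the maintainer use). The weak rule is kept as a comment beside the corrected one so the difference is visible: with "update" and "patch" absent, `oc tag` against an existing tag is refused while `oc tag` to a new name still succeeds because that is a create on imagestreamtags; with "delete" absent, neither streams nor tags can be removed, which is what the original request asked for (the maintainer's variant additionally allows delete and deletecollection).

```yaml
# Added example, not part of the bug report: a ClusterRole that leaves
# existing imagestream tags immutable for a developer. The name below is an
# assumption; it follows the same apiVersion/rule layout the reporter posted.
apiVersion: v1
kind: ClusterRole
metadata:
  name: devops-immutable-tags
rules:
# Weak setting (roughly what the stock "edit" role grants on these resources):
# "update"/"patch" let a developer retarget an existing tag with
# "oc tag ns/is:othertag ns/is:existingtag", and "delete" removes streams/tags.
#
#   - resources: [imagestreams, imagestreamtags]
#     verbs: [create, delete, get, list, patch, update, watch]
#
# Corrected setting: creation is allowed (a new tag is a create on
# imagestreamtags after origin PR 8497), update/patch/delete are absent.
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams
  - imagestreamtags
  - imagestreamimages
  verbs:
  - create
  - get
  - list
  - watch
# Reading and pushing image layers goes through the layers subresource and
# does not change tag metadata, so the reporter's original rule can stay.
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  verbs:
  - get
  - update
# Intentionally absent: any "create" on imagestreamimports. An import can
# rewrite the tag specs of an imagestream, which is the "shut down
# imagestreamimports" caveat from comment 5. Also absent: "create" on
# imagestreammappings, which the reporter's role had; that is an assumption
# on my part (a registry push tags images via a mapping), not something the
# bug discusses, so add it back if pushes to the stream must keep working.
```

Bind the role with `oc adm policy add-role-to-user devops-immutable-tags <user> -n <project>`, then, logged in as that user, check that `oc tag ns/is:oldtag ns/is:newtag` succeeds while repeating it against the now-existing `newtag` is refused with a forbidden error; `oc policy can-i update imagestreamtags` should answer "no" for the same user.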
Checked with devenv-rhel7_4805, and now we can control whether a user can do specific operations on the imagestreams and imagestreamtags.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933