Bug 1362489 - Make imagestream tag immutable.(https://github.com/openshift/origin/pull/8497)
Summary: Make imagestream tag immutable.(https://github.com/openshift/origin/pull/8497)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: David Eads
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-02 11:03 UTC by Miheer Salunke
Modified: 2016-10-30 22:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-27 09:42:14 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1933 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.3 Release Advisory 2016-09-27 13:24:36 UTC

Description Miheer Salunke 2016-08-02 11:03:45 UTC
1. Proposed title of this feature request  
Make imagestream tag immutable.


3. What is the nature and description of the request?  

We are trying to make image stream tags immutable.


A developer is
- allowed to create imagestreams.
- allowed to create new imagestream tags (oc tag ns/is:oldtag ns/is:newtag)
- not allowed to update an imagestream tag (oc tag ns/is:othertag ns/is:newtag)
- not allowed to delete imagestreams
- not allowed to delete imagestream tags

We try to create a cluster role that reflects this. This is our design:

apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: devops
  resourceVersion: "2"
rules:
# Image resources: create and read only. No update, patch or delete, so an
# existing tag can neither be overwritten nor removed.
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams
  - imagestreamimages
  - imagestreammappings
  - imagestreamtags
  verbs:
  - create
  - get
  - list
  - watch
# Everything else a developer works with, with full write access.
- apiGroups: null
  attributeRestrictions: null
  resources:
  - buildconfigs
  - buildconfigs/instantiate
  - buildconfigs/instantiatebinary
  - buildconfigs/webhooks
  - buildlogs
  - builds
  - builds/clone
  - builds/custom
  - builds/docker
  - builds/log
  - builds/source
  - deploymentconfigrollbacks
  - deploymentconfigs
  - deploymentconfigs/log
  - deploymentconfigs/scale
  - deployments
  - endpoints
  - generatedeploymentconfigs
  - persistentvolumeclaims
  - pods
  - pods/attach
  - pods/exec
  - pods/log
  - pods/portforward
  - pods/proxy
  - processedtemplates
  - replicationcontrollers
  - routes
  - secrets
  - serviceaccounts
  - services
  - templateconfigs
  - templates
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# Resources in the extensions API group, full write access.
- apiGroups:
  - extensions
  attributeRestrictions: null
  resources:
  - horizontalpodautoscalers
  - jobs
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# Read-only view of project and cluster state (imagestreams/status included).
- apiGroups: null
  attributeRestrictions: null
  resources:
  - bindings
  - endpoints
  - events
  - imagestreams/status
  - limitranges
  - minions
  - namespaces
  - namespaces/status
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  - pods/log
  - pods/status
  - projects
  - replicationcontrollers
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - resourcequotausages
  - routes/status
  - securitycontextconstraints
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
# imagestreams/layers: get is checked on pull from and update on push to the
# integrated registry.
- apiGroups: null
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  verbs:
  - get
  - update

Unfortunately, developers cannot create any new tags any more. How do we express this concept correctly, technically, in OpenShift?


7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
https://github.com/openshift/origin/pull/8497
    
10. List any affected packages or components.
api, cli.

Comment 5 David Eads 2016-08-05 12:08:52 UTC
https://github.com/openshift/origin/pull/8497 merged.  This should now be possible by removing update, patch and delete on imagestreams and imagestreamtags.  You can then tag by creating imagestreamtags.  You may have to shut down imagestreamimports too.

Comment 6 weiwei jiang 2016-08-10 08:23:39 UTC
(In reply to David Eads from comment #5)
> https://github.com/openshift/origin/pull/8497 merged.  This should now be
> possible by removing update,patch,delete imagestreams,imagestreamtags .  You
> can then tag by creating imagestreamtags.  You may have to shutdown
> imagestreamimports too.

When I try to update an imagestreamtag, I always get:

# oc edit istag hello-openshift:latestt
A copy of your changes has been stored to "/tmp/oc-edit-hd29v.yaml"
error: unable to find api field in struct RawExtension for the json field "ContainerConfig"

Comment 7 weiwei jiang 2016-08-10 08:24:40 UTC
(In reply to David Eads from comment #5)
> https://github.com/openshift/origin/pull/8497 merged.  This should now be
> possible by removing update,patch,delete imagestreams,imagestreamtags .  You
> can then tag by creating imagestreamtags.  You may have to shutdown
> imagestreamimports too.

Checked with 
# openshift version 
openshift v3.3.0.17
kubernetes v1.3.0+507d3a7
etcd 2.3.0+git

And when I try to update an imagestreamtag, I always get:

# oc edit istag hello-openshift:latestt
A copy of your changes has been stored to "/tmp/oc-edit-hd29v.yaml"
error: unable to find api field in struct RawExtension for the json field "ContainerConfig"

Comment 8 David Eads 2016-08-10 11:44:28 UTC
This change allows someone to create a role that prohibits a user from updating an istag or updating an imagestream.  That doesn't happen out of the box.

As a cluster-admin, you can `oc edit clusterrole/edit`.  You can then remove the normal, "imagestreams" and "imagestreamtags" permissions and create a new policy rule that allows get, list, watch, create, delete, deletecollection on those resources.  After you do that, you can add an editor to a project and that user shouldn't be able to `oc tag` an istag that already exists.

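The permission matrix in the description and the role-editing procedure in comment 8 both come down to one question: for a given ClusterRole, which verbs does a project member get on imagestreams and imagestreamtags, and do they match what "immutable tag" is supposed to mean? The script below is an added example, not code from this bug report or from OpenShift. It condenses the image-related rules of the posted `devops` role into the JSON shape that `oc get clusterrole devops -o json` returns (the other rules do not name imagestream resources, so they are left out), adds a second role built from the rule comment 8 proposes, and checks both against the requester's matrix. The mapping of operations to verbs is an assumption taken from comments 5 and 8: `oc tag` to a new tag is a create on imagestreamtags, `oc tag` onto an existing tag is an update, and `oc import-image` is a create on imagestreamimports. The sample roles and the matrix are constructed here; there is no cluster access involved.

```python
"""Check an OpenShift ClusterRole against a required (resource, verb) matrix.

Added example, not part of the bug report or of OpenShift. Assumption: verb
mapping of oc tag / oc import-image as described in comments 5 and 8.
"""
import json

# Constructed input: the image-related rules of the `devops` role from the
# description.  `apiGroups: null` in the posted YAML means the core group.
DEVOPS_ROLE_JSON = """
{
  "kind": "ClusterRole",
  "metadata": {"name": "devops"},
  "rules": [
    {"apiGroups": null,
     "resources": ["imagestreams", "imagestreamimages",
                   "imagestreammappings", "imagestreamtags"],
     "verbs": ["create", "get", "list", "watch"]},
    {"apiGroups": null,
     "resources": ["imagestreams/status"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": null,
     "resources": ["imagestreams/layers"],
     "verbs": ["get", "update"]}
  ]
}
"""

# Constructed input: a role carrying only the rule comment 8 proposes.
COMMENT8_ROLE_JSON = """
{
  "kind": "ClusterRole",
  "metadata": {"name": "edit-immutable-tags"},
  "rules": [
    {"apiGroups": null,
     "resources": ["imagestreams", "imagestreamtags"],
     "verbs": ["get", "list", "watch", "create", "delete", "deletecollection"]}
  ]
}
"""

# Requirement matrix from the description, plus the imagestreamimports row
# comment 5 warns about.  Tuples: (resource, verb, expected_allowed).
REQUIREMENTS = [
    ("imagestreams", "create", True),         # create imagestreams
    ("imagestreamtags", "create", True),      # oc tag ns/is:old ns/is:new
    ("imagestreamtags", "update", False),     # oc tag onto an existing tag
    ("imagestreamtags", "patch", False),      # same effect via patch
    ("imagestreams", "update", False),        # re-tag via the imagestream spec
    ("imagestreams", "patch", False),
    ("imagestreams", "delete", False),        # delete imagestream
    ("imagestreamtags", "delete", False),     # delete imagestream tags
    ("imagestreamtags", "deletecollection", False),
    ("imagestreamimports", "create", False),  # oc import-image rewrites tags
]


def _groups(rule):
    """apiGroups null or [] in the posted YAML means the core ("") group."""
    return [g if g is not None else "" for g in (rule.get("apiGroups") or [""])]


def rule_allows(rule, resource, verb, api_group=""):
    """PolicyRule matching: each list must contain the value or the wildcard."""
    groups = _groups(rule)
    if api_group not in groups and "*" not in groups:
        return False
    resources = rule.get("resources") or []
    verbs = rule.get("verbs") or []
    return (resource in resources or "*" in resources) and \
           (verb in verbs or "*" in verbs)


def role_allows(role, resource, verb, api_group=""):
    """Rules are purely additive (no deny rule), so a verb is forbidden only
    if no rule in the role grants it for that resource."""
    return any(rule_allows(r, resource, verb, api_group) for r in role["rules"])


def check_role(role_json, requirements=REQUIREMENTS):
    """Return (resource, verb, expected, actual) rows that violate the matrix;
    an empty list means the role matches it for every checked action."""
    role = json.loads(role_json)
    return [(res, verb, exp, role_allows(role, res, verb))
            for res, verb, exp in requirements
            if role_allows(role, res, verb) != exp]


if __name__ == "__main__":
    for name, doc in (("devops", DEVOPS_ROLE_JSON),
                      ("comment 8 rule", COMMENT8_ROLE_JSON)):
        bad = check_role(doc)
        print(f"{name}: {'OK' if not bad else str(len(bad)) + ' violation(s)'}")
        for res, verb, exp, actual in bad:
            print(f"  {verb:16s} {res:18s} expected {'allow' if exp else 'deny'},"
                  f" role gives {'allow' if actual else 'deny'}")
```

Run against the posted `devops` role the check passes every row: the role already has the right shape, and the reason it did not work before the fix is that the API offered no create path for imagestreamtags, not a defect in the rules. Run against the comment 8 rule it reports the three delete rows, which is exactly the gap between "cannot overwrite an existing tag" and the description's "immutable": to get the latter, leave delete and deletecollection out of the new rule as well, and do not grant create on imagestreamimports.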
Comment 9 weiwei jiang 2016-08-11 10:06:20 UTC
Checked with devenv-rhel7_4805, and now we can control if a user can do specific operation on the imagestreams and imagestreamtags.

Comment 11 errata-xmlrpc 2016-09-27 09:42:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933

