Description of problem:
The compliance policy is supposed to prevent running an image that fails its test by annotating this image in OpenShift, but this annotation never actually happens.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Scan a non-compliant image with the policy
2.
3.

Actual results:
No new annotation in OpenShift for that image

Expected results:
That specific image should be annotated with "images.openshift.io/deny-execution"

Additional info:

This is currently blocked on upstream OpenShift issues:
https://trello.com/c/HOWz6ejY
https://github.com/kubernetes/kubernetes/issues/31621

This is now working due to parsing changes done in 12711. Code changes present in master, Darga and Euwe.

5.7.0 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1400615
Code change: https://github.com/ManageIQ/manageiq/pull/12711/files#diff-0324981fdb3019ce6d98f9c86d97f2bb
Code change Darga: https://github.com/ManageIQ/manageiq/pull/13142

Federico, I'm not sure how to handle this since it was already included in 5.7.0. Change version? Move to modified?

Mooli, we need a clone for the z-stream (request is already present). Keyword TestOnly so that we know it just requires QE (no patches attached).

Chris, I assume this bug needs to move to POST|MODIFIED now (TestOnly, no code changes), and only then can we get the clone? Which one is it? (Moving to POST for now.)

Pavel, run this on OpenShift:

    oc import-image registry.access.redhat.com/rhscl/s2i-base-rhel7 --confirm

Then refresh the ManageIQ provider to see this image there and scan it. Currently this one is non-compliant, but this might change soon. You could visit registry.access.redhat.com and see all the images.