Bug 1512042 - Local Registry Adapter should not display APBs that can't be deployed from a namespace other than 'openshift'
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 3.9.0
Assignee: Shawn Hurley
QA Contact: Zhang Cheng
Depends On:
Reported: 2017-11-10 18:06 UTC by Dylan Murray
Modified: 2018-06-27 18:01 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2018-06-27 18:01:30 UTC
Target Upstream Version:

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2013 None None None 2018-06-27 18:01:53 UTC

Description Dylan Murray 2017-11-10 18:06:57 UTC
Description of problem:
Right now the local registry adapter works well with the 'openshift' namespace because that is a resource shared namespace where any authenticated user has access to the imagestreams within that namespace. We have seen issues when testing on an environment that does not use the 'openshift' namespace because the transient APB service account does not always have the ability to access the images within namespace 'foo'.

Version-Release number of selected component (if applicable):

How reproducible:
100% if the namespace does not grant access to all authenticated users.

Steps to Reproduce:
1. Configure the local registry adapter with namespace: 'foo'.
2. Create namespace 'foo'.
3. Be configured in a downstream OpenShift cluster where permissions for imagestreams are locked down per namespace.
4. Tag and push APB image to internal registry under namespace 'foo'.
5. Try to provision APB.

Actual results:
APB gets ErrImgPull errors because it cannot find the images outside of the transient namespace

Expected results:
APB is not displayed in the service catalog for this user

Additional info:
Relevant discussion in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1507111

Comment 2 Shawn Hurley 2018-01-02 20:31:53 UTC
Bug has been changed: https://github.com/openshift/ansible-service-broker/pull/607

Comment 5 Dylan Murray 2018-01-18 13:59:24 UTC
Shawn and Zhang,

Yeah this warning should be sufficient. Ideally we revisit this and add some intelligence to check if the images can be pulled from our service account and blacklist images which are not. This at least gives the cluster-admin an idea of what's going wrong so they can open up the images from the target namespace. Hope that helps.
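
The pull check that Comment 5 leaves as future work, as an added Go sketch (not code from the broker or from the linked pull request). It assumes the image namespace's role bindings are available in RBAC v1 JSON shape and treats only `system:image-puller` as granting pulls; the sample data and the service account names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// RoleBinding mirrors only the RBAC v1 fields this check reads.
type RoleBinding struct {
	RoleRef  struct{ Name string }                    `json:"roleRef"`
	Subjects []struct{ Kind, Name, Namespace string } `json:"subjects"`
}

// Constructed sample role-binding lists for image namespace "foo".
const (
	lockedDown = `{"items":[{"roleRef":{"name":"system:image-puller"},"subjects":[
	  {"kind":"ServiceAccount","name":"builder","namespace":"foo"}]}]}`
	openedUp = `{"items":[{"roleRef":{"name":"system:image-puller"},"subjects":[
	  {"kind":"Group","name":"system:authenticated"}]}]}`
)

// CanPull reports whether service account ns/name is bound to system:image-puller,
// directly or via a built-in group. Simplification: other pull-granting roles are ignored.
func CanPull(listJSON, ns, name string) (bool, error) {
	var list struct{ Items []RoleBinding }
	if err := json.Unmarshal([]byte(listJSON), &list); err != nil {
		return false, err
	}
	groups := map[string]bool{"system:authenticated": true,
		"system:serviceaccounts": true, "system:serviceaccounts:" + ns: true}
	for _, rb := range list.Items {
		if rb.RoleRef.Name != "system:image-puller" {
			continue
		}
		for _, s := range rb.Subjects {
			if (s.Kind == "Group" && groups[s.Name]) ||
				(s.Kind == "ServiceAccount" && s.Namespace == ns && s.Name == name) {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	a, _ := CanPull(lockedDown, "transient-ns", "apb-sa") // hypothetical names
	b, _ := CanPull(openedUp, "transient-ns", "apb-sa")
	fmt.Println(a, b)
}
```

An adapter could use a result like this to skip APBs whose images the transient service account cannot pull, which is the expected result the description asks for.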

Comment 6 Zhang Cheng 2018-01-19 03:12:55 UTC
Agreed, if you also think there is no need to block displaying the clusterserviceclass in both the backend and the web console in this situation (having the warning is enough).

Please move status to ON_QA. Thanks.

Comment 7 Zhang Cheng 2018-01-20 14:31:36 UTC
Based on Comment 3 and Comment 5. Changing status to Verified.

Comment 9 errata-xmlrpc 2018-06-27 18:01:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

