Description of problem:

Image policy is denying images due to a change made to a rule that should not affect these images. Just changing this policy:

```
openshift.io/ImagePolicy:
  configuration:
    apiVersion: v1
    executionRules:
    - matchImageAnnotations:
      - key: images.openshift.io/deny-execution
        value: 'true'
      name: execution-denied
      onResources:
      - resource: pods
      - resource: builds
      reject: true # Change to false
      skipOnResolutionFailure: true
    kind: ImagePolicyConfig
```

Any pod created from containers that are not in our registry fails with the following event:

The Pod "" is invalid: spec.containers[0].image: Forbidden: this image is prohibited by policy: only images imported into the registry are allowed (rhel7/rhel-tools)

Version-Release number of selected component (if applicable): 3.7

How reproducible: 100%

Steps to Reproduce:
1. Make a change to the default imagepolicy in place: change reject to false.
   - Reason for this change is that openscap marks all images with the annotation "images.openshift.io/deny-execution"; as a workaround we do not want to reject these.
2. Restart masters
3. Deploy a new image to test

```
# oc create -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: sleep-test-pod
spec:
  containers:
  - name: sleep-test-container
    image: rhel7/rhel-tools
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
  restartPolicy: Never
EOF
```

Actual results:
The Pod "" is invalid: spec.containers[0].image: Forbidden: this image is prohibited by policy: only images imported into the registry are allowed (rhel7/rhel-tools)

Expected results:
Run this pod, as the image policy should not have anything to do with this image.

Workaround:
Either remove the policy altogether or keep reject = true
This is working as designed: https://docs.openshift.org/latest/admin_guide/image_policy.html#image-policy-configuring-the-image-policy-admission-plug-in "Array of rules to evaluate against incoming resources. If you only have reject==true rules, the default is allow all. If you have any accept rule, the default is deny all."
Very confusing; reopening as a docs bug to better highlight this. https://docs.openshift.org/latest/admin_guide/image_policy.html#image-policy-configuring-the-image-policy-admission-plug-in

DOCUMENTATION BUG: Highlight that the default behaviour of the ImagePolicy switches to deny-all if ONE rule sets reject to false.
The entire section, "Configuring the ImagePolicy Admission Plug-in", needs to be beefed up with more explanation on the various options and how they may interact. As it stands now, it goes immediately to an example but it needs an in-depth upfront section ahead of the example.
Tracking this in https://github.com/openshift/openshift-docs/pull/10093. @Ryan, can you please check the PR? I have tried to dig into it a bit. Think of this as a draft; if you can provide me with more examples and use cases I can add those as well.
LGTM. The following addition covers what this bug was requesting.

~~~
Array of rules to evaluate against incoming resources. If you only have `reject: true` rules, the default is *allow all*. If you have any accept rule, that is `reject: false` in any of the rules, the default behaviour of the ImagePolicy switches to deny-all.
~~~
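A small model of the rule semantics quoted in the two comments above, added here as an example and not code from OpenShift or from the docs PR. It evaluates a list of executionRules against an image the way the thread describes (reject-only rules default to allow-all; any `reject: false` rule switches the default to deny-all) and reproduces why rhel7/rhel-tools is admitted with `reject: true` and refused with `reject: false`. The `Rule` and `Image` dataclasses, `evaluate()`, `execution_denied_rule()`, `compare_policies()` and the sample image names are assumptions made for the example; the handling of an image that cannot be resolved under skipOnResolutionFailure is also assumed, not something the thread states.

```python
"""Simplified model of ImagePolicy executionRules evaluation (added example,
not the admission plug-in's own code). Only the behaviour discussed in the
thread is modelled: a rule applies when the resource kind is listed in its
onResources, and matches when the image carries every annotation listed in
matchImageAnnotations with the required value."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    match_annotations: Dict[str, str]   # annotation key -> required value
    on_resources: Set[str]              # e.g. {"pods", "builds"}
    reject: bool = True
    skip_on_resolution_failure: bool = True


@dataclass
class Image:
    name: str
    annotations: Optional[Dict[str, str]] = None  # None models a failed image resolution


def rule_matches(rule: Rule, image: Image) -> bool:
    """A rule matches only if every required annotation is present with the required value."""
    assert image.annotations is not None
    return all(image.annotations.get(k) == v for k, v in rule.match_annotations.items())


def evaluate(rules: List[Rule], resource: str, image: Image) -> Tuple[bool, str]:
    """Return (allowed, reason) for creating `resource` from `image` under `rules`.

    The default when no rule matches depends on the rule set: allow-all when
    every applicable rule is a reject rule, deny-all as soon as one accept
    rule (reject: false) exists. That switch is the behaviour this bug is about."""
    applicable = [r for r in rules if resource in r.on_resources]
    has_accept_rule = any(not r.reject for r in applicable)
    for rule in applicable:
        if image.annotations is None:
            if rule.skip_on_resolution_failure:
                continue  # rule is ignored when the image cannot be resolved
            # Assumption for this model: an unresolvable image fails a non-skipping rule.
            return False, f"{rule.name}: image could not be resolved"
        if rule_matches(rule, image):
            if rule.reject:
                return False, f"rejected by rule {rule.name}"
            return True, f"accepted by rule {rule.name}"
    if has_accept_rule:
        return False, "no accept rule matched; an accept rule exists, so the default is deny-all"
    return True, "no reject rule matched; only reject rules exist, so the default is allow-all"


def execution_denied_rule(reject: bool) -> Rule:
    """The thread's execution-denied rule, with reject set either way."""
    return Rule(
        name="execution-denied",
        match_annotations={"images.openshift.io/deny-execution": "true"},
        on_resources={"pods", "builds"},
        reject=reject,
    )


# Constructed sample images (names chosen for the example).
RHEL_TOOLS = Image("rhel7/rhel-tools", annotations={})  # no deny-execution annotation
FLAGGED = Image("registry.example/flagged:1",
                annotations={"images.openshift.io/deny-execution": "true"})


def compare_policies(image: Image) -> Dict[bool, bool]:
    """Map each reject setting (True/False) to whether a pod from `image` is admitted."""
    return {reject: evaluate([execution_denied_rule(reject)], "pods", image)[0]
            for reject in (True, False)}


if __name__ == "__main__":
    for img in (RHEL_TOOLS, FLAGGED):
        for reject in (True, False):
            allowed, why = evaluate([execution_denied_rule(reject)], "pods", img)
            verdict = "allow" if allowed else "DENY"
            print(f"reject={reject!s:5} image={img.name:28} -> {verdict}: {why}")
```

Running the block prints the four combinations: with `reject: true` the unannotated rhel7/rhel-tools pod is admitted under the allow-all default and the annotated image is refused; flipping the single rule to `reject: false` inverts both outcomes, which is exactly the "only images imported into the registry are allowed" rejection the reporter saw.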
Thanks @Ryan
Verified, PR looks good to me.
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/ecbc179f9663b27cfebff2dda8aadfe4be9c5225

Merge pull request #10093 from gaurav-nelson/bug1565247-fixes
added explanation and examples for imagepolicy admission plugin
Updates are live at https://docs.openshift.org/latest/admin_guide/image_policy.html#image-policy-configuring-the-image-policy-admission-plug-in