Bug 1565247 - [DOCS] Setting reject to fasle for image policy cause all image to be rejected if not part of the registry.
Summary: [DOCS] Setting reject to fasle for image policy cause all image to be rejecte...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: ---
Assignee: Gaurav Nelson
QA Contact: Dongbo Yan
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-09 17:54 UTC by Ryan Howe
Modified: 2018-06-28 03:27 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-28 03:27:59 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Ryan Howe 2018-04-09 17:54:22 UTC
Description of problem:

   Image policy is denying images due to a change is made to a rule that should not effect these images. 
  
Just changing this policy 
   
    openshift.io/ImagePolicy:
      configuration:
        apiVersion: v1
        executionRules:
        - matchImageAnnotations:
          - key: images.openshift.io/deny-execution
            value: 'true'
          name: execution-denied
          onResources:
          - resource: pods
          - resource: builds
          reject: true                       # Change to false 
          skipOnResolutionFailure: true
        kind: ImagePolicyConfig
 

Any pod created from containers that are not in our registry fail with the following event: 

The Pod "" is invalid: spec.containers[0].image: Forbidden: this image is prohibited by policy: only images imported into the registry are allowed (rhel7/rhel-tools)


Version-Release number of selected component (if applicable):
3.7

How reproducible:
100%

Steps to Reproduce:
1. Make change to the default imagepolicy in place, change reject to false. 
         - Reason for this change is due to openscap marking all image with the annotation "images.openshift.io/deny-execution" as a workaround we do not want to reject this. 

2. Restart masters 

3. Deploy new image to test

```
# oc create -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: sleep-test-pod
spec:
  containers:
  - name: sleep-test-container
    image: rhel7/rhel-tools 
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
restartPolicy: Never
 EOF
 



Actual results:
   The Pod "" is invalid: spec.containers[0].image: Forbidden: this image is prohibited by policy: only images imported into the registry are allowed (rhel7/rhel-tools)

Expected results:
  Run this pod as the image policy should not have anything to do with this image. 



Workaround: 

  Either remove the policy all together or keep reject = true

Comment 1 Ben Parees 2018-04-09 18:01:52 UTC
This is working as designed:

https://docs.openshift.org/latest/admin_guide/image_policy.html#image-policy-configuring-the-image-policy-admission-plug-in

"Array of rules to evaluate against incoming resources. If you only have reject==true rules, the default is allow all. If you have any accept rule, the default is deny all."

Comment 2 Ryan Howe 2018-04-09 19:20:08 UTC
Very confusing reopening as a DOCs bug to better highlight this. 


https://docs.openshift.org/latest/admin_guide/image_policy.html#image-policy-configuring-the-image-policy-admission-plug-in

DOCUMENTATION BUG: 

  Highlight that the default behaviour of the ImagePolicy switches to deny-all if ONE rule sets reject to false.

Comment 3 Jack Ottofaro 2018-04-10 14:06:00 UTC
The entire section, "Configuring the ImagePolicy Admission Plug-in", needs to be beefed up with more explanation on the various options and how they may interact. As it stands now, it goes immediately to an example but it needs an in-depth upfront section ahead of the example.

Comment 4 Gaurav Nelson 2018-06-14 02:38:20 UTC
Tracking this in https://github.com/openshift/openshift-docs/pull/10093

@Ryan

Can you please check the PR, I have tried to dig it a bit. This of this as a draft, If you can provide me with more example and use cases I can add those as well.

Comment 7 Ryan Howe 2018-06-25 13:55:46 UTC
LGTM 

The following addition covers what this bug was requesting. 

~~
Array of rules to evaluate against incoming resources. If you only have
`reject: true` rules, the default is *allow all*. If you have any accept rule,
that is `reject: false` in any of the rules, the default behaviour of the
ImagePolicy switches to deny-all.
~~~

Comment 8 Gaurav Nelson 2018-06-26 00:45:56 UTC
Thanks @Ryan

Comment 9 Dongbo Yan 2018-06-26 07:12:01 UTC
Verified
PR look good to me

Comment 10 openshift-github-bot 2018-06-27 04:30:00 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/ecbc179f9663b27cfebff2dda8aadfe4be9c5225
Merge pull request #10093 from gaurav-nelson/bug1565247-fixes

added explanation and examples for imagepolicy admission plugin


Note You need to log in before you can comment on or make changes to this bug.