Bug 1679602 - admission plugins still seeing legacy resources
Summary: admission plugins still seeing legacy resources
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.1.0
Assignee: Oleg Bulatov
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-02-21 14:25 UTC by Ben Parees
Modified: 2019-06-04 10:44 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:44:19 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 None None None 2019-06-04 10:44:27 UTC

Description Ben Parees 2019-02-21 14:25:04 UTC
Description of problem:
The image admission plugin is seeing build resources as being in the legacy group when a build object is created.


Version-Release number of selected component (if applicable):
4.0


How reproducible:
Always

Steps to Reproduce:
1.  Add debug to the image admission policy plugin to print out the group resources it sees:  https://github.com/openshift/origin/blob/128155db2ed199d6045aafcf5377fce4b8f57036/pkg/image/apiserver/admission/imagepolicy/imagepolicy.go#L234


2.  Create a build resource using group apis:

apiVersion: build.openshift.io/v1
kind: Build
metadata:
  name: testbuild2
spec:
  nodeSelector: null
  output:
    pushSecret:
      name: builder-dockercfg-qprbs
    to:
      kind: ImageStreamTag
      name: nodejs-ex:latest
  postCommit: {}
  resources: {}
  serviceAccount: builder
  source:
    git:
      uri: https://github.com/openshift/nodejs-ex
    type: Git
  strategy:
    sourceStrategy:
      from:
        kind: DockerImage
        name: invalid:tag
      pullSecret:
        name: builder-dockercfg-qprbs
    type: Source



3.  Look at the group resource observed by the admission plugin; it will be the legacy group, not build.openshift.io.


Actual results:
legacy group resource

Expected results:
groupified group resource

Comment 1 Ben Parees 2019-02-21 14:26:25 UTC
Some discussion here also:
https://github.com/openshift/origin/pull/21950#discussion_r258489717

Comment 2 Michal Fojtik 2019-03-12 13:33:36 UTC
Fix: https://github.com/openshift/origin/pull/22297

Comment 9 Ben Parees 2019-03-27 21:35:11 UTC
(Adam, if the admission plugin is ignoring the build resource because it's still coming in as a legacy resource, not a group resource type, then you can send this back to the master team).

Comment 10 Oleg Bulatov 2019-04-01 13:27:53 UTC
$ oc -n openshift-apiserver get pods -o name | while read -r pod; do oc -n openshift-apiserver logs "$pod"; done | grep "running image policy"
I0401 13:25:18.625784       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/
I0401 13:25:18.637421       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/
I0401 13:25:18.764608       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
I0401 13:25:18.764904       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
I0401 13:25:30.563070       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
I0401 13:25:30.564658       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
...

Comment 11 XiuJuan Wang 2019-04-02 08:28:29 UTC
Verified this image with 4.0.0-0.nightly-2019-03-28-030453 build
$  oc -n openshift-apiserver get pods -o name | while read -r pod; do oc -n openshift-apiserver logs "$pod"; done | grep "running image policy"
I0402 08:26:13.181984       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/
I0402 08:26:13.191893       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/
I0402 08:26:13.369946       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ruby-hello-world-1
I0402 08:26:13.372087       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ruby-hello-world-1
I0402 08:26:13.380921       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ruby-hello-world-1
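
Added example, not part of the original bug comments or of the OpenShift code: a shell filter that turns the log check from Comments 10 and 11 into a pass/fail test by counting Build admissions logged under an empty (legacy) group versus a named group. The legacy line format ("/v1, Kind=Build"), the function names and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify "running image policy admission" log lines by API group.
# Assumption: the plugin logs "<group>/<version>, Kind=<Kind>", so a legacy
# (groupless) Build appears as "/v1, Kind=Build" or "v1, Kind=Build".

classify_admission_groups() {
    # Reads log lines on stdin; prints "<legacy> <groupified>" counts for Build.
    awk '
        /running image policy admission for / {
            if ($0 !~ /, Kind=Build:/) next
            gvk = $0
            sub(/.*running image policy admission for /, "", gvk)
            sub(/, Kind=.*/, "", gvk)          # keep "<group>/<version>"
            n = split(gvk, parts, "/")
            if (n == 2 && parts[1] != "") grouped++; else legacy++
        }
        END { printf "%d %d\n", legacy + 0, grouped + 0 }
    '
}

check_no_legacy() {
    # Succeeds only when no Build was admitted under the legacy group.
    set -- $(classify_admission_groups)
    [ "$1" -eq 0 ]
}

# Constructed sample: two lines in the format shown in Comment 10, plus one
# constructed line showing how a legacy-group Build is assumed to be logged.
sample_log() {
cat <<'EOF'
I0401 13:25:18.764608       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
I0401 13:25:30.563070       1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4
I0401 13:25:31.000000       1 imagepolicy.go:191] running image policy admission for /v1, Kind=Build:default/legacy-build-1
EOF
}

sample_log | classify_admission_groups   # prints "1 2" (legacy, groupified)
```

On a live cluster the input would be the output of the `oc ... logs` loop from Comment 10 piped into `check_no_legacy`, which requires the plugin's debug logging to be enabled.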

Comment 13 errata-xmlrpc 2019-06-04 10:44:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758

