Hide Forgot
Description of problem: The image admission plugin is seeing build resources as being in the legacy group when a build object is created. Version-Release number of selected component (if applicable): 4.0 How reproducible: Always Steps to Reproduce: 1. Add debug to the image admission policy plugin to print out the group resources it sees: https://github.com/openshift/origin/blob/128155db2ed199d6045aafcf5377fce4b8f57036/pkg/image/apiserver/admission/imagepolicy/imagepolicy.go#L234 2. Create a build resource using group apis: apiVersion: build.openshift.io/v1 kind: Build metadata: name: testbuild2 spec: nodeSelector: null output: pushSecret: name: builder-dockercfg-qprbs to: kind: ImageStreamTag name: nodejs-ex:latest postCommit: {} resources: {} serviceAccount: builder source: git: uri: https://github.com/openshift/nodejs-ex type: Git strategy: sourceStrategy: from: kind: DockerImage name: invalid:tag pullSecret: name: builder-dockercfg-qprbs type: Source 3. Look at the group resource observed by the admission plugin, it will be the legacy group, not build.openshift.io. Actual results: legacy group resource Expected results: groupified group resource
some discussion here also: https://github.com/openshift/origin/pull/21950#discussion_r258489717
Fix: https://github.com/openshift/origin/pull/22297
(Adam, if the admission plugin is ignore the build resource because it's still coming in as a legacy resource, not a group resource type, then you can send this back to the master team).
$ oc -n openshift-apiserver get pods -o name | while read -r pod; do oc -n openshift-apiserver logs "$pod"; done | grep "running image policy" I0401 13:25:18.625784 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/ I0401 13:25:18.637421 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/ I0401 13:25:18.764608 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4 I0401 13:25:18.764904 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4 I0401 13:25:30.563070 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4 I0401 13:25:30.564658 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:default/s2i-build-4 ...
Verified this image with 4.0.0-0.nightly-2019-03-28-030453 build $ oc -n openshift-apiserver get pods -o name | while read -r pod; do oc -n openshift-apiserver logs "$pod"; done | grep "running image policy" I0402 08:26:13.181984 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ I0402 08:26:13.191893 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ I0402 08:26:13.369946 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ruby-hello-world-1 I0402 08:26:13.372087 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ruby-hello-world-1 I0402 08:26:13.380921 1 imagepolicy.go:191] running image policy admission for build.openshift.io/v1, Kind=Build:xiu/ruby-hello-world-1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758