Hide Forgot
+++ This bug was initially created as a clone of Bug #1709945 +++ Description of problem: Per https://github.com/openshift/builder/issues/71, when the the image policy defined in images.config.openshift.io/cluster whitelists the set of registries from which we're allowed to push images, the generated policy.json defaults to disallowing all transports, which prevents the builder from committing or pushing a new image. Version-Release number of selected component (if applicable): 4.1.0-rc.0 How reproducible: Always Steps to Reproduce: 1. Set a cluster spec of: allowedRegistriesForImport: - domainName: registry.redhat.io insecure: false - domainName: quay.io insecure: false - domainName: registry.access.redhat.com insecure: false registrySources: allowedRegistries: - registry.redhat.io - registry.access.redhat.com - image-registry.openshift-image-registry.svc:5000 - quay.io allowedRegistriesForImport: - domainName: registry.redhat.io insecure: false - domainName: quay.io insecure: false - domainName: registry.access.redhat.com insecure: false registrySources: allowedRegistries: - registry.redhat.io - registry.access.redhat.com - image-registry.openshift-image-registry.svc:5000 - quay.io 2. Start a build. Actual results: The generated policy.json looks like: {"default":[{"type":"reject"}],"transports":{"atomic":{"image-registry.openshift-image-registry.svc:5000":[{"type":"insecureAcceptAnything"}],"quay.io":[{"type":"insecureAcceptAnything"}],"registry.access.redhat.com":[{"type":"insecureAcceptAnything"}],"registry.redhat.io":[{"type":"insecureAcceptAnything"}]},"docker":{"image-registry.openshift-image-registry.svc:5000":[{"type":"insecureAcceptAnything"}],"quay.io":[{"type":"insecureAcceptAnything"}],"registry.access.redhat.com":[{"type":"insecureAcceptAnything"}],"registry.redhat.io":[{"type":"insecureAcceptAnything"}]}}} The build fails with: error: build error: error copying layers and metadata for container "ceed796969e4947a471e4c866606d1fb5067055f7c0d8d9e3b174e3906fa37d7": Source image rejected: Running image containers-storage:ruby-working-container is rejected by policy. Expected results: Regardless of the spec, the builder should not fail to commit an image, or push an image because local storage is not mentioned in the policy.json. --- Additional comment from Adam Kaplan on 2019-05-14 16:18:19 UTC --- PR: https://github.com/openshift/builder/pull/72
release-4.1 PR: https://github.com/openshift/builder/pull/73
Verified on 4.1.0-0.nightly-2019-05-16-001402, build can succeed after making below change to images.config.openshift.io: spec: allowedRegistriesForImport: - domainName: registry.redhat.io insecure: false - domainName: quay.io insecure: false - domainName: registry.access.redhat.com insecure: false registrySources: allowedRegistries: - registry.redhat.io - registry.access.redhat.com - image-registry.openshift-image-registry.svc:5000 - quay.io
*** Bug 1709945 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758