Description of problem:
Users can modify the container policies applied to builds (builder pods): they can overwrite (define) their own security policies for pulling images during builds, despite the policies defined by cluster administrators.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.1.18    True        False         3h26m   Cluster version is 4.1.18

How reproducible:
Always

Steps to Reproduce:
1. Configure a whitelist of allowed registries, without docker.io:

$ oc get images.config.openshift.io -o yaml
apiVersion: v1
items:
- apiVersion: config.openshift.io/v1
  kind: Image
  metadata:
    annotations:
      release.openshift.io/create-only: "true"
    name: cluster
  spec:
    allowedRegistriesForImport:
    - domainName: registry.redhat.io
      insecure: false
    - domainName: registry.access.redhat.com
      insecure: false
    - domainName: image-registry.openshift-image-registry.svc:5000
      insecure: false
    - domainName: quay.io
      insecure: false
    registrySources:
      allowedRegistries:
      - registry.redhat.io
      - registry.access.redhat.com
      - image-registry.openshift-image-registry.svc:5000
      - quay.io
  status:
    internalRegistryHostname: image-registry.openshift-image-registry.svc:5000

2. Create a build based on a source image from docker.io:

$ oc new-build --docker-image=docker.io/centos/nodejs-8-centos7 https://github.com/sclorg/nodejs-ex.git

Check for errors in the output:
...
--> Creating resources with label build=nodejs-ex ...
    error: ImageStream.image.openshift.io "nodejs-8-centos7" is invalid: spec.tags[latest].from.name: Forbidden: registry "docker.io" not allowed by whitelist: "oregistry.redhat.io:443", "registry.access.redhat.com:443", "image-registry.openshift-image-registry.svc:5000", "quay.io"
    imagestream.image.openshift.io "nodejs-ex" created
    buildconfig.build.openshift.io "nodejs-ex" created
--> Failed

Check that the buildconfig was created:
$ oc get buildconfigs
NAME        TYPE     FROM   LATEST
nodejs-ex   Source   Git    0

Check that the build cannot be started:
$ oc start-build nodejs-ex
The ImageStreamTag "nodejs-8-centos7:latest" is invalid: from: Error resolving ImageStreamTag nodejs-8-centos7:latest in namespace vadim-test-02: imagestreams.image.openshift.io "nodejs-8-centos7" not found

3. Modify the build config: change the source from the ImageStream to a docker image:

$ oc edit bc nodejs-ex
....
  strategy:
    sourceStrategy:
      from:
        kind: DockerImage
        name: docker.io/centos/nodejs-8-centos7
......

4. The build starts and fails:

$ oc get builds
NAME          TYPE     FROM          STATUS                        STARTED              DURATION
nodejs-ex-1   Source   Git@e59fe75   Failed (GenericBuildFailed)   About a minute ago   34s

$ oc describe build nodejs-ex-1 | grep -A 4 'Log'
Log Tail:  Caching blobs under "/var/cache/blobs".
           Warning: Pull failed, retrying in 5s ...
           Warning: Pull failed, retrying in 5s ...
           Warning: Pull failed, retrying in 5s ...
           error: build error: After retrying 2 times, Pull image sti...ker://centos/nodejs-8-centos7:latest is rejected by policy.

5. A ConfigMap with policy.json has been created:

$ oc get cm
NAME                     DATA   AGE
nodejs-ex-1-ca           1      4m34s
nodejs-ex-1-sys-config   1      4m34s

6. Save the created config map to a file and change its content:

$ oc get cm nodejs-ex-1-sys-config -o yaml > policy-cm.yaml

Change the name to nodejs-ex-2-sys-config, change the default policy to "insecureAcceptAnything" and remove the ownerReferences section:

$ cat policy-cm.yaml
apiVersion: v1
data:
  policy.json: '{"default":[{"type":"insecureAcceptAnything"}],"transports":{"atomic":{"image-registry.openshift-image-registry.svc:5000":[{"type":"insecureAcceptAnything"}],"quay.io":[{"type":"insecureAcceptAnything"}],"registry.access.redhat.com":[{"type":"insecureAcceptAnything"}],"registry.redhat.io":[{"type":"insecureAcceptAnything"}]},"docker":{"image-registry.openshift-image-registry.svc:5000":[{"type":"insecureAcceptAnything"}],"quay.io":[{"type":"insecureAcceptAnything"}],"registry.access.redhat.com":[{"type":"insecureAcceptAnything"}],"registry.redhat.io":[{"type":"insecureAcceptAnything"}]}}}'
kind: ConfigMap
metadata:
  name: nodejs-ex-2-sys-config
  namespace: vadim-test

7. Create the ConfigMap from the file:

$ oc create -f policy-cm.yaml
configmap/nodejs-ex-2-sys-config created
$ oc get cm
NAME                     DATA   AGE
nodejs-ex-1-ca           1      9m35s
nodejs-ex-1-sys-config   1      9m35s
nodejs-ex-2-sys-config   1      62s

8. Ensure there is only build #1, then start a new build:

$ oc get builds
NAME          TYPE     FROM          STATUS                        STARTED          DURATION
nodejs-ex-1   Source   Git@e59fe75   Failed (GenericBuildFailed)   10 minutes ago   34s
$ oc start-build nodejs-ex
build.build.openshift.io/nodejs-ex-2 started

9. The build finishes, because the builder pod uses the CM that was just created (nodejs-ex-2-sys-config):

$ oc get builds
NAME          TYPE     FROM          STATUS                        STARTED          DURATION
nodejs-ex-1   Source   Git@e59fe75   Failed (GenericBuildFailed)   8 minutes ago    34s
nodejs-ex-2   Source   Git@e59fe75   Complete                      5 minutes ago    2m11s
$ oc describe build nodejs-ex-2 | grep From
From Image:  DockerImage docker.io/centos/nodejs-8-centos7
  Type    Reason    Age    From    Message
$ oc get pod nodejs-ex-2-build -o jsonpath='{.spec.volumes}'
[map[hostPath:map[path:/var/lib/containers/cache type:] name:buildcachedir] map[name:buildworkdir emptyDir:map[]] map[secret:map[secretName:builder-dockercfg-chx8m defaultMode:384] name:builder-dockercfg-chx8m-push] map[name:builder-dockercfg-chx8m-pull secret:map[secretName:builder-dockercfg-chx8m defaultMode:384]] map[configMap:map[name:nodejs-ex-2-sys-config defaultMode:420] name:build-system-configs] map[configMap:map[name:nodejs-ex-2-ca items:[map[key:service-ca.crt path:certs.d/image-registry.openshift-image-registry.svc:5000/ca.crt]] defaultMode:420] name:build-ca-bundles] map[name:container-storage-root emptyDir:map[]] map[emptyDir:map[] name:build-blob-cache] map[name:builder-token-hmp4p secret:map[secretName:builder-token-hmp4p defaultMode:420]]]

10. The next build fails because it uses the CM created by OpenShift:

$ oc start-build nodejs-ex
build.build.openshift.io/nodejs-ex-3 started
$ oc get builds
NAME          TYPE     FROM          STATUS                        STARTED          DURATION
nodejs-ex-1   Source   Git@e59fe75   Failed (GenericBuildFailed)   9 minutes ago    34s
nodejs-ex-2   Source   Git@e59fe75   Complete                      7 minutes ago    2m11s
nodejs-ex-3   Source   Git@e59fe75   Failed (OutOfMemoryKilled)    37 seconds ago   35s
$ oc describe build nodejs-ex-3 | grep -A 4 'Log'
Log Tail:  Caching blobs under "/var/cache/blobs".
           Warning: Pull failed, retrying in 5s ...
           Warning: Pull failed, retrying in 5s ...
           Warning: Pull failed, retrying in 5s ...
           error: build error: After retrying 2 times, Pull image sti...ker://centos/nodejs-8-centos7:latest is rejected by policy.

Actual results:
Builds completed despite the configured image policies. Users can define their own container policies.

Expected results:
Builds fail; the pull from docker.io is rejected due to the configured image policy.

Additional info:
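An audit check a cluster administrator could run over a namespace's ConfigMaps to spot a user-supplied policy map like the one forged in step 6 (an added example, not part of this bug report or of OpenShift's own code). It assumes the ConfigMaps were fetched with `oc get cm -o json`, that a controller-generated `<build>-sys-config` map carries an ownerReference of kind Build and a `reject` default in policy.json, and it uses constructed sample ConfigMaps rather than the ones from the report.

```python
import json

# Cluster whitelist from step 1 (registrySources.allowedRegistries).
ALLOWED_REGISTRIES = {"registry.redhat.io", "registry.access.redhat.com",
                      "image-registry.openshift-image-registry.svc:5000", "quay.io"}

def audit_sys_config(cm, allowed=ALLOWED_REGISTRIES):
    """Return findings for one ConfigMap dict (as from `oc get cm -o json`)."""
    findings = []
    meta = cm.get("metadata", {})
    if not meta.get("name", "").endswith("-sys-config"):
        return findings  # only build policy ConfigMaps are examined
    # 1. Generated maps carry an ownerReference to their Build (assumed);
    #    step 6 of the report strips it when forging the map.
    if not any(o.get("kind") == "Build" for o in meta.get("ownerReferences", [])):
        findings.append("no Build ownerReference (likely user-created)")
    try:
        policy = json.loads(cm.get("data", {}).get("policy.json", "{}"))
    except json.JSONDecodeError:
        return findings + ["policy.json is not valid JSON"]
    # 2. The default rule must reject registries with no explicit rule (assumed).
    default_types = {r.get("type") for r in policy.get("default", [])}
    if default_types != {"reject"}:
        findings.append(f"default policy {sorted(default_types)}, expected ['reject']")
    # 3. Every registry granted a rule must be on the cluster whitelist.
    for transport, scopes in policy.get("transports", {}).items():
        for scope in scopes:
            registry = scope.split("/", 1)[0]
            if registry not in allowed:
                findings.append(f"{transport}: {registry!r} not in allowedRegistries")
    return findings

def audit_configmap_list(cm_list, allowed=ALLOWED_REGISTRIES):
    """Map ConfigMap name -> findings for every *-sys-config item that has any."""
    report = {}
    for cm in cm_list.get("items", []):
        if findings := audit_sys_config(cm, allowed):
            report[cm["metadata"]["name"]] = findings
    return report

# Constructed sample (not from the report): a controller-generated map and a forged
# one like step 6, which here also grants docker.io so that check 3 fires.
ACCEPT = [{"type": "insecureAcceptAnything"}]
GENERATED_POLICY = json.dumps({"default": [{"type": "reject"}], "transports": {"docker": {"quay.io": ACCEPT}}})
FORGED_POLICY = json.dumps({"default": ACCEPT, "transports": {"docker": {"quay.io": ACCEPT, "docker.io": ACCEPT}}})
SAMPLE_CM_LIST = {"items": [
    {"metadata": {"name": "nodejs-ex-1-sys-config", "ownerReferences": [{"kind": "Build", "name": "nodejs-ex-1"}]}, "data": {"policy.json": GENERATED_POLICY}},
    {"metadata": {"name": "nodejs-ex-2-sys-config"}, "data": {"policy.json": FORGED_POLICY}},
    {"metadata": {"name": "nodejs-ex-1-ca"}, "data": {"service-ca.crt": "(constructed)"}},
]}
```

Running `audit_configmap_list(SAMPLE_CM_LIST)` reports only nodejs-ex-2-sys-config, with all three findings; a map that passes every check produces no entry.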