Bug 2032589 - DeploymentConfigs ignore resolve-names annotation
Summary: DeploymentConfigs ignore resolve-names annotation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 4.6.z
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.10.0
Assignee: Oleg Bulatov
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Depends On:
Blocks: 2040240
TreeView+ depends on / blocked
 
Reported: 2021-12-14 18:58 UTC by Oleg Bulatov
Modified: 2022-10-12 02:53 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: the image admission plugin didn't check annotations inside the deployment configs templates. Consequence: the annotation inside the template cannot be handled in replica controllers (as they are managed by the deployment config), and the deployment config didn't see them, so they were ignored. Fix: update the image admission plugin so that it can analyze templates of deployment configs. Result: the image admission plugin recognized annotations on the deployment configs and on their templates.
Clone Of:
Environment:
Last Closed: 2022-03-10 16:33:57 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift openshift-apiserver pull 268 0 None open Bug 2032589: Make OriginImageMutators aware of origin objects 2022-01-11 11:46:28 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:34:19 UTC

Description Oleg Bulatov 2021-12-14 18:58:51 UTC
Description of problem:

This problem has been initially reported as BZ 2000216, but it hasn't been solved completely.

When you have the resolve-names annotation on a deployment config, image references used to be resolved on the replication controllers. Once we fixed BZ 1925180, it doesn't happen anymore.

The resolving process should happen on the deployment config object, so that only the deployment config manages its replication controllers.

Once we fixed BZ 2000216, the image policy admission plugin started to work with deployment configs that have the resolve-names annotation. But it still doesn't work when the annotation is put onto the template.

For deployments the admission plugin recognizes the annotation on the object and on its template. For deployment configs it should do the same.

Version-Release number of selected component (if applicable):

4.x

How reproducible:

Always.

Steps to Reproduce:

oc apply -f - <<END
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: myis
spec:
  lookupPolicy:
    local: false
  tags:
  - name: latest
    from:
      kind: DockerImage
      name: docker.io/library/nginx:latest
END

sleep 1  # Give the image stream controller some time to import the image and the admission plugin to become aware of the image 

oc apply -f - <<END
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: mydc
spec:
  replicas: 1
  selector:
    app: mydc
  template:
    metadata:
      annotations:
        alpha.image.policy.openshift.io/resolve-names: '*'
      labels:
        app: mydc
    spec:
      containers:
      - image: myis
        name: mycontainer
END

# Check the DC's image
oc get dc mydc -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'

Actual results:

The DC's image is `myis`

Expected results:

The DC's image should be `docker.io/library/nginx@sha256:...`

Additional info:

Comment 3 XiuJuan Wang 2022-01-13 08:17:27 UTC
Verified with 4.10.0-0.ci.test-2022-01-13-061134-ci-ln-y6dn8b2-latest
Scenario 1:
Create an imagestream
oc tag docker.io/library/nginx:latest myis:latest
sleep 1

oc apply -f - <<END
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: mydc
spec:
  replicas: 1
  selector:
    app: mydc
  template:
    metadata:
      annotations:
        alpha.image.policy.openshift.io/resolve-names: '*'
      labels:
        app: mydc
    spec:
      containers:
      - image: myis
        name: mycontainer
END

oc get dc mydc -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'

docker.io/library/nginx@sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3

Senario 2:
Create an imagestream with pullthrough policy
oc tag docker.io/library/nginx:latest myis:latest --reference-policy='local'


oc apply -f - <<END
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: mydc
spec:
  replicas: 1
  selector:
    app: mydc
  template:
    metadata:
      annotations:
        alpha.image.policy.openshift.io/resolve-names: '*'
      labels:
        app: mydc
    spec:
      containers:
      - image: myis
        name: mycontainer
END

oc get dc mydc -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'

image-registry.openshift-image-registry.svc:5000/wxj12/myis@sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3

Comment 11 errata-xmlrpc 2022-03-10 16:33:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056


Note You need to log in before you can comment on or make changes to this bug.