Description of problem:

This problem has been initially reported as BZ 2000216, but it hasn't been solved completely.

When you have the resolve-names annotation on a deployment config, image references used to be resolved on the replication controllers. Once we fixed BZ 1925180, it doesn't happen anymore. The resolving process should happen on the deployment config object, so that only the deployment config manages its replication controllers.

Once we fixed BZ 2000216, the image policy admission plugin started to work with deployment configs that have the resolve-names annotation. But it still doesn't work when the annotation is put onto the template.

For deployments the admission plugin recognizes the annotation on the object and on its template. For deployment configs it should do the same.

Version-Release number of selected component (if applicable):
4.x

How reproducible:
Always.

Steps to Reproduce:

oc apply -f - <<END
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: myis
spec:
  lookupPolicy:
    local: false
  tags:
  - name: latest
    from:
      kind: DockerImage
      name: docker.io/library/nginx:latest
END

sleep 1  # Give the image stream controller some time to import the image and the admission plugin to become aware of the image

oc apply -f - <<END
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: mydc
spec:
  replicas: 1
  selector:
    app: mydc
  template:
    metadata:
      annotations:
        alpha.image.policy.openshift.io/resolve-names: '*'
      labels:
        app: mydc
    spec:
      containers:
      - image: myis
        name: mycontainer
END

# Check the DC's image
oc get dc mydc -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'

Actual results:
The DC's image is `myis`

Expected results:
The DC's image should be `docker.io/library/nginx@sha256:...`

Additional info:
Verified with 4.10.0-0.ci.test-2022-01-13-061134-ci-ln-y6dn8b2-latest

Scenario 1: Create an imagestream

oc tag docker.io/library/nginx:latest myis:latest
sleep 1
oc apply -f - <<END
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: mydc
spec:
  replicas: 1
  selector:
    app: mydc
  template:
    metadata:
      annotations:
        alpha.image.policy.openshift.io/resolve-names: '*'
      labels:
        app: mydc
    spec:
      containers:
      - image: myis
        name: mycontainer
END

oc get dc mydc -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'
docker.io/library/nginx@sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3

Scenario 2: Create an imagestream with pullthrough policy

oc tag docker.io/library/nginx:latest myis:latest --reference-policy='local'
oc apply -f - <<END
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: mydc
spec:
  replicas: 1
  selector:
    app: mydc
  template:
    metadata:
      annotations:
        alpha.image.policy.openshift.io/resolve-names: '*'
      labels:
        app: mydc
    spec:
      containers:
      - image: myis
        name: mycontainer
END

oc get dc mydc -o jsonpath='{.spec.template.spec.containers[*].image}{"\n"}'
image-registry.openshift-image-registry.svc:5000/wxj12/myis@sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3
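An added example, not part of the bug report or of OpenShift's own code: a small audit check that reports where the resolve-names annotation sits on a DeploymentConfig (object or template) and which container images were left unresolved, i.e. not pinned to a sha256 digest. The function names, the constructed manifest and the rule that any value of the annotation counts as opt-in are assumptions made for this sketch.

```python
import re

RESOLVE_NAMES = "alpha.image.policy.openshift.io/resolve-names"
# A resolved reference ends in @sha256:<64 hex characters>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def annotation_locations(obj):
    """Return where the annotation is set: 'object' and/or 'template'."""
    found = []
    if RESOLVE_NAMES in (obj.get("metadata", {}).get("annotations") or {}):
        found.append("object")
    tmpl_meta = obj.get("spec", {}).get("template", {}).get("metadata", {})
    if RESOLVE_NAMES in (tmpl_meta.get("annotations") or {}):
        found.append("template")
    return found


def unresolved_images(obj):
    """Return (container, image) pairs that opted in but are not digest-pinned."""
    # Assumption: presence of the annotation is the opt-in; the page only uses '*'.
    if not annotation_locations(obj):
        return []  # no opt-in, so no resolution was expected
    pod = obj.get("spec", {}).get("template", {}).get("spec", {})
    return [(c.get("name"), c.get("image", ""))
            for c in (pod.get("containers") or [])
            if not DIGEST_RE.search(c.get("image", ""))]


def make_dc(image, on_template=True):
    """Constructed DeploymentConfig shaped like the reproducer's manifest."""
    ann = {RESOLVE_NAMES: "*"}
    return {
        "kind": "DeploymentConfig",
        "metadata": {"name": "mydc", "annotations": {} if on_template else ann},
        "spec": {"template": {
            "metadata": {"annotations": ann if on_template else {}},
            "spec": {"containers": [{"name": "mycontainer", "image": image}]},
        }},
    }


if __name__ == "__main__":
    # Constructed digest (64 hex characters), not a real image.
    pinned = "docker.io/library/nginx@sha256:" + "ab" * 32
    for dc in (make_dc("myis"), make_dc(pinned)):
        print(annotation_locations(dc), unresolved_images(dc))
```

To run it against a cluster object, load the output of `oc get dc mydc -o json` with `json.load` and pass the resulting dict to `unresolved_images`.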
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056