OpenShift Bugs: OCPBUGS-18786

unqualified-search-registries is still added to <build>-<rev>-sys-config ConfigMap and thus used during builds

    Description

      Description of problem:

      When creating a BuildConfig as the below example, a ConfigMap called <build>-<rev>-sys-config is automatically created and mounted into the Build to provide registry details.
      
      > $ oc get clusterversion
      > NAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUS
      > version   4.14.0-ec.4   True        False         34m     Cluster version is 4.14.0-ec.4
      
      > $ oc get bc -o json
      > {
      >     "apiVersion": "v1",
      >     "items": [
      >         {
      >             "apiVersion": "build.openshift.io/v1",
      >             "kind": "BuildConfig",
      >             "metadata": {
      > [...]
      >                 "creationTimestamp": "2023-09-11T11:01:43Z",
      >                 "generation": 1,
      >                 "labels": {
      >                     "build": "fedora"
      >                 },
      >                 "name": "fedora",
      >                 "namespace": "project-101",
      >                 "resourceVersion": "37816",
      >                 "uid": "e1b03bf4-a0e4-4936-b4e9-65d1e5ea9fa5"
      >             },
      >             "spec": {
      >                 "failedBuildsHistoryLimit": 5,
      >                 "nodeSelector": null,
      >                 "output": {
      >                     "to": {
      >                         "kind": "ImageStreamTag",
      >                         "name": "fedora:latest"
      >                     }
      >                 },
      >                 "postCommit": {},
      >                 "resources": {},
      >                 "runPolicy": "Serial",
      >                 "source": {
      >                     "dockerfile": "FROM fedora:latest\n RUN dnf install -y httpd",
      >                     "type": "Dockerfile"
      >                 },
      >                 "strategy": {
      >                     "dockerStrategy": {
      >                         "noCache": true
      >                     },
      >                     "type": "Docker"
      >                 },
      >                 "successfulBuildsHistoryLimit": 5
      >             },
      >             "status": {
      >                 "lastVersion": 29
      >             }
      >         }
      >     ],
      >     "kind": "List",
      >     "metadata": {
      >         "resourceVersion": ""
      >     }
      > }
      
      > $ oc describe cm fedora-30-sys-config
      > Name:         fedora-30-sys-config
      > Namespace:    project-101
      > Labels:       <none>
      > Annotations:  <none>
      > 
      > Data
      > ====
      > registries.conf:
      > ----
      > unqualified-search-registries = ["registry.redhat.io", "registry.access.redhat.com", "quay.io", "docker.io"]
      > short-name-mode = ""
      > 
      > [[registry]]
      >   prefix = ""
      >   location = "quay.io"
      > 
      >   [[registry.mirror]]
      >     location = "quayio-pull-through-cache-us-west-2-ci.apps.ci.l2s4.p1.openshiftapps.com"
      >     pull-from-mirror = "digest-only"
      > 
      > 
      > BinaryData
      > ====
      > 
      > Events:  <none>
      
      > $ oc logs fedora-30-build
      > [...]
      > Defaulted container "docker-build" out of: docker-build, manage-dockerfile (init)
      > time="2023-09-11T11:02:38Z" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled"
      > I0911 11:02:38.103213       1 defaults.go:112] Defaulting to storage driver "overlay" with options [mountopt=metacopy=on].
      > Caching blobs under "/var/cache/blobs".
      > 
      > Pulling image fedora:latest ...
      > Resolving "fedora" using unqualified-search registries (/var/run/configs/openshift.io/build-system/registries.conf)
      > Trying to pull registry.redhat.io/fedora:latest...
      > Trying to pull registry.access.redhat.com/fedora:latest...
      > Trying to pull quay.io/fedora:latest...
      > Trying to pull docker.io/library/fedora:latest...
      > Getting image source signatures
      > Copying blob sha256:deb9cd9f829fea30353f8c711013769a0cacbfa6963532841501df300f8f54e6
      > Copying config sha256:6b9fae4fa405599ad15fed7742310e91f34593a5a8d2da4c9ffe67107385e729
      > Writing manifest to image destination
      > Adding transient rw bind mount for /run/secrets/rhsm
      > STEP 1/4: FROM fedora:latest
      
      According to https://issues.redhat.com/browse/RFE-676?focusedCommentId=15498495&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15498495, unqualified-search-registries shall only be supported at run time, not during builds. For builds, fully qualified Container Image names shall be used for security reasons.
      
      With the current approach in OpenShift Container Platform 4.14, unqualified-search-registries is still added to the ConfigMap and used during builds, which conflicts with the above statement. Making it worse, the list of search registries cannot be customized, so a short name may be searched in an Image Registry that the Image configuration actually blocks (the pull is refused, but the search is still attempted).
      
      So overall, we have an inconsistency between a statement in an RFE and the actual implementation. Further, a security problem is introduced, as a list of Image Registries that can neither be configured nor disabled is searched during Builds.
      
      

      Version-Release number of selected component (if applicable):

       - OpenShift Container Platform 4.14.0-ec.4
      

      How reproducible:

      - Always
      

      Steps to Reproduce:

      1. Install OpenShift Container Platform 4 as per https://docs.openshift.com/container-platform/latest/installing/installing_aws/installing-aws-default.html#installing-aws-default
      2. Configure Image settings to block pulling from `docker.io` following https://docs.openshift.com/container-platform/latest/openshift_images/image-configuration.html#images-configuration-parameters_image-configuration
      3. Create a Build with docker BuildStrategy as shown above and run the same
      

      Actual results:

      A ConfigMap called <build>-<rev>-sys-config is created and mounted into the Build pod (and also used) with hardcoded registries, such as `docker.io`, in which the build searches for Container Images whenever short names are used. Even though `docker.io` may be blocked, the build still attempts to search for the Container Image there (luckily the pull won't work, but a problem still arises).
      

      Expected results:

      The ConfigMap called <build>-<rev>-sys-config should either apply the complete settings configured via the Image configuration (https://docs.openshift.com/container-platform/latest/openshift_images/image-configuration.html#images-configuration-parameters_image-configuration), and therefore contain only allowed registries in unqualified-search-registries, or otherwise comply with https://issues.redhat.com/browse/RFE-676?focusedCommentId=15498495&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15498495 and not allow unqualified-search-registries to be used at all (i.e. disable it and provide an empty list).
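The two results above (the actual sys-config ConfigMap searching a blocked registry, and the expected hardened form with an empty search list) can be checked mechanically. The following Python is an added example, not code from this bug report or from OpenShift: it parses a registries.conf body, flags search registries that the cluster image policy blocks, flags a short-name-mode that still allows search, and lists `FROM` references in a Dockerfile that are not fully qualified (the root cause the report asks users to avoid). The mirror hostname, the blocked-registry list, the hardened config and all function names are constructed for the example; `short-name-mode = "enforcing"` is a real containers-registries.conf value.

```python
"""Audit a build's registries.conf against the cluster image policy and flag
short (unqualified) image names in a Dockerfile.

Added example for OCPBUGS-18786; not code from the report or from OpenShift.
"""
import ast
import re

try:
    import tomllib  # Python 3.11+ standard library
except ModuleNotFoundError:  # older interpreter: use the line parser below
    tomllib = None

# Constructed sample: the registries.conf from the fedora-30-sys-config
# ConfigMap shown in the report (mirror host replaced by a placeholder).
BUILD_REGISTRIES_CONF = '''
unqualified-search-registries = ["registry.redhat.io", "registry.access.redhat.com", "quay.io", "docker.io"]
short-name-mode = ""

[[registry]]
  prefix = ""
  location = "quay.io"

  [[registry.mirror]]
    location = "mirror.example.com"
    pull-from-mirror = "digest-only"
'''

# Constructed sample of what the expected result asks for: no search list and
# short-name resolution refused outright.
HARDENED_REGISTRIES_CONF = '''
unqualified-search-registries = []
short-name-mode = "enforcing"
'''

# Constructed stand-in for spec.registrySources.blockedRegistries of the
# cluster's image.config.openshift.io/cluster object (step 2 of the reproducer).
BLOCKED_REGISTRIES = ["docker.io"]


def parse_registries_conf(text):
    """Return (unqualified_search_list, short_name_mode) from a registries.conf body."""
    if tomllib is not None:
        data = tomllib.loads(text)
        return list(data.get("unqualified-search-registries", [])), data.get("short-name-mode", "")
    # Fallback: only the two top-level keys we need, read line by line.
    search, mode = [], ""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "unqualified-search-registries":
            search = list(ast.literal_eval(value))
        elif key == "short-name-mode":
            mode = ast.literal_eval(value)
    return search, mode


def audit_registries_conf(text, blocked):
    """Return findings (empty list == clean) for a registries.conf body."""
    search, mode = parse_registries_conf(text)
    findings = []
    for reg in search:
        # A blocked registry (or a host under it) is still consulted by search.
        if any(reg == b or reg.endswith("." + b) for b in blocked):
            findings.append(f"blocked registry still in unqualified-search-registries: {reg}")
    if search and mode != "enforcing":
        findings.append(f"short-name-mode is {mode!r}; short names will be resolved by search")
    return findings


# FROM [--platform=...] <ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
    re.IGNORECASE | re.MULTILINE,
)


def is_fully_qualified(ref):
    """True when the reference names a registry host explicitly: the first
    path component contains a dot or a colon, or is "localhost"."""
    if "/" not in ref:
        return False  # "fedora:latest" is a short name; the colon is the tag
    first = ref.split("/", 1)[0]
    return "." in first or ":" in first or first == "localhost"


def find_short_name_references(dockerfile):
    """Return FROM references that would be resolved via search registries."""
    short, stages = [], set()
    for ref, alias in FROM_RE.findall(dockerfile):
        if ref.lower() not in stages and ref.lower() != "scratch" and not is_fully_qualified(ref):
            short.append(ref)
        if alias:
            stages.add(alias.lower())  # later "FROM <stage>" lines are not pulls
    return short


if __name__ == "__main__":
    print(audit_registries_conf(BUILD_REGISTRIES_CONF, BLOCKED_REGISTRIES))
    print(audit_registries_conf(HARDENED_REGISTRIES_CONF, BLOCKED_REGISTRIES))
    # The Dockerfile from the report's BuildConfig
    print(find_short_name_references("FROM fedora:latest\n RUN dnf install -y httpd"))
```

Run against the ConfigMap content with `oc get cm fedora-30-sys-config -o jsonpath='{.data.registries\.conf}'` (the script itself reads a string, so the output can be piped in or pasted) and against the blocked list from `oc get image.config.openshift.io/cluster -o jsonpath='{.spec.registrySources.blockedRegistries}'`. The short-name check is the practical mitigation available today: a Dockerfile whose every `FROM` is fully qualified never consults the search list at all.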
      

      Additional info:

      The information provided to customers is inconsistent: it is not made clear how `docker` Images must be specified in Builds, nor why fully qualified Container Image names shall be used, while Builds attempt to search for Images in registries that cannot be controlled (which is considered very insecure).
      

      People
      
        rh-ee-sabiswas Sayan Biswas