Type: Bug
Resolution: Won't Do
Priority: Normal
Affects Version: 4.15
Quality / Stability / Reliability
Severity: Moderate
Description of problem:
This PR disabled any image replacement for image streams with lookupPolicy.local=true when a workload is deployed with ownerReferences.controller=true.
This is generally a good approach when Kubernetes-native controllers control the workloads. However, it also disables this behavior for a wide range of other workloads. For example, controllers run by operators that create workloads directly as pods (Tekton, Argo Workflows, and derived projects) can no longer rely on the image-lookup feature.
In that case, we cannot control the parent controller and should continue replacing the image based on the lookupPolicy. We could instead delegate to the external controllers the decision about reconciling the (mutable) image field of podTemplate specs, as partially discussed in https://github.com/openshift/openshift-apiserver/issues/339 .
Version-Release number of selected component (if applicable):
4.15 (.... 4.9ish)
How reproducible:
Always
Steps to Reproduce:
1. Create an image stream with lookupPolicy.local=true:

apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: hello-openshift
spec:
  lookupPolicy:
    local: true
  tags:
  - name: 1.2.0
    from:
      kind: DockerImage
      name: quay.io/openshifttest/hello-openshift:1.2.0
    importPolicy:
      importMode: PreserveOriginal
    referencePolicy:
      type: Local
2. Create a pod with ownerReferences.controller=true whose container image field is set to the image stream tag name without the internal registry URL:

apiVersion: v1
kind: Pod
metadata:
  name: example
  labels:
    app: httpd
  namespace: okd-fcos
  ownerReferences:
  - apiVersion: build.openshift.io/v1
    kind: Build
    name: xxx
    uid: 59efca52-10a8-4425-a4bc-3c5915ca189b
    controller: true
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: hello
    image: hello-openshift:1.2.0
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
Actual results:
ImagePullBackOff
Expected results:
The image field of the container gets replaced with the URL of the image, including the internal-registry FQDN.
Additional info:
1. We should document this at least in https://docs.openshift.com/container-platform/4.13/openshift_images/using-imagestreams-with-kube-resources.html
2. A possible solution is to allow that replacement when the workload is a pod and its controller is not one of the Kubernetes-native ones (ReplicaSet, StatefulSet, etc.).
- Previous bug: https://bugzilla.redhat.com/show_bug.cgi?id=1925180
- Related issue: https://github.com/openshift/openshift-apiserver/issues/339
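Added example, not part of this report and not OpenShift's own code: a small Python model of the lookup rewrite exercised by steps 1 and 2 above, side by side with the exemption proposed in item 2 (skip the rewrite only when the controller owner is a Kubernetes-native workload kind). The internal registry host, the native-controller list, the `reproduce`/`sample_pod` helpers and the ImageStream/Pod objects are assumptions constructed for the example, and the model matches tags against spec.tags rather than the ImageStream status the real apiserver uses. It deliberately keeps the lookup namespace scoped, which is the check a reviewer would want on any widening of this behaviour: whoever can create an ImageStream in a namespace can redirect an unqualified image reference in that namespace, so allowing the rewrite for pods owned by third-party controllers must not allow it across namespaces.

```python
# Added illustration, not OpenShift's own code: a model of the image-lookup
# rewrite and of the exemption proposed in this report (constructed data).

# Assumed internal registry FQDN; the real value is cluster specific.
INTERNAL_REGISTRY = "image-registry.openshift-image-registry.svc:5000"

# Assumed exemption list for the proposed behaviour: native workload kinds
# whose controllers reconcile the podTemplate image themselves (illustrative,
# not the list the apiserver uses).
KUBE_NATIVE_CONTROLLERS = {
    ("apps", "ReplicaSet"), ("apps", "StatefulSet"), ("apps", "DaemonSet"),
    ("batch", "Job"), ("batch", "CronJob"), ("", "ReplicationController"),
}

def _api_group(api_version):
    """'apps/v1' -> 'apps'; the core group 'v1' -> ''."""
    return api_version.split("/", 1)[0] if "/" in api_version else ""

def controller_owner(pod):
    """(group, kind) of the ownerReference with controller=true, or None."""
    for ref in pod.get("metadata", {}).get("ownerReferences", []):
        if ref.get("controller"):
            return (_api_group(ref.get("apiVersion", "")), ref.get("kind"))
    return None

def local_lookup_streams(imagestreams, namespace):
    """Index by name the streams in `namespace` with lookupPolicy.local=true.
    Lookup stays namespace scoped: whoever can create an ImageStream in the
    pod's namespace can redirect an unqualified reference, nobody else."""
    return {s["metadata"]["name"]: s for s in imagestreams
            if s["metadata"].get("namespace") == namespace
            and s.get("spec", {}).get("lookupPolicy", {}).get("local", False)}

def resolve_image(image, namespace, streams):
    """Rewrite an unqualified 'name:tag' to the internal-registry pull spec.
    Qualified references (registry, path or digest) and names or tags with no
    matching stream come back unchanged. Simplification: spec.tags, not status."""
    if "/" in image or "@" in image:
        return image
    name, _, tag = image.partition(":")
    tag = tag or "latest"
    stream = streams.get(name)
    if stream is None:
        return image
    if tag not in {t["name"] for t in stream.get("spec", {}).get("tags", [])}:
        return image
    return f"{INTERNAL_REGISTRY}/{namespace}/{name}:{tag}"

def rewrite_pod_images(pod, imagestreams, policy="proposed"):
    """Container images after lookup. 'current': skip the rewrite whenever a
    controller owner exists (the behaviour this report describes). 'proposed':
    skip only for Kubernetes-native controller kinds, so pods owned by Build,
    Tekton, Argo and similar are still rewritten."""
    namespace = pod["metadata"].get("namespace", "default")
    owner = controller_owner(pod)
    if policy == "current":
        skip = owner is not None
    elif policy == "proposed":
        skip = owner in KUBE_NATIVE_CONTROLLERS
    else:
        raise ValueError(f"unknown policy {policy!r}")
    images = [c["image"] for c in pod["spec"]["containers"]]
    if skip:
        return images
    streams = local_lookup_streams(imagestreams, namespace)
    return [resolve_image(img, namespace, streams) for img in images]

# Constructed sample objects mirroring steps 1 and 2 of the reproduction.
SAMPLE_IMAGESTREAM = {
    "apiVersion": "image.openshift.io/v1", "kind": "ImageStream",
    "metadata": {"name": "hello-openshift", "namespace": "okd-fcos"},
    "spec": {"lookupPolicy": {"local": True},
             "tags": [{"name": "1.2.0", "from": {
                 "kind": "DockerImage",
                 "name": "quay.io/openshifttest/hello-openshift:1.2.0"}}]},
}

def sample_pod(owner=None, image="hello-openshift:1.2.0"):
    """Pod from step 2; `owner` is an optional (apiVersion, kind) controller."""
    metadata = {"name": "example", "namespace": "okd-fcos"}
    if owner is not None:
        metadata["ownerReferences"] = [{"apiVersion": owner[0], "kind": owner[1],
                                        "name": "xxx", "controller": True}]
    return {"apiVersion": "v1", "kind": "Pod", "metadata": metadata,
            "spec": {"containers": [{"name": "hello", "image": image}]}}

def reproduce():
    """Step-2 pod (Build controller) under both policies."""
    pod = sample_pod(owner=("build.openshift.io/v1", "Build"))
    return {p: rewrite_pod_images(pod, [SAMPLE_IMAGESTREAM], p)[0]
            for p in ("current", "proposed")}

if __name__ == "__main__":
    for policy, image in reproduce().items():
        print(f"{policy:8s} -> {image}")  # current keeps the bare tag
```

Running the file prints the bare `hello-openshift:1.2.0` under the current policy (the pull that ends in ImagePullBackOff) and the internal-registry pull spec under the proposed one; a pod owned by an apps/v1 ReplicaSet is left alone under both, and a stream with the same name in another namespace, or with lookupPolicy.local=false, never affects the result.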