- Bug
- Resolution: Won't Do
- Normal
- None
- 4.15
- Moderate
- No
- False
This PR disables any image replacement for image streams that have LookupPolicy.local=true when the deployed workload has ownerReferences.controller=true.
This is generally a good approach when Kubernetes-native controllers manage the workload. However, it also disables the behavior for a wide range of other workloads. For example, controllers run by operators that create workloads directly as pods (Tekton, Argo Workflows, and derived projects) can no longer rely on the image-lookup feature.
In that case we cannot control the parent controller and should continue replacing the image based on the LookupPolicy. Alternatively, we could delegate to the external controllers the decision about reconciling the (mutable) image field of pod template specs, as partially discussed in https://github.com/openshift/openshift-apiserver/issues/339 .
Version-Release number of selected component (if applicable):
4.15 (.... 4.9ish)
How reproducible:
Always
Steps to Reproduce:
1. Create an image stream with LookupPolicy.local=true:

    apiVersion: image.openshift.io/v1
    kind: ImageStream
    metadata:
      name: hello-openshift
    spec:
      lookupPolicy:
        local: true
      tags:
      - name: 1.2.0
        from:
          kind: DockerImage
          name: quay.io/openshifttest/hello-openshift:1.2.0
        importPolicy:
          importMode: PreserveOriginal
        referencePolicy:
          type: Local

2. Create a pod with ownerReferences.controller=true and a container image field set to the image stream tag name, without the internal registry URL:

    apiVersion: v1
    kind: Pod
    metadata:
      name: example
      labels:
        app: httpd
      namespace: okd-fcos
      ownerReferences:
      - apiVersion: build.openshift.io/v1
        kind: Build
        name: xxx
        uid: 59efca52-10a8-4425-a4bc-3c5915ca189b
        controller: true
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: hello
        image: hello-openshift:1.2.0
        ports:
        - containerPort: 8080
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
Actual results:
ImagePullBackOff
Expected results:
The image field of the container gets replaced with the URL of the image, including the internal-registry FQDN.
Additional info:
1. We should document this at least in https://docs.openshift.com/container-platform/4.13/openshift_images/using-imagestreams-with-kube-resources.html
2. A possible solution is to allow that replacement when the workload is a pod and its controller is not one of the Kubernetes-native ones (replicaset, statefulset etc...).

- Previous bug: https://bugzilla.redhat.com/show_bug.cgi?id=1925180
- Related issue: https://github.com/openshift/openshift-apiserver/issues/339
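The decision rule proposed in point 2, written out as an added Go example (not openshift-apiserver code): resolution through the image stream stays enabled for a Pod unless its controlling owner is a Kubernetes-native workload controller. The OwnerReference struct, the set of "native" kinds beyond replicaset/statefulset, and the registry address used in main are assumptions; the real apiserver resolves the tag to the image stream's reference rather than simply prefixing the registry as done here.

```go
package main

import (
	"fmt"
	"strings"
)

// OwnerReference carries only the metav1.OwnerReference fields this rule needs
// (declared locally so the example runs without the Kubernetes client libraries).
type OwnerReference struct {
	APIVersion string
	Kind       string
	Controller *bool
}

// Kubernetes-native workload controllers: for these the 4.15 behaviour (no
// lookup on the pod) is intended. The list beyond ReplicaSet/StatefulSet is an assumption.
var nativeControllers = map[string]bool{
	"apps/ReplicaSet": true, "apps/StatefulSet": true, "apps/DaemonSet": true,
	"apps/Deployment": true, "batch/Job": true, "batch/CronJob": true,
	"core/ReplicationController": true,
}

// apiGroup returns the group of an apiVersion ("apps/v1" -> "apps", "v1" -> "core").
func apiGroup(apiVersion string) string {
	if i := strings.Index(apiVersion, "/"); i >= 0 {
		return apiVersion[:i]
	}
	return "core"
}

// ShouldResolveImage: with LookupPolicy.local=true, keep resolving unless the
// controller=true owner is a native workload controller (Build, Tekton, Argo, ... still resolve).
func ShouldResolveImage(lookupLocal bool, owners []OwnerReference) bool {
	if !lookupLocal {
		return false
	}
	for _, o := range owners {
		if o.Controller != nil && *o.Controller && nativeControllers[apiGroup(o.APIVersion)+"/"+o.Kind] {
			return false
		}
	}
	return true
}

// ResolveImage rewrites a bare "<imagestream>:<tag>" reference to the internal-registry
// form when the rule allows it; references that already name a registry are left alone.
func ResolveImage(image, registry, namespace string, lookupLocal bool, owners []OwnerReference) string {
	if !ShouldResolveImage(lookupLocal, owners) || strings.Contains(image, "/") {
		return image
	}
	return fmt.Sprintf("%s/%s/%s", registry, namespace, image)
}

func main() {
	yes := true
	build := []OwnerReference{{APIVersion: "build.openshift.io/v1", Kind: "Build", Controller: &yes}}
	rs := []OwnerReference{{APIVersion: "apps/v1", Kind: "ReplicaSet", Controller: &yes}}
	// registry address below is an assumed placeholder, not a value from the report
	fmt.Println(ResolveImage("hello-openshift:1.2.0", "registry.example:5000", "okd-fcos", true, build))
	fmt.Println(ResolveImage("hello-openshift:1.2.0", "registry.example:5000", "okd-fcos", true, rs))
}
```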