- Bug
- Resolution: Done-Errata
- Major
- None
- 4.17
- None
- None
- False
Stop using upstream kube-proxy version that causes issues with disconnected installs
Description of problem:
NFD package manifest contains upstream image from gcr.io with a tag instead of digest which causes three problems in disconnected scenario:
1) The artifact is pulled from non-RH registry which might infringe security policy
2) Using oc-mirror v1 with ImageContentSourcePolicy breaks the pull due to a tag instead of digest
3) If ImageTagMirrorSet is set instead of ICSP, the image is signed with a digest, but the pod/nfd-controller-manager tries to pull by the original tag v0.8.0 and fails
Version-Release number of selected component (if applicable):
4.16.0-202407031636
How reproducible:
Always
Steps to Reproduce:
1. oc describe packagemanifests.packages.operators.coreos.com nfd | awk '/Related Images/,/Entries/'
     Related Images:
       gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
       registry.redhat.io/openshift4/ose-cluster-nfd-rhel9-operator@sha256:376e2944ba279a1cf6e293c06e0aed4e8e7e2023fef08ac60c857ac73cbd8fcf
       registry.redhat.io/openshift4/ose-node-feature-discovery-rhel9@sha256:be6d1ac8af4b7b2211450b65f5923d92b2a4d9a34530da8d81627e7823f89507
     Version: 4.16.0-202407031636
2. Allow only registry.redhat.io on Proxy and install the operator
3. Use oc-mirror with ImageContentSourcePolicy configured and try mirroring the artifacts
4. Use ImageTagMirrorSet while mirroring and try running NFD controller manager
Actual results:
Ad 2. Mirroring fails, because gcr.io is not allowed
Ad 3. Mirroring fails, because the image is served by tag instead of digest
Ad 4. Pull by controller manager fails, because the image is retagged with a digest while nfd-controller-manager tries pulling it by tag ;)
Expected results:
Mirroring works properly from registry.redhat.io, operator and all the pods work properly
Additional info:
kube-rbac-proxy images are provided by Red Hat https://catalog.redhat.com/software/containers/openshift4/ose-kube-rbac-proxy/5cdb2634dd19c778293b4d98
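
A pre-mirroring check for the two conditions this report describes (an image outside the allowed registry, and an image referenced by tag rather than digest), added here as an example and not taken from the report or from the NFD operator. ALLOWED_REGISTRY and the function names are assumptions; the sample input is the Related Images output quoted above, with its indentation reconstructed.

```bash
#!/usr/bin/env bash
# Added example. ALLOWED_REGISTRY and all function names are assumptions.
ALLOWED_REGISTRY="${ALLOWED_REGISTRY:-registry.redhat.io}"

# Print "ok" or a comma-separated list of findings for one image reference.
classify_image() {
    local ref registry rest findings
    ref="$1"; findings=""
    registry="${ref%%/*}"      # host[:port] is everything before the first "/"
    rest="${ref#*/}"           # repository path plus ":tag" or "@sha256:digest"
    if [ "$registry" != "$ALLOWED_REGISTRY" ]; then
        findings="foreign-registry"
    fi
    case "$rest" in
        *@sha256:*) ;;         # digest-pinned: not affected by the tag problems above
        *) findings="${findings:+$findings,}not-digest-pinned" ;;
    esac
    printf '%s\n' "${findings:-ok}"
}

# Read `oc describe packagemanifests ... | awk '/Related Images/,/Entries/'`
# output on stdin, print "<findings> <image>" per problem, return 1 if any.
audit_images() {
    local ref extra verdict bad
    bad=0
    while read -r ref extra || [ -n "$ref" ]; do
        if [ -n "$extra" ]; then continue; fi       # "Related Images:", "Version: ..."
        case "$ref" in */*) ;; *) continue ;; esac  # not an image reference
        verdict="$(classify_image "$ref")"
        if [ "$verdict" != "ok" ]; then
            printf '%s %s\n' "$verdict" "$ref"
            bad=1
        fi
    done
    return "$bad"
}

# Sample input: the Related Images output quoted in this report (layout reconstructed).
sample_related_images() {
    cat <<'EOF'
    Related Images:
      gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
      registry.redhat.io/openshift4/ose-cluster-nfd-rhel9-operator@sha256:376e2944ba279a1cf6e293c06e0aed4e8e7e2023fef08ac60c857ac73cbd8fcf
      registry.redhat.io/openshift4/ose-node-feature-discovery-rhel9@sha256:be6d1ac8af4b7b2211450b65f5923d92b2a4d9a34530da8d81627e7823f89507
    Version: 4.16.0-202407031636
EOF
}

sample_related_images | audit_images || true
```

The non-zero return status of audit_images lets the check gate a mirroring job before oc-mirror is run.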
- clones: OCPBUGS-38239 [NFD] Using upstream kube-rbac-proxy image from gcr.io (Closed)
- depends on: OCPBUGS-39103 [NFD] Using upstream kube-rbac-proxy image from gcr.io (Verified)
- is depended on by: OCPBUGS-38239 [NFD] Using upstream kube-rbac-proxy image from gcr.io (Closed)
- links to: RHEA-2024:3717 OpenShift Container Platform 4.17.z extras update