Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-48253

error decoding policy json with ImagePolicy in different namespaces

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • 4.18
    • Node / CRI-O
    • None
    • OCP Node Sprint 265 (Blue)
    • 1
    • False
    • Hide

      None

      Show
      None
    • Hide
      Cause: json decoding issue when generating policy configurations for different namespaces
      Consequence: only the imagepolicy for the first namespace rolled out to the /etc/crio/policies directory
      Fix: Fixed the failure when decoding json
      Result: roll out different policy files under /etc/crio/policies for each namespace
      Show
      Cause: json decoding issue when generating policy configurations for different namespaces Consequence: only the imagepolicy for the first namespace rolled out to the /etc/crio/policies directory Fix: Fixed the failure when decoding json Result: roll out different policy files under /etc/crio/policies for each namespace
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-48195. The following is the description of the original issue:

      Description of problem:

          MCO failed to roll out imagepolicy configuration with imagepoliy objects for different namespaces

      Version-Release number of selected component (if applicable):

      How reproducible:

      Create ImagePolicy for testnamespace and mynamespace

      apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
metadata:
  name: p1
  namespace: testnamespace
spec:
  scopes:
  - example.com/global/image
  - example.com
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFVW9GVW9ZQVJlS1hHeTU5eGU1U1FPazJhSjhvKwoyL1l6NVk4R2NOM3pGRTZWaUl2a0duSGhNbEFoWGFYL2JvME05UjYyczAvNnErK1Q3dXdORnVPZzhBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t
    signedIdentity:
      matchPolicy: ExactRepository
      exactRepository:
        repository: example.com/foo/bar

apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
metadata:
  name: p2
  namespace: mynamespace
spec:
  scopes:
  - registry.namespacepolicy.com
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: Zm9vIGJhcg==
    signedIdentity:
      matchPolicy: ExactRepository
      exactRepository:
        repository: example.com/foo/bar

      Steps to Reproduce:

          1.create namespace test-namespace, the first imagepolicy
    2.create the second namespace and imagepolicy

      Actual results:

          only the first imagepolicy got rolled out
machineconfig controller log error:  
$ oc logs -f machine-config-controller-c997df58b-9dk8t  
I0108 23:05:09.141699       1 container_runtime_config_controller.go:499] Error syncing image config openshift-config: could not Create/Update MachineConfig: could not update namespace policy JSON from imagepolicy: error decoding policy json for namespaced policies: EOF

      Expected results:

          both /etc/crio/policies/mynamespace.json and /etc/crio/policies/testnamespace.json created

      Additional info:

              qiwan233 Qi Wang
              openshift-crt-jira-prow OpenShift Prow Bot
              Cameron Meadors Cameron Meadors
              Qi Wang
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: