OCPBUGS-55973

Interaction between RHEL and OCP image policy opinions


      Description of problem:

      4.19 OpenShift (OCP) uses RHEL 9.6, which has image policy opinions requiring registry.redhat.io and registry.access.redhat.com signatures (OCPBUGS-55106). OCP has (Cluster)ImagePolicy allowing customers to define their own policies. And sometimes OCP has its own opinions. This ticket is asking for some kind of plan or policy around how these opinions will interact. Options include:

      1. OCP ignores RHEL opinions, and clobbers them as soon as possible after arriving on a boot image.
      2. OCP respects RHEL opinions, and provides cluster admins and OCP components with a way to append additional restrictions, but no ability to remove RHEL-level opinions.
      3. OCP respects RHEL opinions by default, and allows cluster admins to both add additional policies and also soften or remove RHEL policies.
      4. Probably lots more options I'm not thinking of.

      Good luck!

      Steps to Reproduce, actual results, expected results

      See OCPBUGS-55106 for one instance of the current lack-of-policy causing issues.

              Team MCO (team-mco)
              W. Trevor King (trking)
              Michael Nguyen
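The three options in the description, sketched as merge functions over containers-policy.json style scopes. This is an added example, not code from the ticket or from OpenShift. It assumes the RHEL opinion is a `signedBy` requirement and the cluster policy is a `sigstoreSigned` requirement on a narrower scope; the key paths and the `openshift4` scope are constructed placeholders.

```python
# Added example; scopes model only the "docker" transport of containers-policy.json(5).
# Key paths and the OCP-side scope are constructed placeholders, not real cluster values.
RHEL_REQ = {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/constructed/rhel.gpg"}
OCP_REQ = {"type": "sigstoreSigned", "keyPath": "/constructed/cluster.pub"}
RHEL = {"registry.redhat.io": [RHEL_REQ], "registry.access.redhat.com": [RHEL_REQ]}
OCP = {"registry.redhat.io/openshift4": [OCP_REQ]}


def lookup_order(name):
    """The name itself, then each less specific parent scope, nearest first."""
    parts = name.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def effective(policy, image):
    """Only the most specific matching scope applies; all of its requirements must pass."""
    for scope in lookup_order(image):
        if scope in policy:
            return policy[scope]
    return []  # stands in for the file's "default" entry, which is not modelled here


def clobber(rhel, ocp):
    """Option 1: the cluster policy replaces the OS policy outright."""
    return {scope: list(reqs) for scope, reqs in ocp.items()}


def append_only(rhel, ocp):
    """Option 2: the cluster may add requirements but never drop OS ones."""
    merged = {scope: list(reqs) for scope, reqs in rhel.items()}
    for scope, reqs in ocp.items():
        # A narrower cluster scope would shadow the OS scope above it, so it
        # has to inherit the OS requirements before adding its own.
        inherited = effective(rhel, scope)
        merged[scope] = list(inherited) + [r for r in reqs if r not in inherited]
    return merged


def respect_by_default(rhel, ocp, removed_scopes=()):
    """Option 3: as option 2, except admins may explicitly remove named OS scopes."""
    kept = {scope: reqs for scope, reqs in rhel.items() if scope not in removed_scopes}
    return append_only(kept, ocp)


if __name__ == "__main__":
    for image in ("registry.redhat.io/openshift4/ose-cli", "registry.redhat.io/ubi9/ubi"):
        for merge in (clobber, append_only, respect_by_default):
            print(image, merge.__name__, effective(merge(RHEL, OCP), image))
```

Under option 1 an image outside the cluster's own scopes falls through to the unmodelled default, which is where the RHEL-level signature requirement is lost.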