Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-61056

ValidatingAdmissionPolicy not working for openshift-apiserver resources

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • 4.21.0
    • 4.18, 4.19, 4.20
    • openshift-apiserver
    • None
    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • Important
    • None
    • Done
    • Bug Fix
    • Hide
      Before this update, a bug prevented the `ValidatingAdmissionPolicy` resource from applying to certain {product-title} API resources, such as `BuildConfig` and `DeploymentConfig`. As a consequence, custom admission policies were not enforced on these specific resources, which potentially allowed configurations that did not meet organizational standards to be created or updated. With this release, the validation logic has been corrected to ensure that the`ValidatingAdmissionPolicy` resource now correctly identifies and applies to all intended {product-title} resources. As a result, users can consistently enforce policies across their entire cluster, including the `BuildConfig` and `DeploymentConfig` resources. (link:https://issues.redhat.com/browse/OCPBUGS-61056[OCPBUGS-61056])
      Show
      Before this update, a bug prevented the `ValidatingAdmissionPolicy` resource from applying to certain {product-title} API resources, such as `BuildConfig` and `DeploymentConfig`. As a consequence, custom admission policies were not enforced on these specific resources, which potentially allowed configurations that did not meet organizational standards to be created or updated. With this release, the validation logic has been corrected to ensure that the`ValidatingAdmissionPolicy` resource now correctly identifies and applies to all intended {product-title} resources. As a result, users can consistently enforce policies across their entire cluster, including the `BuildConfig` and `DeploymentConfig` resources. (link: https://issues.redhat.com/browse/OCPBUGS-61056 [ OCPBUGS-61056 ])
    • None
    • None
    • None
    • None

      Description of problem:

      Customer would like to use ValidatingAdmissionPolicies in OpenShift Container Platform 4.17 to limit the creation of BuildConfigs. As a result, they created the following ValidatingAdmissionPolicy:

      ---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-creation-of-build-configs
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - operations: ["CREATE"]
      apiGroups: ["build.openshift.io"]
      apiVersions: ["v1"]
      resources: ["buildconfigs"]
  validations:
  - expression: "false"
    message: "Creation of BuildConfigs is not allowed."
    reason: Invalid
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-creation-of-build-configs-binding
spec:
  policyName: deny-creation-of-build-configs
  validationActions: [Deny]
---

      This ValidatingAdmissionPolicy however does not work as expected. From what I understood so far, it seems that all resources handled by "openshift-apiserver" do not respect the ValidatingAdmissionPolicies.

      This was also discussed in Slack here: https://redhat-internal.slack.com/archives/CB48XQ4KZ/p1756392900807839

      Ben has already created a PR here: https://github.com/openshift/openshift-apiserver/pull/546

      Version-Release number of selected component (if applicable):

      Reproducible on OpenShift Container Platform 4.18.21

      How reproducible:

      Always

      Steps to Reproduce:

      1. Provision a cluster with OpenShift Container Platform 4.18.21
      2. Create the above ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding
      3. Try to create a new BuildConfig

      The same is also valid for other resources handled by "openshift-apiserver"

      Actual results:

      BuildConfig is created.

      Expected results:

      The ValidatingAdmissionPolicy denies the creation of the BuildConfig

      Additional info:

              Unassigned Unassigned
              rhn-support-skrenger Simon Krenger
              None
              None
              None
              None
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: