OCPBUGS-65848

ValidatingAdmissionPolicy not working for openshift-apiserver resources

    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • 4.20.z
    • 4.18, 4.19, 4.20
    • openshift-apiserver
    • Important
    • Bug Fix
    • Fixed a bug that prevented ValidatingAdmissionPolicy from applying to certain OpenShift API resources, including BuildConfig and DeploymentConfig.

      This is a clone of issue OCPBUGS-61056. The following is the description of the original issue:

      Description of problem:

      Customer would like to use ValidatingAdmissionPolicies in OpenShift Container Platform 4.17 to limit the creation of BuildConfigs. As a result, they created the following ValidatingAdmissionPolicy:

      ---
      apiVersion: admissionregistration.k8s.io/v1
      kind: ValidatingAdmissionPolicy
      metadata:
        name: deny-creation-of-build-configs
      spec:
        failurePolicy: Fail
        matchConstraints:
          resourceRules:
          - operations: ["CREATE"]
            apiGroups: ["build.openshift.io"]
            apiVersions: ["v1"]
            resources: ["buildconfigs"]
        validations:
        - expression: "false"
          message: "Creation of BuildConfigs is not allowed."
          reason: Invalid
      ---
      apiVersion: admissionregistration.k8s.io/v1
      kind: ValidatingAdmissionPolicyBinding
      metadata:
        name: deny-creation-of-build-configs-binding
      spec:
        policyName: deny-creation-of-build-configs
        validationActions: [Deny]
      ---
      

      This ValidatingAdmissionPolicy, however, does not work as expected. From what I understood so far, it seems that all resources handled by "openshift-apiserver" do not respect the ValidatingAdmissionPolicies.

      This was also discussed in Slack here: https://redhat-internal.slack.com/archives/CB48XQ4KZ/p1756392900807839

      Ben has already created a PR here: https://github.com/openshift/openshift-apiserver/pull/546

      Version-Release number of selected component (if applicable):

      Reproducible on OpenShift Container Platform 4.18.21

      How reproducible:

      Always

      Steps to Reproduce:

      1. Provision a cluster with OpenShift Container Platform 4.18.21
      2. Create the above ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding
      3. Try to create a new BuildConfig

      The same is also valid for other resources handled by "openshift-apiserver".

      Actual results:

      BuildConfig is created.

      Expected results:

      The ValidatingAdmissionPolicy denies the creation of the BuildConfig.

      Additional info:
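      As an added audit check (not part of this report or of the openshift-apiserver project), the Python below lists every ValidatingAdmissionPolicy match rule that targets a group/version served by an aggregated APIService, i.e. the rules whose enforcement must be verified against that server's own admission chain rather than assumed from kube-apiserver. It takes the `.items` lists from `kubectl get apiservices -o json` and `kubectl get validatingadmissionpolicies -o json`; the APIService and policy objects embedded at the bottom are constructed sample input.

```python
# Added audit helper (not code from this report or openshift-apiserver). Input: the
# .items lists from `kubectl get apiservices|validatingadmissionpolicies -o json`.

def aggregated_group_versions(apiservices):
    """(group, version) pairs served by an aggregated API server; a Local
    APIService (served by kube-apiserver itself) has no spec.service."""
    delegated = set()
    for svc in apiservices:
        spec = svc.get("spec", {})
        if spec.get("service"):  # set => requests are proxied to another server
            delegated.add((spec.get("group", ""), spec["version"]))
    return delegated

def _rule_matches(patterns, value):
    # Rule fields match exactly, or everything when "*" is listed.
    return any(p == "*" or p == value for p in patterns)

def rules_on_aggregated_apis(policies, apiservices):
    """(policy, group, version, resource) for every resourceRule that selects a
    group/version served by an aggregated server; verify those separately."""
    delegated = sorted(aggregated_group_versions(apiservices))
    hits = []
    for pol in policies:
        name = pol["metadata"]["name"]
        rules = pol["spec"].get("matchConstraints", {}).get("resourceRules", [])
        for rule in rules:
            for group, version in delegated:
                if (_rule_matches(rule.get("apiGroups", []), group)
                        and _rule_matches(rule.get("apiVersions", []), version)):
                    for res in rule.get("resources", []):
                        hits.append((name, group, version, res))
    return hits

# Constructed sample: the APIService openshift-apiserver registers for build.openshift.io,
# a Local one for apps, the report's policy and a constructed one on Deployments.
APISERVICES = [
    {"spec": {"group": "build.openshift.io", "version": "v1",
              "service": {"name": "api", "namespace": "openshift-apiserver"}}},
    {"spec": {"group": "apps", "version": "v1", "service": None}},
]
def _policy(name, group, resource):  # builds a minimal constructed policy object
    return {"metadata": {"name": name}, "spec": {"matchConstraints": {"resourceRules": [
        {"operations": ["CREATE"], "apiGroups": [group], "apiVersions": ["v1"],
         "resources": [resource]}]}}}
POLICIES = [_policy("deny-creation-of-build-configs", "build.openshift.io", "buildconfigs"),
            _policy("deny-deployments", "apps", "deployments")]

if __name__ == "__main__":
    for hit in rules_on_aggregated_apis(POLICIES, APISERVICES):
        print("verify enforcement on aggregated API: %s -> %s/%s %s" % hit)
```

      Each reported rule is a candidate for the server-side check in the reproduction steps above (apply the policy, then attempt the create); the Deployments policy is not reported because apps/v1 is served by kube-apiserver directly.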

              Assignee: Unassigned
              Reporter: Simon Krenger (rhn-support-skrenger)
              Rahul Gangwar
              Votes: 0
              Watchers: 5