
ValidatingAdmissionPolicy not working for openshift-apiserver resources

Priority: Important
Status: In Progress
Release Note Type: Bug Fix

Release Note Text:
Before this update, a bug prevented the `ValidatingAdmissionPolicy` resource from applying to certain {product-title} API resources, such as `BuildConfig` and `DeploymentConfig`. This meant that custom admission policies were not enforced on these specific resources, potentially allowing configurations that did not meet organizational standards to be created or updated. With this release, the validation logic has been corrected to ensure that the `ValidatingAdmissionPolicy` resource now correctly identifies and applies to all intended {product-title} resources. As a result, users can consistently enforce policies across their entire cluster, including the `BuildConfig` and `DeploymentConfig` resources. (link:https://issues.redhat.com/browse/OCPBUGS-66920[OCPBUGS-66920])

      This is a clone of issue OCPBUGS-65848. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-61056. The following is the description of the original issue:

      Description of problem:

      Customer would like to use ValidatingAdmissionPolicies in OpenShift Container Platform 4.17 to limit the creation of BuildConfigs. As a result, they created the following ValidatingAdmissionPolicy:

      ---
      apiVersion: admissionregistration.k8s.io/v1
      kind: ValidatingAdmissionPolicy
      metadata:
        name: deny-creation-of-build-configs
      spec:
        failurePolicy: Fail
        matchConstraints:
          resourceRules:
          - operations: ["CREATE"]
            apiGroups: ["build.openshift.io"]
            apiVersions: ["v1"]
            resources: ["buildconfigs"]
        validations:
        - expression: "false"
          message: "Creation of BuildConfigs is not allowed."
          reason: Invalid
      ---
      apiVersion: admissionregistration.k8s.io/v1
      kind: ValidatingAdmissionPolicyBinding
      metadata:
        name: deny-creation-of-build-configs-binding
      spec:
        policyName: deny-creation-of-build-configs
        validationActions: [Deny]
      ---
      

      This ValidatingAdmissionPolicy, however, does not work as expected. From what I understood so far, it seems that all resources handled by "openshift-apiserver" do not respect the ValidatingAdmissionPolicies.

      This was also discussed in Slack here: https://redhat-internal.slack.com/archives/CB48XQ4KZ/p1756392900807839

      Ben has already created a PR here: https://github.com/openshift/openshift-apiserver/pull/546

      Version-Release number of selected component (if applicable):

      Reproducible on OpenShift Container Platform 4.18.21

      How reproducible:

      Always

      Steps to Reproduce:

      1. Provision a cluster with OpenShift Container Platform 4.18.21
      2. Create the above ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding
      3. Try to create a new BuildConfig

      The same is also valid for other resources handled by "openshift-apiserver".

      Actual results:

      BuildConfig is created.

      Expected results:

      The ValidatingAdmissionPolicy denies the creation of the BuildConfig

      Additional info:
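A verification script for the reproduction steps above, added here as an example (it is not part of the bug report or of the openshift-apiserver fix). It assumes `oc` is logged in to a cluster where the policy and binding from the report are already applied, and that the denial text follows the upstream kube-apiserver format `ValidatingAdmissionPolicy '<name>' with binding '<binding>' denied request: <message>`; the BuildConfig manifest and its Git URI are constructed placeholders.

```shell
#!/bin/sh
# Probe whether the deny-creation-of-build-configs policy from the report is
# actually enforced for an openshift-apiserver resource (BuildConfig).
# Assumes: `oc` is logged in, and the policy + binding from the report exist.
set -eu

POLICY="deny-creation-of-build-configs"            # policy name from the report
MESSAGE="Creation of BuildConfigs is not allowed."  # validations[0].message

# Classify one server-side dry-run create. $1 = oc exit status, $2 = its stderr.
# Prints DENIED_BY_POLICY (the VAP rejected it), REJECTED_OTHER (another error,
# e.g. schema validation), or ALLOWED (the apiserver would have created it).
classify() {
  if [ "$1" -eq 0 ]; then
    echo ALLOWED
  elif printf '%s\n' "$2" | grep -qF "ValidatingAdmissionPolicy '$POLICY'" &&
       printf '%s\n' "$2" | grep -qF "$MESSAGE"; then
    echo DENIED_BY_POLICY
  else
    echo REJECTED_OTHER
  fi
}

# Run `oc create --dry-run=server` on the manifest given on stdin: nothing is
# persisted, but admission (including VAP) still runs on the server side.
probe() {
  rc=0
  err=$(oc create -f - --dry-run=server 2>&1 >/dev/null) || rc=$?
  classify "$rc" "$err"
}

# Constructed minimal BuildConfig; the placeholder Git URI is never cloned.
probe_manifest() {
  cat <<'EOF'
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: vap-probe
spec:
  source: {type: Git, git: {uri: https://example.com/placeholder.git}}
  strategy: {type: Docker, dockerStrategy: {}}
EOF
}

if [ "${1:-}" = "--run" ]; then
  result=$(probe_manifest | probe)
  echo "BuildConfig create via openshift-apiserver: $result"
  [ "$result" = DENIED_BY_POLICY ] || { echo "policy NOT enforced (OCPBUGS-66920 symptom)"; exit 1; }
fi
```

Run it with `--run` on an affected 4.18.21 cluster and it reports ALLOWED, the symptom from the report; on a fixed cluster it reports DENIED_BY_POLICY.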

Assignee: Unassigned
Reporter: Simon Krenger (rhn-support-skrenger)
Rahul Gangwar