OpenShift Node: OCPNODE-3503

pre-merge testing: Move ClusterImagePolicy, ImagePolicy to v1 - DevPreviewNoUpgrade


    • Type: Story
    • Resolution: Done
    • Sprint: OCP Node Sprint 274

      Environment: launch 4.20,openshift/api#2384,openshift/cluster-update-keys#74,openshift/machine-config-operator#5143,openshift/origin#29973 gcp, no-spot

       

      FeatureGate BEFORE DevPreviewNoUpgrade

      oc get featuregate cluster -o yaml
      apiVersion: config.openshift.io/v1
      kind: FeatureGate
      metadata:
      …
      spec: {}
      status:
        featureGates:
        - disabled:
          - name: AWSClusterHostedDNS
          .....
          - name: SignatureStores
          - name: SigstoreImageVerification
          - name: SigstoreImageVerificationPKI
          - name: StoragePerformantSecurityPolicy
          enabled:
          - name: AdditionalRoutingCapabilities
          ….. 

       

      FeatureGate AFTER DevPreviewNoUpgrade

      oc get featuregate cluster -o yaml
      apiVersion: config.openshift.io/v1
      kind: FeatureGate
      metadata:
        annotations:
      ....
      spec:
        featureSet: DevPreviewNoUpgrade
      status:
        featureGates:
        - disabled:
          - name: ClusterAPIInstall
          ......
          - name: SigstoreImageVerification
          enabled:
          - name: AWSClusterHostedDNS
          .....
          - name: SignatureStores
          - name: SigstoreImageVerificationPKI
          - name: StoragePerformantSecurityPolicy
          - name: TranslateStreamCloseWebsocketRequests 

       The SigstoreImageVerification FeatureGate remained disabled.

       

      Tests and Checks:

      1. Checking versions:

      ❯ oc get crd clusterimagepolicies.config.openshift.io -o json | jq -r '.spec.versions[].name'
      v1
      ❯ oc get crd clusterimagepolicies.config.openshift.io -o json | jq -r '.status.storedVersions[]'
      v1
      ❯ oc get crd imagepolicies.config.openshift.io -o json | jq -r '.spec.versions[].name'
      v1
      ❯ oc get crd imagepolicies.config.openshift.io -o json | jq -r '.status.storedVersions[]'
      v1 

      2. The ClusterImagePolicy CRD was created (the "openshift" CR was not)

      3. The ImagePolicy CRD was created

      4. Creating a ClusterImagePolicy CR was possible:

      oc get clusterimagepolicy myclusterpolicy -o yaml
      apiVersion: config.openshift.io/v1
      kind: ClusterImagePolicy
      metadata:
        annotations:
         ….
        generation: 1
        name: myclusterpolicy
      spec:
        policy:
          rootOfTrust:
            policyType: PublicKey
            publicKey:
              keyData: LS0tLS1CRUdJGN1L1VvT…….IEtFWS0tLS0t
          signedIdentity:
            matchPolicy: MatchRepository
        scopes:
        - quay.io/rh-ee-anahas/testsignedimage 

      4a. However, policy.json was not updated:

      cat policy.json
      {
          "default": [
              {
                  "type": "insecureAcceptAnything"
              }
          ],
          "transports":
              {
                  "docker-daemon":
                      {
                          "": [{"type":"insecureAcceptAnything"}]
                      }
              }
      }

      4b. sigstore-registries.yaml was not created.

      5. Create a new pod that pulls from the scoped repository:

      oc apply -f - << EOF
      apiVersion: v1
      kind: Pod
      metadata:
        name: pod-test2
        labels:
          app: pod-test
      spec:
        securityContext:
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        containers:
        - name: hello-pod
          image: quay.io/rh-ee-anahas/testsignedimage:latest
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
          ports:
          - containerPort: 80
      EOF 
      cri-o log lines on the node:
      • "IsRunningImageAllowed for image docker:quay.io/rh-ee-anahas/testsignedimage:latest" file="signature/policy_eval.go:274"
      • "Using default policy section" file="signature/policy_eval.go:162"
      • Pulled image: quay.io/rh-ee-anahas/testsignedimage@sha256:b72960b93a140be0c394b023259124d45

      6. Create a new ImagePolicy CR:

      oc apply -f - << EOF
      apiVersion: config.openshift.io/v1
      kind: ImagePolicy
      metadata:
        name: myimagepolicy1
        namespace: test2
      spec:
        scopes:
          - quay.io/rh-ee-anahas/imagedigest@sha256:531eaae43197a403f9ae14b900480ba8d7a4b4893153072beee79e8572fa1af0
        policy:
          rootOfTrust:
            policyType: PublicKey
            publicKey:
              keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZ...0t
          signedIdentity:
            matchPolicy: MatchRepoDigestOrExact
      EOF
      imagepolicy.config.openshift.io/myimagepolicy1 created

      7. sigstore-registries.yaml and namespacePolicy.json were not created:

      sh-5.1# cd /etc/containers/registries.d/
      sh-5.1# ls
      default.yaml  registry.access.redhat.com.yaml  registry.redhat.io.yaml
      sh-5.1# cd /etc/crio/policies/
      sh-5.1# ls
      sh-5.1# 

      8. Create a new pod to pull the scoped image (from the ImagePolicy CR created in step 6):

       

      ❯ oc project
      Using project "test2" on server "https://api.ci-ln-f4lhi22-72292.gcp-2.ci.openshift.org:6443".
      ❯ oc get imagepolicy
      NAME             AGE
      myimagepolicy1   6m54s
      ❯ oc apply -f - << EOF
      apiVersion: v1
      kind: Pod
      metadata:
        name: pod1
        labels:
          app: pod-test
      spec:
        securityContext:
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        containers:
        - name: hello-pod
          image: quay.io/rh-ee-anahas/imagedigest@sha256:531eaae43197a403f9ae14b900480ba8d7a4b4893153072beee79e8572fa1af0
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
          ports:
          - containerPort: 80
      EOF
      pod/pod1 created 

      9. Checking logs (cri-o on the node):

      • "IsRunningImageAllowed for image docker:quay.io/rh-ee-anahas/imagedigest@sha256:531eaae4319...f0" file="signature/policy_eval>
      • " Using default policy section" file="signature/policy_eval.go:162"
      • "Pulled image: quay.io/rh-ee-anahas/imagedigest@sha256:531eaae...a1af0" file="server/image_pull.go:122"

       

      Since the policy files were not created, the policy was never checked, so the "default policy" was the one used. Pods were created successfully.
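To make the outcome of steps 4a, 5, 7 and 9 concrete, the following is an added example (not code from this issue, the MCO or cri-o) that models how a containers-policy.json(5) file is evaluated for a pulled image and what transports.docker entries a PublicKey ClusterImagePolicy or ImagePolicy spec would be expected to add. The scope matching is a simplified re-implementation of containers/image (most specific scope wins, then the transport-wide "" scope, then the global default); the rendering to sigstoreSigned requirements and the layout of the namespaced policy file are assumptions; the sample policy.json, the CR specs and the keyData placeholders are constructed for the example and do not contain the key from the issue.

```python
"""Model of containers-policy.json(5) scope evaluation plus the entries a
ClusterImagePolicy / ImagePolicy spec is expected to render. Added example
for this test report; it is not MCO or cri-o code. Scope matching is a
simplified re-implementation of containers/image; the sigstoreSigned
rendering is an assumption; all sample data below is constructed."""
import json

# Constructed copy of the policy.json observed on the node in step 4a.
OBSERVED_POLICY_JSON = """{
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {
        "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
    }
}"""

# Constructed stand-ins for the CR specs in steps 4 and 6 (keyData is a
# placeholder, not the key from the issue).
CLUSTER_IMAGE_POLICY_SPEC = {
    "scopes": ["quay.io/rh-ee-anahas/testsignedimage"],
    "policy": {
        "rootOfTrust": {"policyType": "PublicKey",
                        "publicKey": {"keyData": "LS0tLS1CRUdJTi...placeholder"}},
        "signedIdentity": {"matchPolicy": "MatchRepository"},
    },
}
IMAGE_POLICY_SPEC = {
    "scopes": ["quay.io/rh-ee-anahas/imagedigest@sha256:"
               "531eaae43197a403f9ae14b900480ba8d7a4b4893153072beee79e8572fa1af0"],
    "policy": {
        "rootOfTrust": {"policyType": "PublicKey",
                        "publicKey": {"keyData": "LS0tLS1CRUdJTi...placeholder"}},
        "signedIdentity": {"matchPolicy": "MatchRepoDigestOrExact"},
    },
}

# CR matchPolicy values -> policy.json signedIdentity types (containers-policy.json(5)).
MATCH_POLICY = {
    "MatchRepoDigestOrExact": "matchRepoDigestOrExact",
    "MatchRepository": "matchRepository",
    "ExactRepository": "exactRepository",
    "RemapIdentity": "remapIdentity",
}


def candidate_scopes(ref):
    """Scopes to try for a docker: reference, most specific first, ending with
    the transport-wide "" scope."""
    name = ref.split("@", 1)[0]
    head, _, last = name.rpartition("/")
    if ":" in last:                      # ':' after the last '/' is a tag, not a port
        last = last.split(":", 1)[0]
        name = f"{head}/{last}" if head else last
    scopes = [ref] if ref != name else []
    parts = name.split("/")
    scopes += ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return scopes + [""]


def evaluate(policy, ref, transport="docker"):
    """Return (matched_scope, [requirement types]). matched_scope == "default"
    means the global default applies, which is the "Using default policy
    section" line cri-o logged in steps 5 and 9."""
    scoped = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(ref):
        if scope in scoped:
            return scope, [r["type"] for r in scoped[scope]]
    return "default", [r["type"] for r in policy.get("default", [])]


def render_docker_entries(spec):
    """transports.docker entries a PublicKey CR spec is expected to produce
    (assumed rendering as sigstoreSigned requirements)."""
    pol = spec["policy"]
    root = pol["rootOfTrust"]
    if root["policyType"] != "PublicKey":
        raise NotImplementedError("only PublicKey roots are modelled here")
    req = {"type": "sigstoreSigned",
           "keyData": root["publicKey"]["keyData"],
           "signedIdentity": {"type": MATCH_POLICY[pol["signedIdentity"]["matchPolicy"]]}}
    return {scope: [req] for scope in spec["scopes"]}


def with_entries(policy_json, entries):
    """Copy of policy_json with the given transports.docker entries merged in."""
    policy = json.loads(policy_json)
    policy.setdefault("transports", {}).setdefault("docker", {}).update(entries)
    return policy


def observed_policy():
    return json.loads(OBSERVED_POLICY_JSON)


def expected_cluster_policy():
    """Modelled /etc/containers/policy.json after step 4 (assumed layout)."""
    return with_entries(OBSERVED_POLICY_JSON, render_docker_entries(CLUSTER_IMAGE_POLICY_SPEC))


def expected_namespace_policy():
    """Modelled per-namespace policy under /etc/crio/policies/ after step 6 (assumed layout)."""
    return with_entries(OBSERVED_POLICY_JSON, render_docker_entries(IMAGE_POLICY_SPEC))


if __name__ == "__main__":
    image = "quay.io/rh-ee-anahas/testsignedimage:latest"
    print("observed policy:", evaluate(observed_policy(), image))
    print("expected policy:", evaluate(expected_cluster_policy(), image))
```

Run against the observed file, the pull of quay.io/rh-ee-anahas/testsignedimage:latest falls through to the global default and returns insecureAcceptAnything, matching the "Using default policy section" log line; against the modelled file with the CR's scope rendered in, the same pull resolves to the repository scope and a sigstoreSigned requirement, which is the behaviour the CR is meant to produce once the MCO writes the files.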


              Alice Nahas (rh-ee-anahas)
              Cucushift Bot (cucushift-bot)