Allow to restrict imports to white listed registries

[mfojtik]

This change will allow to restrict image importing to registries that are white listed in the master-config.yaml. By default (when not specified) the legacy behavior is retained and any registry is allowed for the image import.
However, for a new clusters when the master-config.yaml is created, we picked the known public registries and whitelisted them explicitely.

Q/A:

What impact will this have to existing users?
Unless you recreate the master-config.yaml, everything should work as it worked before.

What impact will this have to new users?
When the master-config.yaml is written to disk, the list of registries we allow to import from will be created. In case you want to import Docker image from third-party registry, that registry needs to be added to the list (a server restart is required after that change).

The verification is done in image import validation, so:

 # oc import-image foo.bar:5000/test/test --confirm
The ImageStreamImport "test" is invalid: spec.images[0].from.name: Invalid value: "foo.bar:5000/test/test": importing images from registry "foo.bar" is forbidden, only images from "docker.io,registry.access.redhat.com,gcr.io,quay.io,*.amazonaws.com" are allowed

In case of creating the ImageStream directly with tags, the importer will report errors if the untrusted
registry is used in the ImageStream status:

# oc describe is/ruby
Name:			ruby
Namespace:		test
Created:		8 seconds ago
Labels:			<none>
Annotations:		openshift.io/display-name=Ruby
Docker Pull Spec:	172.30.53.250:5000/test/ruby
Unique Images:		0
Tags:			5
...
...
foo.bar:5000/openshift/ruby-20-centos7:latest
  pushed image

  ! error: Import failed (Invalid value: "foo.bar:5000/openshift/ruby-20-centos7:latest": importing images from registry "foo.bar" is forbidden, only images from "docker.io,registry.access.redhat.com,gcr.io,quay.io,*.amazonaws.com" are allowed):
      7 seconds ago

In case you already have images imported from third-party registries that are not whitelisted
the images will remain but the scheduled import won't work for them anymore (you will see the error above).

[mfojtik]

[test]

[mfojtik]

@smarterclayton need to double check on the registry hostnames here...

[smarterclayton]

We can't default this on - that breaks existing clusters.

[smarterclayton]

You need to do this when we create a config, not in API defaulting.

[mfojtik]

fixed. also I moved the default whitelist to types.go (instead of burrying it in master_args)

[smarterclayton]

Make this a sub struct with a single field.

[smarterclayton]

Specify domain name.

[mfojtik]

@smarterclayton i this we also need wildcard (*) for registries like ECS. Does it make sense?

[smarterclayton]

Yes, supporting wildcard is fine. Be sure to document the wildcard syntax. A bit concerned that we shouldn't support crazy wildcards (filepath matching is crazy).

[mfojtik]

@smarterclayton i don't want to re-invent wildcard matching, so if you have better suggestion from the standard library I'm all for it :-) The filepath matching seems reasonable to me... I guess most users/admins will just use the '*' and '??' wildcards anyway.

[smarterclayton]

This needs to only impose this behavior when this is set. If empty, old behavior applies.

[smarterclayton]

Ports matter - gcr.io on port 443 is not the same as gcr.io on port 935

[mfojtik]

i assume all registries we whitelist by default run on 443?

[smarterclayton]

so I'd say if port is not specified, it can be 443 or 80 (secure or insecure). If it is specified, it must match. I.e. docker.io matches docker.io:443, but docker.io does not match docker.io:8443

[mfojtik]

@smarterclayton maybe we can add that to the config struct (insecure: true)

[smarterclayton]

If empty, you have to bypass this. Can't break old clusters.

[mfojtik]

right, I will make it optional.

[smarterclayton]

This message needs to be really good - this is going to break people. You're going to have to make sure the CLI and UI do a good job of presenting this error.

Images may not be imported from %q - only images from %s are allowed

[smarterclayton]

Would be good to demonstrate how this would be shown in oc import-image, oc describe is, web console, etc

[mfojtik]

with the current implementation, it will get surfaced in the events inside image stream... when I rework this in validation, I think it you will get the error when you run oc import-image, so the IS won't be created at all.

Web console will get validation error as well, so I think that will be presented to users in nice form.

[smarterclayton]

I don't like filepath because it is OS specific.

[mfojtik]

yeah, I will probably craft something custom and make it part of util/strings.go

[smarterclayton]

Why is this here? Put this in ImageStreamImport validation, pass the allowed registries to the strategy, not the importer.

[mfojtik]

you're right... I thought we want to do this in importer, but this really is a validation... i will pass the list of allowed registries to import validator and verify it there.

[mfojtik]

@smarterclayton all updated, PTAL pls.

[soltysh]

What about different port, how one will specify that?

[soltysh]

If it's part of domain name (I assume from validation code) can you state that in the doc text for DomainName, it isn't obvious.

[mfojtik]

yes, good idea

[soltysh]

Shouldn't this method accept bool Insecure? And return 80 if it's set to true?

[mfojtik]

the godoc is wrong, but yeah

[mfojtik]

actually I already have that fixed :)

[soltysh]

glog for sure

[mfojtik]

done.

[mfojtik]

glog not needed, so I will remove it from here (see Clayton comment)

[soltysh]

Additionally, since we allow wildcard matches here, that should be mentioned in the doc as well.

[mfojtik]

yeah, I mention it in the comment for the registry location to make it more visible, but I can move it down.

[miminar]

Now what about oc tag? 😄 I realized it's not an issue because oc tag modifies the spec of ImageStream and leaves the actually image creation on importer controller.

Nevertheless I'd like to see at least an integration test proving that the oc tag case is handled.

[miminar]

At least log an error an continue.

[miminar]

godoc

[miminar]

The 443 may be wrong. Empty port should be returned if not specified.

[mfojtik]

@miminar empty port mean 80 right? that might be incorrect.

[mfojtik]

we default to https in RegistryURL() anyway, so I think this is fine.

[mfojtik]

(I added a bool option to make @soltysh happy :-)

[miminar]

empty port mean 80 right? that might be incorrect.

Empty port means not specified in this case.

we default to https in RegistryURL() anyway, so I think this is fine.

ah, that's unfortunate...

[miminar]

Can you add one more test case with AllowedRegistries not empty and matching the registry?

[mfojtik]

sure, but that case is covered when allowedRegistry is set to defaultallowedregistry and matched docker.io

[mfojtik]

added extra test case.

[miminar]

s/which in that case it will default to port '80'/to make it default to "80"/

[mfojtik]

fixed. (moved to types anyway)

[miminar]

typo

[soltysh]

I will strongly argue against fixing the error part as part of this PR (the 2nd commit). I'd prefer having a proper solution to error handling inside the entire ImageStream. Currently we only have nice error handling presented per tag, but none when it comes to failing when .spec.dockerImageRepository is specified. I'd rather have a proper followup fixing the error handling once and for all and not an ad-hoc solution for this particular error.

[mfojtik]

@soltysh my fix is addressing the repository import as well.... in that case the repository is used as "tag", which sux and can be improved.
I need to report nice error to users that trying to import from remote, untrusted registry and this will do. I'm not against improving it, but we can get there in iterative step and the change in this PR can be the first step.

[mfojtik]

@smarterclayton this uglyness is needed to properly report the import errors to users who:

1. Create ImageStream that contains multiple tags (typically examples/imagestreams...)
2. The import fails because the registry used in ImageStream is invalid (for tag or for repository)
3. The error is then logged into glog.V(4) and burried in server log
4. User end up with ImageStream that tells you the tags are being imported... forever.

(in addition, if this happen, all other tags in that IS are not imported even though they are valid... but one problem at the time)...

And since the StatusInvalid will not tell us what tag failed specifically you have to guess it from the error message (which sux big time, but I can't figure out better solution).

I would said that this code is just a band-aid for having the import error reported properly (since white-listing registries needs to do this), but we should fix the error reporting in general from the image streams in 1.6.

[soltysh]

Yes, please open a new issue and I will start working on it right after this merges.

[mfojtik]

Spawned #13319

[miminar]

So if the whitelist has a benevolent entry with insecure==true and someone wants import a from the repo securely, he won't be allowed to.

Another case this fails is an import from a registry hosted on :443 with invalid certificate - user is forced to use the insecure flag to no avail because the ports won't match here.

[mfojtik]

@miminar in that case you will have to add both combinations (secure and insecure) to the whitelist

[mfojtik]

[test]

[mfojtik]

[test]

[mfojtik]

[test] one more time

[mfojtik]

@smarterclayton @stevekuznetsov i still can't figure out what is wrong on GCE here... it seems like the image tags failed to import (presumably because something prevented them to). I wonder if we have some special master-config for GCE or we use the one that the Origin generates (iow. do we have whitelist or not).

Also I know that I'm annoying with this but it would really help to have master logs from GCE :-/

[mfojtik]

[test]

[soltysh]

@smarterclayton @soltysh support for local registry added:

This LGTM (since I wasn't explicit last time ;))

[smarterclayton]

You can run a deployment yourself pretty easily, or ssh in while it is running. The master config is generated by the Ansible install. On Apr 5, 2017, at 1:25 PM, Michal Fojtik <[email protected]> wrote: @smarterclayton <https://github.com/smarterclayton> @stevekuznetsov <https://github.com/stevekuznetsov> i still can't figure out what is wrong on GCE here... it seems like the image tags failed to import (presumably because something prevented them to). I wonder if we have some special master-config for GCE or we use the one that the Origin generates (iow. do we have whitelist or not). Also I know that I'm annoying with this but it would *really* help to have master logs from GCE :-/ — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#13313 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p-iJd4nw36eU2NRwl40b7Sr5YaDEks5rs3oegaJpZM4MXTJq> .

[mfojtik]

gce docker flake [test]

[mfojtik]

[test]

[mfojtik]

@smarterclayton got it... it was actually my fault (missing nil-check)... it reflected on GCE because the master configuration we generate there for some reason does not include the whitelist (which means all images are allowed)...

[mfojtik]

[test] (should pass this time)

[soltysh]

@smarterclayton got it... it was actually my fault (missing nil-check)... it reflected on GCE because the master configuration we generate there for some reason does not include the whitelist (which means all images are allowed)...

IIRC, the configuration we have there is coming from our ansible script, doesn't that needs to be updated to reflect your changes in that case?

[openshift-bot]

Evaluated for origin test up to c058b4d

[mfojtik]

@soltysh I kind of like that it tests the "legacy" case where it is not set and the origin in that case should not enforce any whitelist and the legacy behavior is preserved... in fact it helped to discover this bug.

[soltysh]

@mfojtik completely agree, but that causes discrepancy between what we get when running installer manually vs what ansible does for us. Although I wonder which part of the ansible would be causing that. I though that --write-config which I assume is being called by ansible when generating configs should work ootb, but apparently it it not :/

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/601/) (Base Commit: b7a5b0f)

[soltysh]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/601/) (Image: devenv-rhel7_6119)

[openshift-bot]

Evaluated for origin merge up to c058b4d

[smarterclayton]

Ansible generates a config from a template, does not use write-config. Only new clusters in Ansible should get these flags, old users need to opt in (otherwise you could break working namespaces).

…

On Thu, Apr 6, 2017 at 4:47 PM, OpenShift Bot ***@***.***> wrote: Merged #13313 <#13313>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#13313 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p6RBWorkUk6I01uHGvwwHhfQmsviks5rtPsCgaJpZM4MXTJq> .

[smarterclayton]

We should not have added this - this effectively invalidates everything we did to secure this. This means that anyone can go and set a registry up on amazonaws and defeat this protection.