Image policy is resolving images on replica sets by default #15868
Conversation
openshift-merge-robot
added
the
size/L
openshift-merge-robot
added
approved
smarterclayton
force-pushed
the
fix_imagepolicy_master
branch
2 times, most recently
from
db9e95e to
33aef8c
Compare
There was a problem hiding this comment.
the other option would be to check if such object has a controllerRef set - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md
|
We don't pipe through the full object today, but that is an option. I do
think that initializers that mutate the target object will be important in
the future - we may just not have thought through this enough upstream
yet. Direct hash checking has problems - perhaps mutating admission
controllers should have a way to signal that a deliberate mutation occurred
and collision should be avoided.
For now this is probably the simplest fix, and in 3.7 maybe you and I can
start a discussion with @Kargakis and others about this
On Aug 19, 2017, at 5:45 AM, Tomáš Nožička <[email protected]> wrote:
*@tnozicka* commented on this pull request.
the other option would be to check if such object has a controllerRef set -
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#15868 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_pxghrge53sZR7UsqKkrCdBLKSq8Aks5sZq7NgaJpZM4O8GSl>
.
|
|
/test extended_conformance_install_update |
|
extended_conformance_install_update is blocked on #15874 |
| {TargetResource: GroupResource{Resource: "replicationcontrollers"}, LocalNames: true}, | ||
| {TargetResource: GroupResource{Group: "extensions", Resource: "replicasets"}, LocalNames: true}, | ||
| // pods are attempted for backwards compatibility. | ||
| {TargetResource: GroupResource{Resource: "pods"}, LocalNames: true, Type: Attempt}, |
There was a problem hiding this comment.
@smarterclayton I have tried it with master and it behaved like AttemptRewrite notAttempt there. But maybe the backwards compatibility is w.r.t. something else?
With that said Attempt seems like more reasonable default option.
There was a problem hiding this comment.
Master rewriting is a bug, and that's caused by local namespace resolution. If you look a few lines up the ResolveImage global (on the config) is defaulting to Attempt, and that's what we're controlling for here. What went into 3.6 was too aggressive.
| }, | ||
| }, | ||
| }, | ||
| // does not rewrite the config because build has Attempt by default, which overrides global policy |
There was a problem hiding this comment.
Not by default, but explicitly set Attempt. (Default is AttemptRewrite.)
There was a problem hiding this comment.
I'm going to change the build, that was wrong.
|
In future if this plugin would mutate only top level objects which can be found by not having ownerRef (which all controllers set) this kind of issues would go away I think. Like it would resolve the image only in Deployment itself and left RS and Pod with controllerRef set alone. Unless there is a use case for mutating controlled objects. |
|
I think there is a use case for mutating controlled objects - I explicitly want to be able to default replication controllers at time of snapshot |
|
/retest |
|
In that case we need to work on supporting that upstream as you said and back it up with an use case / example. |
|
networking/GitHub failed |
|
new day; let's give it another shot |
|
@openshift/api-review needs API review :) |
smarterclayton
force-pushed
the
fix_imagepolicy_master
branch
from
33aef8c to
209468e
Compare
|
Updated to make builds Attempt instead of AttemptRewrite |
|
@liggitt need you to do quick API review. 3.6 is broken, in that rewrite should not happen unless requested. Now, resolution rules override / more specific than the default resolution. |
| {TargetResource: GroupResource{Group: "build.openshift.io", Resource: "builds"}, LocalNames: true}, | ||
| {TargetResource: GroupResource{Resource: "replicationcontrollers"}, LocalNames: true}, | ||
| {TargetResource: GroupResource{Group: "extensions", Resource: "replicasets"}, LocalNames: true}, | ||
| // pods are rewrite attempted for backwards compatibility. |
There was a problem hiding this comment.
I don't mean to bikeshed on this but I don't get the meaning of rewrite attempted when the line bellow says Attempt, not AttemptRewrite?
There was a problem hiding this comment.
This is for resolution (do we look up this image value for possible application of rules).
| }, | ||
| }, | ||
| }, | ||
| // does not rewrite the config because build has DoNotAttempt by default, which overrides global policy |
There was a problem hiding this comment.
actually build has Attempt by default; the rest holds true
smarterclayton
force-pushed
the
fix_imagepolicy_master
branch
from
209468e to
962153e
Compare
|
Updated with feedback from @liggitt Rename Makes |
|
/retest
Prometheus flake fixed (or reduced) in another PR
|
| // executionRuleCoversResource returns true if gr is covered by rule. | ||
| func executionRuleCoversResource(rule ImageExecutionPolicyRule, gr GroupResource) bool { | ||
| for _, target := range rule.OnResources { | ||
| if target.Group == gr.Group && (target.Resource == gr.Resource || target.Resource == "*") { |
There was a problem hiding this comment.
No, no compelling reason. apps could legitimately have a resource wildcard, but everything on the server seemed a stretch.
| obj.ResolutionRules[i].Policy = DoNotAttempt | ||
| for _, rule := range obj.ExecutionRules { | ||
| if executionRuleCoversResource(rule, obj.ResolutionRules[i].TargetResource) { | ||
| obj.ResolutionRules[i].Policy = obj.ResolveImages |
|
@smarterclayton this will require ansible update to set the resolutionRules ? |
|
API looks fine, just nits. make sure there's a release note about the new required field |
|
@mfojtik no we rely on defaulting today Will fix the nits and repost in a short time. |
Even when local names are not requested, the image policy plugin is deciding to rewrite image references in replica sets that point to the integrated registry (with tags) to use digests. This causes the deployment controller that created them to get wedged (because it detects a change to the template) and become unable to update status on that replica set. https://bugzilla.redhat.com/show_bug.cgi?id=1481801
smarterclayton
force-pushed
the
fix_imagepolicy_master
branch
from
962153e to
32f53e3
Compare
|
denitted |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mfojtik, smarterclayton The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/retest |
|
/test extended_conformance_install_update |
|
flake #15977 |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
Even when local names are not requested, the image policy plugin is
deciding to rewrite image references in replica sets that point to the
integrated registry (with tags) to use digests. This causes the
deployment controller that created them to get wedged (because it
detects a change to the template) and become unable to update status on
that replica set.
https://bugzilla.redhat.com/show_bug.cgi?id=1481801