Admission plugin: openshift.io/ImageQualify #18020
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
openshift-ci-robot
requested review from
deads2k,
enj,
miminar and
smarterclayton
frobware
force-pushed
the
qualify-images
branch
from
ef6f01f to
20d914f
Compare
|
Why isn’t this part of image policy? |
If you don't have that plugin enabled you would not be able to qualify images, hence a separate plugin. /cc @liggitt |
admission-plugin.yaml
Outdated
| @@ -0,0 +1,7 @@ | |||
| admissionConfig: | |||
There was a problem hiding this comment.
remove this file, move to doc or PR description?
There was a problem hiding this comment.
remove this file, move to doc or PR description?
Yep, to be removed. Was here for my dev convenience.
I have a few unit tests to complete then I'll split the PR up into more discrete commits which should make it easier to review.
admission-plugin.yaml
Outdated
| configuration: | ||
| kind: ImagePolicyConfig | ||
| apiVersion: v1 | ||
| qualifyRulesFilename: /home/centos/rules |
There was a problem hiding this comment.
since this admission plugin is distinct, we can just inline the rules in the plugin config type struct. if we want this externalized, we'd reference the whole plugin config externally:
master-config.yaml
...
admissionConfig:
pluginConfig:
openshift.io/ImageQualification:
location: /path/to/plugin.yaml
...plugin.yaml:
kind: ImageQualificationConfig
apiVersion: v1
rules:
- ...
- ...
- ...
|
We always run with image policy enabled. Also, qualification has to happen after image reference policy, but before admission policy runs. So I don't think this can be a separate plugin. Having them separate would be broken in this case:
You can't run before, because you would break local name references. |
Shouldn't have to... that's what the mutation/validation split was for... both should get their shot at mutating, then both should get their shot at validating. |
Should qualification also happen in ATM, it does, but it was an open question (in my mind). |
Will that always be true? If that does change at some point in the future you may then be surprised that qualification no longer happens. Should they be coupled like this? |
image policy was not split into mutation / validation that I'm aware of. You can't mutate before, you have to qualify within the image policy flow, not after. |
frobware
force-pushed
the
qualify-images
branch
from
ac79c45 to
486eda7
Compare
frobware
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
Note, I'm talking about OpenShift image policy, not upstream image policy. We don't use upstream image policy and have no plan to. |
frobware
force-pushed
the
qualify-images
branch
from
486eda7 to
bd85dd5
Compare
|
/test verify |
frobware
force-pushed
the
qualify-images
branch
2 times, most recently
from
d32d2af to
dfa48de
Compare
| return "", err | ||
| } | ||
| if domain != "" { | ||
| // image is already qualfied |
There was a problem hiding this comment.
typo
Thanks. I'm about to collapse all the commits into something sensible again. I ended up collapsing two packages and it should be more self contained now.
pkg/image/qualify/image.go
Outdated
| // "docker.io/busybox" -> domain is "docker.io" | ||
| // "docker.io/library/busybox" -> domain is "docker.io" | ||
| // "library/busybox:v1" -> domain is "" | ||
| func SplitImageName(image string) (string, string, error) { |
There was a problem hiding this comment.
We already have such parsers. There's also docker's reference package which as de facto referential implementation.
pkg/image/qualify/image_test.go
Outdated
| input: "parser.test.io/foo/busybox:v1.2.3", | ||
| domain: "parser.test.io", | ||
| remainder: "foo/busybox:v1.2.3", | ||
| }} { |
pkg/image/qualify/qualify.go
Outdated
| // Qualify qualifies image with a domain based on the set of patterns | ||
| // in rules. If there is a match then return true to indicate a match | ||
| // was found in rules together with the discrete domain name and a | ||
| // fully qualified image reference, otherwise returns false. |
frobware
changed the title
openshift-ci-robot
added
the
do-not-merge/work-in-progress
frobware
force-pushed
the
qualify-images
branch
from
25a7a89 to
601ade5
Compare
only in places where that image name is fed directly to the docker daemon (thus qualification would continue to be handled by the docker daemon, which I assume is what we want) |
frobware
force-pushed
the
qualify-images
branch
from
e54c7c9 to
a75eedb
Compare
| // rules. Returns the Rule that matched, or nil if no match was found. | ||
| func matchImage(image string, rules []api.ImageQualifyRule) *api.ImageQualifyRule { | ||
| for i := range rules { | ||
| if ok, _ := path.Match(rules[i].Pattern, image); ok { |
There was a problem hiding this comment.
not sure we want to support all the possible patterns path.Match allows... can we limit the charset of the pattern to characters that are allowed in image specs (something like a-zA-Z0-9_-/:@, I think), and *?
There was a problem hiding this comment.
Do we want to support wildcards in the digest part?
I've looked at this in a number of ways:
- take your suggested character set, and add "*", anything outside of that is bogus, though therre is the perennial risk that image specifications chnage underneath our feet
- look at explicitly referencing these regexps, but a) they're internal and b) was curious as to why it's a copy
If we don't want to support wildcards in digests then (I think) an alternative pattern validation scheme may be:
tmp := strings.Replace(rule.Pattern, "*", "a", -1))
if _, _, _, err := parsers.ParseImageName(tmp); err != nil {
// pattern is invalid.
}
I had chosen to be liberal with patterns as we always validate the image reference when it gets qualified. It would, I agree, be nice to be aware up-front that the pattern is invalid. Either way, you would have to correct and restart whether we do validation up front or (possibly) much later when a match occurs.
Having attempted some validation I'm wondering if it really makes sense to have something like:
a/b@sha256:abcd*ff*11*
Part of me says I would prefer to fix my patterns vis-a-vis baking policy in and then having to wait for a binary release should things go south.
There was a problem hiding this comment.
therre is the perennial risk that image specifications chnage underneath our feet
pretty sure we'd have other updates to make in that case as well. I'd rather start as limited as possible to address known use cases and expand further if needed.
| return allErrs | ||
| } | ||
| for i, rule := range config.Rules { | ||
| if rule.Pattern == "" { |
There was a problem hiding this comment.
limit the charset in pattern to just characters valid in an image spec and *
There was a problem hiding this comment.
If we do checking in validation then by the time this is exercised only have valid patterns. Basically, you either have a correct config, or you don't. This is an internal call so validation should prevent you getting this far with a bad pattern.
There was a problem hiding this comment.
this is where you would do that validation
There was a problem hiding this comment.
Yep, agreed. I had your two comments the wrong way round in my head.
There was a problem hiding this comment.
limit the charset in pattern to just characters valid in an image spec and *
Done.
| ) | ||
|
|
||
| // SchemeGroupVersion is group version used to register these objects | ||
| var SchemeGroupVersion = schema.GroupVersion{Group: "", Version: "v1"} |
There was a problem hiding this comment.
@deads2k are we putting new config types in groups now? apiserver.config.openshift.io? I couldn't find any other config types in origin yet
There was a problem hiding this comment.
@deads2k are we putting new config types in groups now? apiserver.config.openshift.io? I couldn't find any other config types in origin yet
"webconsole.config.openshift.io" from here https://github.com/openshift/api/blob/master/webconsole/v1/register.go#L10
For admission plugins it's going to be a question of versioning cadence. Because our admission plugins will be used in the openshift apiserver, I'm inclined to go "admission.config.openshift.io" without further subdivision.
There was a problem hiding this comment.
For admission plugins it's going to be a question of versioning cadence. Because our admission plugins will be used in the openshift apiserver, I'm inclined to go "admission.config.openshift.io" without further subdivision.
Is there any change I need to make here?
There was a problem hiding this comment.
here:
var GroupName = "admission.config.openshift.io"
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
in the internal register.go:
var GroupName = "admission.config.openshift.io"
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
wherever you have config data you load:
apiVersion: admission.config.openshift.io/v1
|
I didn't review the bash script |
I know @sjenning has run it successfully on two online nodes, so it has been exercised in the wild. |
This plugin allows administrators to set a policy for bare image names. A "bare" image name is a docker image reference that contains no domain component (e.g., "repository.io", "docker.io", etc). The preferred domain component to use, and hence pull from, for a bare image name is computed from a set of path-based pattern matching rules defined in the admission configuration. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1518378
frobware
force-pushed
the
qualify-images
branch
from
5f13704 to
8bc3e07
Compare
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: frobware, liggitt The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
openshift-ci-robot
added
the
approved
|
/retest |
|
Automatic merge from submit-queue (batch tested with PRs 18129, 18152, 17403, 18020, 18165). |
Automatic merge from submit-queue (batch tested with PRs 18225, 18351, 18331, 18340, 18326). UPSTREAM: 58955: pkg: kubelet: do not assume anything about images names kubernetes/kubernetes#58955 removes the need for #18020 see history: kubernetes/kubernetes#51751 kubernetes/kubernetes#52110 kubernetes/kubernetes#53161 @liggitt @derekwaynecarr @frobware @mrunalp @runcom
Automatic merge from submit-queue (batch tested with PRs 18225, 18351, 18331, 18340, 18326). UPSTREAM: 58955: pkg: kubelet: do not assume anything about images names kubernetes#58955 removes the need for openshift/origin#18020 see history: kubernetes#51751 kubernetes#52110 kubernetes#53161 @liggitt @derekwaynecarr @frobware @mrunalp @runcom Origin-commit: d91de347457d7f6f3d1859c671c7355cc193d038
Automatic merge from submit-queue (batch tested with PRs 18624, 18605). Revert "Admission plugin: openshift.io/ImageQualify" This reverts commit 8bc3e07. #18020 Render unneeded by upstream kubernetes/kubernetes#58955 and Origin pick #18340 Will live on forever in git history if we find a use case for it later.
Automatic merge from submit-queue (batch tested with PRs 18225, 18351, 18331, 18340, 18326). UPSTREAM: 58955: pkg: kubelet: do not assume anything about images names kubernetes#58955 removes the need for openshift/origin#18020 see history: kubernetes#51751 kubernetes#52110 kubernetes#53161 @liggitt @derekwaynecarr @frobware @mrunalp @runcom Origin-commit: d91de347457d7f6f3d1859c671c7355cc193d038
This plugin allows administrators to set a policy for bare image names. A "bare" image name is a docker image reference that contains no domain component (e.g., "repository.io", "docker.io", etc).
The preferred domain component to use, and hence pull from, for a bare image name is computed from a set of path-based pattern matching rules defined in the admission configuration.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1518378