
Commit 3796d2e

Add the default image policy to bootstrap bindata
1 parent c7eb1bc commit 3796d2e


4 files changed

+78
-1
lines changed


pkg/bootstrap/bindata.go

Lines changed: 53 additions & 0 deletions

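--- a/pkg/cmd/server/start/master_args.go
+++ b/pkg/cmd/server/start/master_args.go
@@ -15,13 +15,16 @@ import (
 "k8s.io/kubernetes/pkg/runtime"
 "k8s.io/kubernetes/pkg/util"
 "k8s.io/kubernetes/pkg/util/sets"
+"k8s.io/kubernetes/pkg/util/yaml"
 
+"github.com/openshift/origin/pkg/bootstrap"
 "github.com/openshift/origin/pkg/cmd/flagtypes"
 "github.com/openshift/origin/pkg/cmd/server/admin"
 configapi "github.com/openshift/origin/pkg/cmd/server/api"
 configapiv1 "github.com/openshift/origin/pkg/cmd/server/api/v1"
 "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 cmdutil "github.com/openshift/origin/pkg/cmd/util"
+imagepolicyapi "github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
 "github.com/spf13/cobra"
 )
 
@@ -314,6 +317,23 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig
 config.ServiceAccountConfig.PublicKeyFiles = []string{}
 }
 
+// embed a default policy for generated config
+defaultImagePolicy, err := bootstrap.Asset("pkg/image/admission/imagepolicy/api/v1/default-policy.yaml")
+if err != nil {
+return nil, fmt.Errorf("unable to find default image admission policy: %v", err)
+}
+// TODO: this should not be necessary, runtime.Unknown#MarshalJSON should handle YAML content type correctly
+defaultImagePolicy, err = yaml.ToJSON(defaultImagePolicy)
+if err != nil {
+return nil, err
+}
+if config.AdmissionConfig.PluginConfig == nil {
+config.AdmissionConfig.PluginConfig = make(map[string]configapi.AdmissionPluginConfig)
+}
+config.AdmissionConfig.PluginConfig[imagepolicyapi.PluginName] = configapi.AdmissionPluginConfig{
+Configuration: &runtime.Unknown{Raw: defaultImagePolicy},
+}
+
 internal, err := applyDefaults(config, configapiv1.SchemeGroupVersion)
 if err != nil {
 return nil, err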
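Review bot: The `yaml.ToJSON` failure at new lines 326-329 is returned bare while the `bootstrap.Asset` failure just above it is wrapped, so a malformed embedded policy surfaces at config generation as a context-free YAML error with no hint that it came from the bundled default; wrap it the same way, `return nil, fmt.Errorf("unable to convert default image admission policy to JSON: %v", err)`. The conversion only proves the asset is well-formed YAML, not that it decodes to a valid image policy, so a bad default is still only caught when the admission plugin initializes on the master — worth a comment on line 320 saying validation happens at plugin load. The write to `PluginConfig[imagepolicyapi.PluginName]` at line 333 replaces any existing entry unconditionally; if `config.AdmissionConfig` can arrive here already populated from caller input, consider only setting the key when absent, otherwise a comment stating the override is intentional would help the next reader. BuildSerializeableMasterConfig starts and ends outside the hunk.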

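--- a/test/cmd/images_tests.sh
+++ b/test/cmd/images_tests.sh
@@ -53,14 +53,18 @@ os::cmd::expect_success_and_text 'oc get istag' 'wildfly'
 
 # create an image stream and post a mapping to it
 os::cmd::expect_success 'oc create imagestream test'
-os::cmd::expect_success 'oc create -f test/fixtures/mysql-image-stream-mapping.yaml'
+os::cmd::expect_success 'oc create -f test/testdata/mysql-image-stream-mapping.yaml'
 os::cmd::expect_success_and_text 'oc get istag/test:new --template="{{ index .image.dockerImageMetadata.Config.Entrypoint 0 }}"' "docker-entrypoint.sh"
 os::cmd::expect_success_and_text 'oc get istag/test:new -o jsonpath={.image.metadata.name}' 'sha256:b2f400f4a5e003b0543decf61a0a010939f3fba07bafa226f11ed7b5f1e81237'
 # reference should point to the current repository, and that repository should match the reported dockerImageRepository for pushes
 repository="$( oc get is/test -o jsonpath='{.status.dockerImageRepository}' )"
 os::cmd::expect_success_and_text 'oc get istag/test:new -o jsonpath={.image.dockerImageReference}' "^$repository@sha256:b2f400f4a5e003b0543decf61a0a010939f3fba07bafa226f11ed7b5f1e81237"
 os::cmd::expect_success_and_text 'oc get istag/test:new -o jsonpath={.image.dockerImageReference}' "/$project/test@sha256:b2f400f4a5e003b0543decf61a0a010939f3fba07bafa226f11ed7b5f1e81237"
 
+repository="$( oc get is/test -o jsonpath='{.status.dockerImageRepository}' )"
+os::cmd::expect_success 'oc annotate --overwrite image/sha256:b2f400f4a5e003b0543decf61a0a010939f3fba07bafa226f11ed7b5f1e81237 images.openshift.io/deny-execution=true'
+os::cmd::expect_failure_and_text "oc run vulnerable --image=${repository}:new --restart=Never" 'spec.containers\[0\].image: Forbidden: this image is prohibited by policy'
+
 # test image stream tag operations
 os::cmd::expect_success_and_text 'oc get istag/wildfly:latest -o jsonpath={.generation}' '2'
 os::cmd::expect_success_and_text 'oc get istag/wildfly:latest -o jsonpath={.tag.from.kind}' 'ImageStreamTag'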
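Review bot: The new policy check at lines 64-66 has no positive control, so it cannot distinguish "denied by the image policy" from any other reason `oc run` would be rejected — asserting once that the same `oc run` succeeds before the `images.openshift.io/deny-execution=true` annotation is applied would pin the behavior to the policy. The annotation is also never removed, so every later test in this file that runs `test:new` inherits the denial; clearing it after the assertion with `os::cmd::expect_success 'oc annotate image/sha256:b2f400f4a5e003b0543decf61a0a010939f3fba07bafa226f11ed7b5f1e81237 images.openshift.io/deny-execution-'` keeps the fixture state isolated. The `repository=` assignment at line 64 repeats line 60 verbatim and can be dropped. A short comment above line 64, `# the default image policy must refuse images annotated as deny-execution`, would say what this block is exercising.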
