let builders create new imagestreams for pushes #9066

Merged
2 changes: 2 additions & 0 deletions pkg/cmd/server/bootstrappolicy/policy.go
@@ -372,6 +372,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
Rules: []authorizationapi.PolicyRule{
// push and pull images
authorizationapi.NewRule("get", "update").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),
// allow auto-provisioning when pushing an image that doesn't have an imagestream yet
Contributor:

do we always want builders to have this power?

Contributor Author:

> do we always want builders to have this power?

I can't think of a reasonable reason not to. If a cluster-admin comes up with one, he can change the default role.

Contributor:

does this allow custom builders to create imagestreams for arbitrary images?

Contributor Author:

> does this allow custom builders to create imagestreams for arbitrary images?

Yes, but given push rights, they can destroy any existing one already. The ability to create new ones doesn't do much if nothing is wired to use them.

authorizationapi.NewRule("create").Groups(imageGroup).Resources("imagestreams").RuleOrDie(),
authorizationapi.NewRule("update").Groups(buildGroup).Resources("builds/details").RuleOrDie(),
},
},
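Review bot: the new `create` rule on `imagestreams` (the line after the auto-provisioning comment) is not scoped to the push path: anything bound to this cluster role can create an imagestream of any name in its namespace, which is exactly what the inline thread asks about. The code comment only describes the push case, so suggest widening it to record the decision reached in the thread, e.g. `// allow auto-provisioning when pushing an image that doesn't have an imagestream yet; this also lets the role create arbitrary imagestreams, which a cluster-admin can remove from the default role`, so the next reader of policy.go does not have to dig up this PR to learn that the broader grant was deliberate.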
2 changes: 2 additions & 0 deletions test/end-to-end/core.sh
@@ -338,6 +338,8 @@ os::cmd::try_until_text 'oc get events -n node-selector' 'pod-with-node-name.+No

# Image pruning
echo "[INFO] Validating image pruning"
# builder service account should have the power to create new image streams: prune in this case
os::cmd::expect_success "docker login -u e2e-user -p $(oc sa get-token builder -n cache) -e [email protected] ${DOCKER_REGISTRY}"
os::cmd::expect_success 'docker pull busybox'
os::cmd::expect_success 'docker pull gcr.io/google_containers/pause'
os::cmd::expect_success 'docker pull openshift/hello-openshift'
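Review bot: the comment on the first added line says the builder service account should be able to create new image streams, but the two added lines only log in to the registry as that account; the `docker pull` lines that follow are unchanged context, and the push that would actually exercise the new `create` rule is outside this hunk. Suggest following that push with an explicit check such as `os::cmd::expect_success 'oc get imagestreams <pushed-name> -n cache'` (using the name the later pruning steps rely on) so a regression in the builder role fails at this step instead of surfacing as an unrelated pruning failure further down. Also note that `$(oc sa get-token builder -n cache)` is expanded inside double quotes, so the token is baked into the command string handed to `os::cmd::expect_success` rather than read by docker at run time.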
7 changes: 7 additions & 0 deletions test/fixtures/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -1221,6 +1221,13 @@ items:
verbs:
- get
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- imagestreams
verbs:
- create
- apiGroups:
- ""
attributeRestrictions: null