Skip to content

OCPNODE-1632: Support ClusterImagePolicy CRD #4160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 1 commit into from
Apr 11, 2024
Merged

OCPNODE-1632: Support ClusterImagePolicy CRD #4160

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions cmd/machine-config-controller/start.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,7 @@ func createControllers(ctx *ctrlcommon.ControllerContext) []ctrlcommon.Controlle
ctx.ConfigInformerFactory.Config().V1().Images(),
ctx.ConfigInformerFactory.Config().V1().ImageDigestMirrorSets(),
ctx.ConfigInformerFactory.Config().V1().ImageTagMirrorSets(),
ctx.ConfigInformerFactory,
ctx.OperatorInformerFactory.Operator().V1alpha1().ImageContentSourcePolicies(),
ctx.ConfigInformerFactory.Config().V1().ClusterVersions(),
ctx.ClientBuilder.KubeClientOrDie("container-runtime-config-controller"),
Expand Down
98 changes: 98 additions & 0 deletions docs/ClusterImagePolicyDesign.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
## Summary
ClusterImagePolicy CRD is managed by ContainerRuntimeConfig controller. This CRD allows setting up configurations for CRI-O to verify the container images signed using [Sigstore](https://www.sigstore.dev/) tools.

## Goals
Generating corresponding CRI-O configuration files for image signature verification. Rollout ClusterImagePolicy to `/etc/containers/policy.json` for cluster wide configuration. Roll out the registries configuration to `/etc/containers/registries.d/sigstore-registries.yaml`.

## Non-Goals
Rolling out configuration for OCP payload repositories. The (super scope of) OCP payload repositories will not be written to the configuration files.

## CRD
[ClusterImagePolicy CRD](https://github.com/openshift/api/blob/master/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml)

## Example

Below is an example of a ClusterImagePolicy CRD.

```yaml
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
metadata:
name: p0
spec:
scopes:
- registry.ci.openshift.org
- example.com/global
policy:
rootOfTrust:
policyType: PublicKey
publicKey:
keyData: Zm9vIGJhcg==
signedIdentity:
matchPolicy: MatchRepoDigestOrExact
```

Save the above clusterimagepolicy locally, for example as pubKeyPolicy.yaml.
Now apply the clusterimagepolicy that you created:

```shell
oc apply -f pubKeyPolicy.yaml
```

Check that it was created:

```shell
oc get clusterimagepolicy
NAME AGE
p0 9s

```

## Validation and Troubleshooting
The status.conditions.message field shows if the CR has conflicting scope(s). The below ClusterImagePolicy is in pending status because the scope for OCP release payload is skipped.

```shell
# the clusterimagepolicy has scope registry.build05.ci.openshift.org that is the OCP release payload repository
$ oc describe clusterimagepolicy.config.openshift.io/p0
...
...
Status:
Conditions:
Last Transition Time: 2024-02-04T03:24:36Z
Message: has conflict scope(s) ["registry.build05.ci.openshift.org"] of Openshift payload repository registry.build05.ci.openshift.org/ci-ln-gfmf0yb/release, skip the scope(s)
Observed Generation: 1
Reason: ConflictScopes
Status: True
Type: Pending
```

The machine-config-controller logs will show the error message if the ClusterImagePolicy and Image CR has conflicting configurations. Controller will fail to roll out the CR.
- if blocked registries configured by Image CR exist, the clusterimagepolicy scopes must not equal to or nested under blockedRegistries
- if allowed registries configured by Image CR exist, the clusterimagepolicy scopes nested under the allowedRegistries
For example, the below error message is shown when the ClusterImagePolicy and blockedRegistries of Image CR has conflicting configurations.

```shell
I0204 03:51:18.253145 1 container_runtime_config_controller.go:497] Error syncing image config openshift-config: could not Create/Update MachineConfig: could not update policy json with new changes: clusterimagePolicy configured for the scope example.com/global is nested inside blockedRegistries ```
```

## Implementation Details
The ContainerRuntimeConfigController would perform the following steps:

1. Validate the ClusterImagePolicy objects are not for OCP release payload repositories.

2. Render the current MachineConfigs (storage.files.contents[policy.json]) into the originalPolicyIgn

3. Serialize the cluster level policies to `policy.json`.

4. Add registries configuration to `sigstore-registries.yaml`. This configuration is used to specify the sigstore is being used as the image signature verification backend.

5. Update the ignition file `/etc/containers/policy.json` within the `99-<pool>-generated-registries` MachineConfig.

6. Create or Update the ignition file `/etc/containers/registries.d/sigstore-registries.yaml` within the `99-<pool>-generated-imagepolicies` MachineConfig.

After deletion all of the ClusterImagePolicy instance the config will be reverted to the original policy.json.

## See Also
see **[containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md)**, **[containers-registries.d(5)](https://github.com/containers/image/blob/main/docs/containers-registries.d.5.md)** for more information.


2 changes: 1 addition & 1 deletion hack/crds-sync.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ for crd in "${CRDS_MAPPING[@]}" ; do
done

#this one goes in manifests rather than install, but should it?
cp "vendor/github.com/openshift/api/config/v1alpha1/0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml" "install/0000_10_config-operator_01_clusterimagepolicy-TechPreviewNoUpgrade.crd.yaml"
Copy link
Contributor

@yuqi-zhang yuqi-zhang Apr 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

technically this might conflict with the MCO api PR (and the locations will be moving) but for now this should be ok

cp "vendor/github.com/openshift/api/machineconfiguration/v1/0000_80_controllerconfig.crd.yaml" "manifests/controllerconfig.crd.yaml"
cp "vendor/github.com/openshift/api/machineconfiguration/v1alpha1/0000_80_machineconfignode-TechPreviewNoUpgrade.crd.yaml" "manifests/0000_80_machine-config-operator_01_machineconfignode-TechPreviewNoUpgrade.crd.yaml"
cp "vendor/github.com/openshift/api/operator/v1/0000_80_machine-config-operator_01_config.crd.yaml" "install/0000_80_machine-config-operator_01_config.crd.yaml"

Loading