Additional registry whitelisting #17783

14 changes: 13 additions & 1 deletion hack/lib/start.sh
Expand Up @@ -155,11 +155,21 @@ readonly -f os::start::internal::configure_master
# - ETCD_PEER_PORT
# - USE_SUDO
# - MAX_IMAGES_BULK_IMPORTED_PER_REPOSITORY
# - ADDITIONAL_ALLOWED_REGISTRIES
# Returns:
# - export ADMIN_KUBECONFIG
# - export CLUSTER_ADMIN_CONTEXT
function os::start::internal::patch_master_config() {
local sudo=${USE_SUDO:+sudo}

readarray -t allowed_registries <<<"$(sed -n \
'/^imagePolicyConfig/,/^[^[:space:]]/s/.*domainName:\s*'"'"'\?\([^'"'"']\+\).*/\1/p' \
"${SERVER_CONFIG_DIR}/master/master-config.yaml")"
for reg in "${ADDITIONAL_ALLOWED_REGISTRIES[@]:-}"; do
[[ -z "${reg:-}" ]] && continue
allowed_registries+=( "${reg}" )
done

cp "${SERVER_CONFIG_DIR}/master/master-config.yaml" "${SERVER_CONFIG_DIR}/master/master-config.orig.yaml"
oc ex config patch "${SERVER_CONFIG_DIR}/master/master-config.orig.yaml" --patch="{\"etcdConfig\": {\"address\": \"${API_HOST}:${ETCD_PORT}\"}}" | \
oc ex config patch - --patch="{\"admissionConfig\": {\"pluginConfig\": {\"openshift.io/ImagePolicy\": {\"configuration\": {\"apiVersion\": \"v1\", \"executionRules\": [{\"matchImageAnnotations\": [{\"key\": \"images.openshift.io/deny-execution\", \"value\": \"true\"}], \"name\": \"execution-denied\", \"onResources\": [{\"resource\": \"pods\"}, {\"resource\": \"builds\"}], \"reject\": true, \"skipOnResolutionFailure\": true }], \"kind\": \"ImagePolicyConfig\" }, \"location\": \"\"}}}}" | \
Expand All @@ -168,7 +178,9 @@ function os::start::internal::patch_master_config() {
oc ex config patch - --patch="{\"etcdConfig\": {\"peerAddress\": \"${API_HOST}:${ETCD_PEER_PORT}\"}}" | \
oc ex config patch - --patch="{\"etcdConfig\": {\"peerServingInfo\": {\"bindAddress\": \"${API_HOST}:${ETCD_PEER_PORT}\"}}}" | \
oc ex config patch - --patch="{\"auditConfig\": {\"enabled\": true}}" | \
oc ex config patch - --patch="{\"imagePolicyConfig\": {\"maxImagesBulkImportedPerRepository\": ${MAX_IMAGES_BULK_IMPORTED_PER_REPOSITORY:-5}}}" > "${SERVER_CONFIG_DIR}/master/master-config.yaml"
oc ex config patch - --patch="{\"imagePolicyConfig\": {\"maxImagesBulkImportedPerRepository\": ${MAX_IMAGES_BULK_IMPORTED_PER_REPOSITORY:-5}}}" | \
oc ex config patch - --patch="{\"imagePolicyConfig\":{\"allowedRegistriesForImport\":[$(echo "${allowed_registries[@]}" | xargs printf '{"domainName":"%s"},' | sed 's/,$//')]}}" \
> "${SERVER_CONFIG_DIR}/master/master-config.yaml"

# Make oc use ${MASTER_CONFIG_DIR}/admin.kubeconfig, and ignore anything in the running user's $HOME dir
export ADMIN_KUBECONFIG="${MASTER_CONFIG_DIR}/admin.kubeconfig"
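Review bot: The readarray at line 46 leaves a single empty element in allowed_registries when the sed finds no domainName entry (the here-string always supplies one newline), so the patch at line 63 then emits `{"domainName":""}` as a whitelist entry; the empty-string check at line 50 guards only ADDITIONAL_ALLOWED_REGISTRIES. Running both sources through that one loop fixes it: `for reg in "${allowed_registries[@]}" "${ADDITIONAL_ALLOWED_REGISTRIES[@]:-}"; do`, appending into a fresh array that the patch line then expands. The sed keeps nothing but domainName, so any other attribute on the existing allowedRegistriesForImport entries is dropped by the replacement list — worth a comment above line 46 if that is intended. The values are also spliced into the JSON patch by printf without escaping, so the variable has to be treated as trusted harness input. patch_master_config continues below the second hunk.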
2 changes: 2 additions & 0 deletions hack/test-cmd.sh
Expand Up @@ -68,6 +68,8 @@ fi
# profile the web
export OPENSHIFT_PROFILE="${WEB_PROFILE-}"

export ADDITIONAL_ALLOWED_REGISTRIES=( "172.30.30.30:5000" "myregistry.com" "registry.centos.org" )

os::start::configure_server

os::test::junit::declare_suite_start "cmd/version"
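Review bot: `export` on line 75 has no effect on a bash array — arrays are never passed to child processes — so the line suggests the registries reach a subprocess when they are presumably visible only because os::start::configure_server runs in this same shell. A plain assignment, `ADDITIONAL_ALLOWED_REGISTRIES=( "172.30.30.30:5000" "myregistry.com" "registry.centos.org" )`, states the real scope; a short comment that hack/lib/start.sh reads it in-process would make the intent clear either way.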
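--- a/pkg/image/admission/fake/fake.go
+++ b/pkg/image/admission/fake/fake.go
@@ -0,0 +1,17 @@
+package fake
+
+import (
+imageapi "github.com/openshift/origin/pkg/image/apis/image"
+)
+
+type ImageStreamLimitVerifier struct {
+ImageStreamEvaluator func(ns string, is *imageapi.ImageStream) error
+Err error
+}
+
+func (f *ImageStreamLimitVerifier) VerifyLimits(ns string, is *imageapi.ImageStream) error {
+if f.ImageStreamEvaluator != nil {
+return f.ImageStreamEvaluator(ns, is)
+}
+return f.Err
+}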
12 changes: 0 additions & 12 deletions pkg/image/admission/testutil/util.go
Expand Up @@ -30,18 +30,6 @@ func MakeDockerImageReference(ns, isName, imageID string) string {
return fmt.Sprintf("%s/%s/%s@%s", InternalRegistryURL, ns, isName, imageID)
}

type FakeImageStreamLimitVerifier struct {
ImageStreamEvaluator func(ns string, is *imageapi.ImageStream) error
Err error
}

func (f *FakeImageStreamLimitVerifier) VerifyLimits(ns string, is *imageapi.ImageStream) error {
if f.ImageStreamEvaluator != nil {
return f.ImageStreamEvaluator(ns, is)
}
return f.Err
}

// GetFakeImageStreamListHandler creates a test handler that lists given image streams matching requested
// namespace. Additionally, a shared image stream will be listed if the requested namespace is "shared".
func GetFakeImageStreamListHandler(t *testing.T, iss ...imageapi.ImageStream) clientgotesting.ReactionFunc {
2 changes: 1 addition & 1 deletion pkg/image/apis/image/test/conversion_test.go
Expand Up @@ -7,8 +7,8 @@ import (
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/kubernetes/pkg/api/legacyscheme"

"github.com/openshift/api/image/v1"
newer "github.com/openshift/origin/pkg/image/apis/image"
"github.com/openshift/origin/pkg/image/apis/image/v1"

_ "github.com/openshift/origin/pkg/image/apis/image/install"
)
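--- a/pkg/image/apis/image/validation/fake/fake.go
+++ b/pkg/image/apis/image/validation/fake/fake.go
@@ -0,0 +1,25 @@
+package fake
+
+import (
+imageapi "github.com/openshift/origin/pkg/image/apis/image"
+"github.com/openshift/origin/pkg/image/apis/image/validation/whitelist"
+)
+
+type RegistryWhitelister struct{}
+
+func (rw *RegistryWhitelister) AdmitHostname(host string, transport whitelist.WhitelistTransport) error {
+return nil
+}
+func (rw *RegistryWhitelister) AdmitPullSpec(pullSpec string, transport whitelist.WhitelistTransport) error {
+return nil
+}
+func (rw *RegistryWhitelister) AdmitDockerImageReference(ref *imageapi.DockerImageReference, transport whitelist.WhitelistTransport) error {
+return nil
+}
+func (rw *RegistryWhitelister) WhitelistRegistry(hostPortGlob string, transport whitelist.WhitelistTransport) error {
+return nil
+}
+func (rw *RegistryWhitelister) WhitelistPullSpecs(pullSpec ...string) {}
+func (rw *RegistryWhitelister) Copy() whitelist.RegistryWhitelister {
+return &RegistryWhitelister{}
+}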
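Review bot: RegistryWhitelister admits every hostname, pull spec and image reference unconditionally (lines 148–156 all return nil) and nothing in the file says so, so a reader reaching for it gets no signal that it switches the registry whitelist off entirely. Suggest `// RegistryWhitelister is a permissive test double: every Admit* call succeeds and WhitelistRegistry/WhitelistPullSpecs are no-ops; never wire it into non-test code.` on the type, plus `var _ whitelist.RegistryWhitelister = (*RegistryWhitelister)(nil)` so the fake stops compiling the moment the real interface changes. Blank lines between the method declarations would also read more conventionally than the joined form here.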