Image policy is resolving images on replica sets by default

[smarterclayton]

Even when local names are not requested, the image policy plugin is
deciding to rewrite image references in replica sets that point to the
integrated registry (with tags) to use digests. This causes the
deployment controller that created them to get wedged (because it
detects a change to the template) and become unable to update status on
that replica set.

https://bugzilla.redhat.com/show_bug.cgi?id=1481801

[smarterclayton]

/retest On Aug 18, 2017, at 8:55 PM, OpenShift CI Robot <notifications@github.com> wrote: @smarterclayton <https://github.com/smarterclayton>: The following tests *failed*, say /retest to rerun them all: Test name Commit Details Rerun command ci/openshift-jenkins/extended_conformance_gce db9e95e <db9e95e> link <https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended_conformance_gce/6268> /test extended_conformance_gce ci/openshift-jenkins/extended_conformance_install_update 33aef8c <33aef8c> link <https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended_conformance_install_update/4433> /test extended_conformance_install_update Full PR test history <https://openshift-gce-devel.appspot.com/pr/15868>. Your PR dashboard <https://openshift-gce-devel.appspot.com/pr/smarterclayton>. Please help us cut down on flakes by linking to <https://github.com/kubernetes/community/blob/master/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests> an open issue <https://github.com/openshift/origin/issues?q=is:issue+is:open> when you hit one in your PR. Instructions for interacting with me using PR comments are available here <https://github.com/kubernetes/community/blob/master/contributors/devel/pull-requests.md>. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra <https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:> repository. I understand the commands that are listed here <https://github.com/kubernetes/test-infra/blob/master/commands.md>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#15868 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p1MmTn_3tNhXhrCwB81PmrKRRMmfks5sZjJygaJpZM4O8GSl> .

[tnozicka]

the other option would be to check if such object has a controllerRef set - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md

[smarterclayton]

We don't pipe through the full object today, but that is an option. I do think that initializers that mutate the target object will be important in the future - we may just not have thought through this enough upstream yet. Direct hash checking has problems - perhaps mutating admission controllers should have a way to signal that a deliberate mutation occurred and collision should be avoided. For now this is probably the simplest fix, and in 3.7 maybe you and I can start a discussion with @Kargakis and others about this On Aug 19, 2017, at 5:45 AM, Tomáš Nožička <notifications@github.com> wrote: *@tnozicka* commented on this pull request. the other option would be to check if such object has a controllerRef set - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/controller-ref.md — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#15868 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_pxghrge53sZR7UsqKkrCdBLKSq8Aks5sZq7NgaJpZM4O8GSl> .

[tnozicka]

/test extended_conformance_install_update

[tnozicka]

extended_conformance_install_update is blocked on #15874

[tnozicka]

few comments; lgtm otherwise for short term

[tnozicka]

@smarterclayton I have tried it with master and it behaved like AttemptRewrite notAttempt there. But maybe the backwards compatibility is w.r.t. something else?

With that said Attempt seems like more reasonable default option.

[smarterclayton]

Master rewriting is a bug, and that's caused by local namespace resolution. If you look a few lines up the ResolveImage global (on the config) is defaulting to Attempt, and that's what we're controlling for here. What went into 3.6 was too aggressive.

[tnozicka]

Not by default, but explicitly set Attempt. (Default is AttemptRewrite.)

[smarterclayton]

I'm going to change the build, that was wrong.

[tnozicka]

In future if this plugin would mutate only top level objects which can be found by not having ownerRef (which all controllers set) this kind of issues would go away I think.

Like it would resolve the image only in Deployment itself and left RS and Pod with controllerRef set alone.

Unless there is a use case for mutating controlled objects.

[smarterclayton]

I think there is a use case for mutating controlled objects - I explicitly want to be able to default replication controllers at time of snapshot

[smarterclayton]

/retest

[tnozicka]

In that case we need to work on supporting that upstream as you said and back it up with an use case / example.

[tnozicka]

networking/GitHub failed
/test extended_conformance_install_update

[tnozicka]

new day; let's give it another shot
/test extended_conformance_install_update

[tnozicka]

@openshift/api-review needs API review :)

[smarterclayton]

Updated to make builds Attempt instead of AttemptRewrite

[smarterclayton]

@liggitt need you to do quick API review. 3.6 is broken, in that rewrite should not happen unless requested. Now, resolution rules override / more specific than the default resolution.

[tnozicka]

nits in comments; lgtm otherwise

[tnozicka]

I don't mean to bikeshed on this but I don't get the meaning of rewrite attempted when the line bellow says Attempt, not AttemptRewrite?

[smarterclayton]

This is for resolution (do we look up this image value for possible application of rules).

[tnozicka]

actually build has Attempt by default; the rest holds true

[smarterclayton]

Updated with feedback from @liggitt

Rename Type to Policy. When defaulting ResolutionRules, default Policy to whatever the value of the top level ResolveImages value is, IF an execution rule is defined that references that resource (backwards compatible).

Makes Policy required so that users can't accidentally footgun themselves.

[smarterclayton]

/retest Prometheus flake fixed (or reduced) in another PR

[liggitt]

can group be *?

[smarterclayton]

No, no compelling reason. apps could legitimately have a resource wildcard, but everything on the server seemed a stretch.

[liggitt]

nit: break

[mfojtik]

@smarterclayton this will require ansible update to set the resolutionRules ?

[liggitt]

API looks fine, just nits. make sure there's a release note about the new required field

[smarterclayton]

@mfojtik no we rely on defaulting today

Will fix the nits and repost in a short time.

[smarterclayton]

denitted

[mfojtik]

/lgtm

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mfojtik, smarterclayton

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these OWNERS Files:

• pkg/image/OWNERS [mfojtik,smarterclayton]
• pkg/oc/bootstrap/OWNERS [mfojtik,smarterclayton]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[tnozicka]

/retest

[tnozicka]

/test extended_conformance_install_update

[tnozicka]

flake #15977
/test extended_conformance_install_update

[openshift-merge-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[openshift-merge-robot]

Automatic merge from submit-queue