OCPNODE-1632: Implement ImagePolicy and ClusterImagePolicy

[QiWang19]

- What I did
Follow the design from the enhancement. Add the implementation to ContainerruntimConfig controller for policy.json configuration.
- How to verify it

- Description for the changelog

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@QiWang19: This pull request references OCPNODE-1632 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

- What I did

- How to verify it
Follow the design from the enhancement. Add the implementation to ContainerruntimConfig controller for policy.json configuration.
- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[QiWang19]

ready for review.

[QiWang19]

/retest

[openshift-ci-robot]

@QiWang19: This pull request references OCPNODE-1632 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

- What I did
Follow the design from the enhancement. Add the implementation to ContainerruntimConfig controller for policy.json configuration.
- How to verify it

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mtrmac]

CRI-O has to this point no ability to correctly implement per-namespace policies (that has stalled in cri-o/cri-o#7046 , and my further work on that is tracked in https://issues.redhat.com/browse/RUN-1980 ), so isn’t this rather premature?

Of course the code proposed in this PR could be reviewed concurrently, but I don’t think it makes sense to merge it.

[mtrmac]

Alternatively, it might make sense to add the feature that adds a CR to configure the cluster-wide-global /etc/container/policy.json, right now — if that can be reasonably isolated from the other parts of the approved enhancement. It’s just the per-namespace policies that are not currently possible.

[saschagrunert]

@mtrmac thank you for the clarification! Do you have plans to continue the CRI-O work (RUN-1980) in the near future?

[mtrmac]

I’m definitely interested seeing this through to completion, after all the effort, but I don’t think I can spare the time in the next ~month at least.

[mtrmac]

Note https://issues.redhat.com/browse/OTA-1170 ; AFAICS that would benefit from MCO implementing ClusterImagePolicy .

[saschagrunert]

I agree that sounds like a plan. If we can deliver the namespaced policies in CRI-O v1.30 (late April) then we can pull those into the MCO implementation afterwards.

Focusing on the cluster policy sounds totally reasonable for now. 👍

[QiWang19]

@mtrmac @saschagrunert PR #4160 implementing ClusterImagePolicy is ready for review.

[wking]

I understand that that (Cluster)ImagePolicy -> MachineConfig pipe needs the read-access verbs. But I'm not clear on why this system:openshift:machine-config-operator:cluster-reader role would need update write access. Am I missing something?

[QiWang19]

Will clean this up.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: QiWang19
Once this PR has been reviewed and has the lgtm label, please assign djoshy for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[QiWang19]

/retest

[QiWang19]

/test e2e-gcp-op-techpreview

[openshift-ci]

@QiWang19: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-openstack	84416e6	link	false	/test e2e-openstack
ci/prow/e2e-aws-ovn-upgrade-out-of-change	41fa961	link	false	/test e2e-aws-ovn-upgrade-out-of-change
ci/prow/e2e-gcp-op-single-node	41fa961	link	true	/test e2e-gcp-op-single-node
ci/prow/e2e-azure-ovn-upgrade-out-of-change	41fa961	link	false	/test e2e-azure-ovn-upgrade-out-of-change
ci/prow/e2e-hypershift	41fa961	link	true	/test e2e-hypershift
ci/prow/e2e-aws-ovn-upgrade	41fa961	link	true	/test e2e-aws-ovn-upgrade
ci/prow/images	41fa961	link	true	/test images
ci/prow/e2e-gcp-op	41fa961	link	true	/test e2e-gcp-op
ci/prow/okd-scos-e2e-aws-ovn	41fa961	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/unit	41fa961	link	true	/test unit
ci/prow/e2e-aws-ovn	41fa961	link	true	/test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[QiWang19]

/test e2e-gcp-op-techpreview

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.