Force image pull policy to always

This is required in a multitenant environment so that users can be assured that their private images can only be used by those who have the credentials to pull them. If image pull policy is not always, once an image has been pulled to a node, any container from any user can use it simply by knowing the image’s name without any authorization check against the image. Depends-On: https://review.openstack.org/#/c/650591/ Change-Id: I1521a0d5089437ac658ee367fadb5b6bec72276f
2019-04-07 16:06:30 +00:00 · 2019-04-07 16:06:30 +00:00 · b2c812f453
parent df210e2204
commit b2c812f453
5 changed files with 20 additions and 5 deletions
--- a/zun/api/controllers/v1/capsules.py
+++ b/zun/api/controllers/v1/capsules.py
@ -211,6 +211,9 @@ class CapsuleController(base.Controller):

        merged_containers_spec = init_containers_spec + containers_spec
        for container_spec in merged_containers_spec:
+            if container_spec.get('image_pull_policy'):
+                policy.enforce(context, "container:create:image_pull_policy",
+                               action="container:create:image_pull_policy")
            container_dict = container_spec
            container_dict['project_id'] = context.project_id
            container_dict['user_id'] = context.user_id
--- a/zun/api/controllers/v1/containers.py
+++ b/zun/api/controllers/v1/containers.py
@ -395,6 +395,9 @@ class ContainersController(base.Controller):
            container_dict.get('image_driver'))
        if not container_dict['image_driver']:
            container_dict['image_driver'] = CONF.default_image_driver
+        if container_dict.get('image_pull_policy'):
+            policy.enforce(context, "container:create:image_pull_policy",
+                           action="container:create:image_pull_policy")

        container_dict['project_id'] = context.project_id
        container_dict['user_id'] = context.user_id
--- a/zun/common/policies/container.py
+++ b/zun/common/policies/container.py
@ -52,6 +52,18 @@ rules = [
            }
        ]
    ),
+    policy.DocumentedRuleDefault(
+        name=CONTAINER % 'create:image_pull_policy',
+        check_str=base.RULE_ADMIN_API,
+        description=('Create a new container with specified image pull '
+                     'policy.'),
+        operations=[
+            {
+                'path': '/v1/containers',
+                'method': 'POST'
+            }
+        ]
+    ),
    policy.DocumentedRuleDefault(
        name=CONTAINER % 'delete',
        check_str=base.RULE_ADMIN_OR_OWNER,
--- a/zun/common/utils.py
+++ b/zun/common/utils.py
@ -247,10 +247,7 @@ def check_container_id(function):

 def get_image_pull_policy(image_pull_policy, image_tag):
    if not image_pull_policy:
-        if image_tag == 'latest' or not image_tag:
-            image_pull_policy = 'always'
-        else:
-            image_pull_policy = 'ifnotpresent'
+        image_pull_policy = 'always'
    return image_pull_policy


--- a/zun/tests/unit/common/test_utils.py
+++ b/zun/tests/unit/common/test_utils.py
@ -92,7 +92,7 @@ class TestUtils(base.TestCase):
        self.assertEqual('always',
                         utils.get_image_pull_policy(None,
                                                     'latest'))
-        self.assertEqual('ifnotpresent',
+        self.assertEqual('always',
                         utils.get_image_pull_policy(None,
                                                     '2.0'))