Force image pull policy to always
This is required in a multitenant environment so that users can be assured that their private images can only be used by those who have the credentials to pull them. If image pull policy is not always, once an image has been pulled to a node, any container from any user can use it simply by knowing the image’s name without any authorization check against the image. Depends-On: https://review.openstack.org/#/c/650591/ Change-Id: I1521a0d5089437ac658ee367fadb5b6bec72276f
This commit is contained in:
parent
df210e2204
commit
b2c812f453
|
@ -211,6 +211,9 @@ class CapsuleController(base.Controller):
|
|||
|
||||
merged_containers_spec = init_containers_spec + containers_spec
|
||||
for container_spec in merged_containers_spec:
|
||||
if container_spec.get('image_pull_policy'):
|
||||
policy.enforce(context, "container:create:image_pull_policy",
|
||||
action="container:create:image_pull_policy")
|
||||
container_dict = container_spec
|
||||
container_dict['project_id'] = context.project_id
|
||||
container_dict['user_id'] = context.user_id
|
||||
|
|
|
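Review bot: The `policy.enforce(context, "container:create:image_pull_policy", ...)` call sits inside the `for container_spec in merged_containers_spec` loop, so a capsule whose N specs all set the field triggers the same enforcement N times, and a failure is raised on the first spec regardless of the others. Checking once before the loop reads more clearly: `if any(spec.get('image_pull_policy') for spec in merged_containers_spec):` followed by the existing `policy.enforce(...)` lines, leaving the loop with only the `project_id`/`user_id` assignments. The enclosing method starts and ends outside this hunk, so I cannot see where `context` is bound or whether the spec is validated before this point.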
@ -395,6 +395,9 @@ class ContainersController(base.Controller):
|
|||
container_dict.get('image_driver'))
|
||||
if not container_dict['image_driver']:
|
||||
container_dict['image_driver'] = CONF.default_image_driver
|
||||
if container_dict.get('image_pull_policy'):
|
||||
policy.enforce(context, "container:create:image_pull_policy",
|
||||
action="container:create:image_pull_policy")
|
||||
|
||||
container_dict['project_id'] = context.project_id
|
||||
container_dict['user_id'] = context.user_id
|
||||
|
|
|
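Review bot: The new admin-only gate on `image_pull_policy` has no comment explaining why an ordinary container field is held behind `RULE_ADMIN_API`, which the next maintainer will read as an accident and relax. A one-line why-comment above `if container_dict.get('image_pull_policy'):`, such as `# Non-admins may not relax the pull policy: an image already cached on a node would otherwise be usable by any tenant that knows its name.`, keeps the multitenancy reasoning from the commit message next to the check; the same comment belongs on the identical check in the `CapsuleController` hunk. The enclosing method starts and ends outside this hunk.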
@ -52,6 +52,18 @@ rules = [
|
|||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CONTAINER % 'create:image_pull_policy',
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
description=('Create a new container with specified image pull '
|
||||
'policy.'),
|
||||
operations=[
|
||||
{
|
||||
'path': '/v1/containers',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=CONTAINER % 'delete',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
|
|
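Review bot: The `operations` list of the new `create:image_pull_policy` rule documents only `POST /v1/containers`, yet the same rule name is enforced in `CapsuleController` in the first hunk of this change, so generated policy documentation will understate where the rule applies. Add a second entry for the capsule creation route, e.g. `{'path': '<capsule create path>', 'method': 'POST'}` with the real path filled in. The `description` reads container-only for the same reason; `'Create a new container or capsule with a specified image pull policy.'` would match both enforcement sites.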
@ -247,10 +247,7 @@ def check_container_id(function):
|
|||
|
||||
def get_image_pull_policy(image_pull_policy, image_tag):
|
||||
if not image_pull_policy:
|
||||
if image_tag == 'latest' or not image_tag:
|
||||
image_pull_policy = 'always'
|
||||
else:
|
||||
image_pull_policy = 'ifnotpresent'
|
||||
image_pull_policy = 'always'
|
||||
return image_pull_policy
|
||||
|
||||
|
||||
|
|
|
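Review bot: `get_image_pull_policy` now returns `'always'` unconditionally and ignores both `image_pull_policy` and `image_tag`, so if the controllers route the caller-supplied value through this helper, the admin-only override that the `container:create:image_pull_policy` rule in this change admits is silently discarded; the call sites are not visible from here, so this is inferred. If the intent is to honour an explicitly permitted value and default everything else, `return image_pull_policy or 'always'` keeps the policy check meaningful; if the intent really is to force `always` for every caller, the two now-dead parameters should be documented as retained only for signature compatibility. Either way the function deserves a docstring stating the multitenancy reason the tag-based `ifnotpresent` default was removed, since nothing in the body explains it any more.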
@ -92,7 +92,7 @@ class TestUtils(base.TestCase):
|
|||
self.assertEqual('always',
|
||||
utils.get_image_pull_policy(None,
|
||||
'latest'))
|
||||
self.assertEqual('ifnotpresent',
|
||||
self.assertEqual('always',
|
||||
utils.get_image_pull_policy(None,
|
||||
'2.0'))
|
||||
|
||||
|
|
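Review bot: Both assertions in `TestUtils` now pass `None` to `utils.get_image_pull_policy`, so the test no longer distinguishes a helper that forces `'always'` from one that merely defaults to it, and that distinction is what the admin-only policy in this change depends on. Add one case with an explicit value, `self.assertEqual('always', utils.get_image_pull_policy('ifnotpresent', '2.0'))` if overriding is intended, or the pass-through value if it is not, so the test pins the contract. The test method begins before this hunk.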