WIP: OCPBUGS-59995: remove unqualified search registries

[haircommander]

- What I did
Openshift should require all search registries be fully qualified. short names have security risks (domain squatting being the primary). Users should be specifying FQDN and ideally SHA to pull an image, though tag is acceptable if the stream is trusted. Help enforce this by disabling unqualified search registries

- How to verify it

- Description for the changelog

[openshift-ci-robot]

@haircommander: This pull request references Jira Issue OCPBUGS-59995, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.0) matches configured target version for branch (4.20.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @mike-nguyen

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

- What I did
Openshift should require all search registries be fully qualified. short names have security risks (domain squatting being the primary). Users should be specifying FQDN and ideally SHA to pull an image, though tag is acceptable if the stream is trusted. Help enforce this by disabling unqualified search registries

- How to verify it

- Description for the changelog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• templates/arbiter/01-arbiter-container-runtime/OWNERS [haircommander]
• templates/master/01-master-container-runtime/OWNERS [haircommander]
• templates/worker/01-worker-container-runtime/OWNERS [haircommander]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[haircommander]

very possible this breaks a bunch of stuff.. If we go this route we will want to add this file back as an MC in the 4.19->4.20 upgrade to not break users (similar to how we handled crun/runc, cgroupv1/v2 or capabilities)

[openshift-ci]

@haircommander: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agent-compact-ipv4	afeddd3	link	false	/test e2e-agent-compact-ipv4
ci/prow/e2e-aws-ovn-upgrade-out-of-change	afeddd3	link	false	/test e2e-aws-ovn-upgrade-out-of-change
ci/prow/e2e-aws-ovn-windows	afeddd3	link	false	/test e2e-aws-ovn-windows
ci/prow/bootstrap-unit	afeddd3	link	false	/test bootstrap-unit
ci/prow/e2e-hypershift	afeddd3	link	true	/test e2e-hypershift
ci/prow/e2e-azure-ovn-upgrade-out-of-change	afeddd3	link	false	/test e2e-azure-ovn-upgrade-out-of-change
ci/prow/e2e-gcp-op-ocl	afeddd3	link	false	/test e2e-gcp-op-ocl
ci/prow/okd-scos-e2e-aws-ovn	afeddd3	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-mco-disruptive	afeddd3	link	false	/test e2e-aws-mco-disruptive
ci/prow/unit	afeddd3	link	true	/test unit
ci/prow/e2e-gcp-op-2of2	afeddd3	link	true	/test e2e-gcp-op-2of2
ci/prow/e2e-gcp-op-single-node	afeddd3	link	true	/test e2e-gcp-op-single-node
ci/prow/e2e-aws-ovn-upgrade	afeddd3	link	true	/test e2e-aws-ovn-upgrade
ci/prow/e2e-gcp-mco-disruptive	afeddd3	link	false	/test e2e-gcp-mco-disruptive
ci/prow/e2e-aws-ovn	afeddd3	link	true	/test e2e-aws-ovn
ci/prow/e2e-gcp-op-1of2	afeddd3	link	true	/test e2e-gcp-op-1of2

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jlebon]

AIUI, that MC was overriding the default registries.conf, which also has an unqualified-search-registries entry.

So the net effect of this I think is that unqualified-search-registries reverts back to:

$ podman run --rm -ti docker://$(oc adm release info --image-for=rhel-coreos quay.io/openshift-release-dev/ocp-release:4.20.0-ec.5-x86_64) grep unqualified-search-registries /etc/containers/registries.conf
unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]

But regardless, I'm not sure there's a reason to try to get rid of any inherited unqualified-search-registries from RHEL if we ensure we're always in short-name-mode = "enforcing". Since we're operating without a TTY in those contexts, it's equivalent to never resorting to unqualified-search-registries.

I think cri-o/cri-o#9401 is all we need.