openshift-controller-manager doesn't seem to respect MirrorSet and pull secret configs

[leonklingele]

The "openshift-controller-manager" doesn't seem to respect cluster MirrorSet and pull secret configs.

Steps to reproduce:

1. Provision a new cluster using one of the supported methods.
2. Observe egress traffic of the cluster. Several HTTP requests to "docker.io" are made every hour.
3. Create a ImageDigestMirrorSet and ImageTagMirrorSet resource to prevent direct requests to "docker.io" and instead proxy them over a specified mirror. See the YAML definitions [0] and [1].
4. Again observe egress traffic of the cluster. Even with these resources applied, requests to "docker.io" are still made every hour.

This gets us to a rate-limit on docker.io rather quickly. We even tried to configure a cluster pull secret for docker.io, although this secret doesn't seem to be used for authenticating those specific requests.

The behavior of periodic pulls (or, more precisely, manifest fetches) has also been observed here by another user: https://serverfault.com/questions/1116219/openshift-docker-rate-limit-and-regular-pulls

The requests to docker.io are made due to the community samples operator adding several sample images from docker.io to the cluster (see the output of oc get images | grep docker.io). To stop those requests from occurring, the community samples operator needs to be disabled (via oc patch OperatorHub/cluster --type=merge --patch='{"spec":{"sources":[{"name":"community-operators","disabled":true}]}}) and all image references to docker.io removed (via oc get images | grep docker.io | cut -d " " -f1 | xargs --verbose -I{} oc delete image "{}").

[0]:

apiVersion: config.openshift.io/v1
kind: ImageDigestMirrorSet
metadata:
  name: dockerio-digest-mirror
spec:
  imageDigestMirrors:
    - mirrorSourcePolicy: NeverContactSource
      mirrors:
        - your-docker-proxy.com
      source: docker.io

[1]:

apiVersion: config.openshift.io/v1
kind: ImageTagMirrorSet
metadata:
  name: dockerio-tag-mirror
spec:
  imageTagMirrors:
    - mirrorSourcePolicy: NeverContactSource
      mirrors:
        - your-docker-proxy.com
      source: docker.io

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

[leonklingele]

/remove-lifecycle rotten

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

[leonklingele]

/remove-lifecycle rotten

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[leonklingele]

/remove-lifecycle rotten

[leonklingele]

/remove-lifecycle stale