config/v1/types_cluster_version: Explain image and version both set
Catching up with openshift/cluster-version-operator@9be6175c5f
(pkg/cvo/sync_worker: Make expected/actual version mismatch fatal,
2020-08-09, openshift/cluster-version-operator#431), which uses the
'version' property as a sanity check for "is this pullspec the version
I'm expecting?".  This protects users from compromised or
man-in-the-middled upstream update services who attempt downgrade and
similar attacks by misrepresenting a recommended update.

The text I'm adjusting landed in 354e2fb
(config/v1/types_cluster_version: Add Architecture to DesiredUpdate,
2022-12-07, #1339), but version-ignoring was never implemented, so
nobody can be relying on that nominal behavior.  And as the
man-in-the-middle use case demonstrates, version-ignoring would be
less safe than the version-match-enforcing behavior that the
cluster-version operator has used since 2020.
wking committed Jan 20, 2025
1 parent 366ffb8 commit 965895d
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions config/v1/types_cluster_version.go
Expand Up @@ -62,7 +62,7 @@ type ClusterVersionSpec struct {
//
// Some of the fields are inter-related with restrictions and meanings described here.
// 1. image is specified, version is specified, architecture is specified. API validation error.
// 2. image is specified, version is specified, architecture is not specified. You should not do this. version is silently ignored and image is used.
// 2. image is specified, version is specified, architecture is not specified. The version metadata in the referenced image must match the specified version.
// 3. image is specified, version is not specified, architecture is specified. API validation error.
// 4. image is specified, version is not specified, architecture is not specified. image is used.
// 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image.
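Review bot: Case 2 in the ClusterVersionSpec list now says the image's version metadata "must match the specified version" but not what happens when it does not, while cases 1 and 3 name their outcome ("API validation error"). The commit message describes the mismatch as fatal in the cluster-version operator rather than as an API validation failure, so consider spelling out the result of a mismatch in this item, so readers do not expect the API server to reject the object.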
Expand Down Expand Up @@ -702,16 +702,16 @@ type Update struct {
Architecture ClusterVersionArchitecture `json:"architecture"`

// version is a semantic version identifying the update version.
// version is ignored if image is specified and required if
// architecture is specified.
// version is required if architecture is specified.
// If both version and image are set, the version metadata in the referenced image must match the specified version.
//
// +optional
Version string `json:"version"`

// image is a container image location that contains the update.
// image should be used when the desired version does not exist in availableUpdates or history.
// When image is set, version is ignored. When image is set, version should be empty.
// When image is set, architecture cannot be specified.
// If both version and image are set, the version metadata in the referenced image must match the specified version.
//
// +optional
Image string `json:"image"`
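Review bot: The sentence added to both the version and image comments in Update states the rule but neither the reason nor the failure mode, and with "When image is set, version should be empty" removed there is no remaining guidance on whether setting both is recommended. Suggest one clause explaining that version acts as a check that the image is the release the user expects, plus what a mismatch results in. It would also help to say where "the version metadata in the referenced image" is read from, so the comparison is unambiguous.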