This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

IRA - ImageRoleAuthorization fails (even without prompting for permissions) when ImageAllowRules for the app gets created as part of app deployment. #2311

Open
sangee2004 opened this issue Nov 2, 2023 · 0 comments

@sangee2004
Contributor

acorn version - v0.9.1-16-g89212fea+89212fea

Steps to reproduce the problem:

  1. Enable both the IAR and IRA features: acorn install --features image-allow-rules=true,image-role-authorizations=true
  2. Create the following IRA:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: acorn:system:cluster-admin
rules:
- apiGroups:
  - 'foo.bar.com'
  resources:
  - '*'
  verbs: ["*"]
---
apiVersion: admin.acorn.io/v1
kind: ImageRoleAuthorization
metadata:
  name: image-role-authz-superadmintest
  namespace: acorn
spec:
  imageSelector:
    namePatterns:
      - "testimage:*"
  roles:
    scopes:
      - cluster
    roleRefs:
      - name: acorn:system:cluster-admin
        kind: ClusterRole
  3. Build an image using the following Acornfile:
containers: web: {
    image: "nginx"
    permissions: {
        // These are permissions that will only be granted for this container in its namespace.
        rules: [
            {
                verbs: ["*"],
                apiGroups: ["foo.bar.com"],
                resources: ["*"]
            }
        ]
    }
}
  4. Deploy an app using this image and, when prompted to allow the image, choose "yes":
acorn run -n mytestnew testimage:v1
  •  WARNING:  This application would like to use the image 'testimage:v1'.
                 This image is not trusted by any image allow rules in this project.
                 This could be VERY DANGEROUS to the cluster if you do not trust this
                 application. If you are unsure say no.

? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? yes (this tag only)
  ✔  Created ImageAllowRules acorn/late-shape with image name patterns [testimage:v1,d59207049ee2552e27d7c350a1e04509d637627285f847b66094d61c2a511bf3]
  ✗  ERROR:  rules needed: [{"serviceName":"web","rules":[{"verbs":["*"],"apiGroups":["foo.bar.com"],"resources":["*"],"scopes":["project"]}]}]

Once the IAR for the app gets created, app deployment fails the IRA check without prompting for permissions, even when the right rules are available for it to succeed.

  5. Run the same app again. It succeeds this time:
acorn run -n mytest1 testimage:v1
  •  WARNING:  This application would like to request the following runtime permissions.
                 This could be VERY DANGEROUS to the cluster if you do not trust this
                 application. If you are unsure say no.

SERVICE   VERBS/ACTIONS   RESOURCES/API   SCOPE
web       *               *.foo.bar.com   project

? Do you want to allow this app to have these (POTENTIALLY DANGEROUS) permissions? Yes
mytest1
STATUS: ENDPOINTS[] HEALTHY[] UPTODATE[] 
STATUS: ENDPOINTS[] HEALTHY[0] UPTODATE[0] (container: web): pending
STATUS: ENDPOINTS[] HEALTHY[0/1] UPTODATE[0] (container: web): not ready
STATUS: ENDPOINTS[] HEALTHY[0/1] UPTODATE[0] (container: web): ContainerCreating
STATUS: ENDPOINTS[] HEALTHY[0/1] UPTODATE[1] (container: web): ContainerCreating
STATUS: ENDPOINTS[] HEALTHY[0/1] UPTODATE[1] (container: web): not ready
┌───────────────────────────────────────────────┐
| STATUS: ENDPOINTS[] HEALTHY[1] UPTODATE[1] OK |
└───────────────────────────────────────────────┘

┌───────────────────────────────────────────────┐
| STATUS: ENDPOINTS[] HEALTHY[1] UPTODATE[1] OK |
└───────────────────────────────────────────────┘

Expected Behavior:
App deployment should succeed the first time (step 4) after being prompted for permissions.
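The two gates the report walks through (an ImageAllowRules check on the image name, then an ImageRoleAuthorization check that the rules requested by the Acornfile are covered by the roles bound to a matching image selector) can be modelled in a few lines. The Python below is an added example written for this page, not code from the Acorn project; it simplifies Acorn's real matching (shell-style globbing for name patterns, and the assumption that a cluster-scoped authorization also covers a project-scoped request) and feeds it the IRA, ClusterRole rules and "rules needed" payload quoted above to show that, on those inputs, the request should be authorized rather than rejected.

```python
import fnmatch
import json

# Constructed from the issue text: the ImageAllowRules created in step 4
# (tag plus digest), the IRA's image selector and scopes, and the rules of
# the ClusterRole acorn:system:cluster-admin that the IRA references.
IAR_PATTERNS = [
    "testimage:v1",
    "d59207049ee2552e27d7c350a1e04509d637627285f847b66094d61c2a511bf3",
]
IRA = {
    "namePatterns": ["testimage:*"],   # spec.imageSelector.namePatterns
    "scopes": ["cluster"],             # spec.roles.scopes
    "roleRules": [                     # rules of the referenced ClusterRole
        {"apiGroups": ["foo.bar.com"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# The "rules needed" payload from the error message in step 4.
RULES_NEEDED = json.loads(
    '[{"serviceName":"web","rules":[{"verbs":["*"],"apiGroups":["foo.bar.com"],'
    '"resources":["*"],"scopes":["project"]}]}]'
)

# Assumption (not stated on the page): a cluster-scoped authorization is a
# superset of a project-scoped one.
SCOPE_COVERS = {"cluster": {"cluster", "project"}, "project": {"project"}}


def image_matches(image, patterns):
    """Does the image reference match any name pattern (glob-style match)?"""
    return any(fnmatch.fnmatchcase(image, p) for p in patterns)


def _covered(requested, granted):
    """Every requested item must be granted literally or by a '*' grant.

    A requested '*' is only covered by a granted '*', never by a narrower list.
    """
    return all(any(g == "*" or g == r for g in granted) for r in requested)


def rule_covered(req, granted_rules):
    """A requested rule is covered if one granted rule covers all three fields."""
    return any(
        _covered(req["verbs"], g["verbs"])
        and _covered(req["apiGroups"], g["apiGroups"])
        and _covered(req["resources"], g["resources"])
        for g in granted_rules
    )


def scope_covered(req_scopes, ira_scopes):
    """All requested scopes must fall inside what the IRA's scopes authorize."""
    allowed = set()
    for s in ira_scopes:
        allowed |= SCOPE_COVERS.get(s, set())
    return all(s in allowed for s in req_scopes)


def check(image, iar_patterns, ira, rules_needed):
    """Run both gates; return (authorized, list of reasons for denial)."""
    reasons = []
    # Gate 1: ImageAllowRules must trust the image at all.
    if not image_matches(image, iar_patterns):
        return False, [f"image {image!r} is not trusted by any image allow rule"]
    # Gate 2: the IRA must select this image and cover every requested rule.
    if not image_matches(image, ira["namePatterns"]):
        return False, [f"image {image!r} matches no IRA namePattern"]
    for svc in rules_needed:
        for rule in svc["rules"]:
            scopes = rule.get("scopes", ["project"])
            if not scope_covered(scopes, ira["scopes"]):
                reasons.append(f"{svc['serviceName']}: scope {scopes} not authorized")
            elif not rule_covered(rule, ira["roleRules"]):
                reasons.append(f"{svc['serviceName']}: rule {rule} not covered")
    return (not reasons), reasons


if __name__ == "__main__":
    ok, why = check("testimage:v1", IAR_PATTERNS, IRA, RULES_NEEDED)
    print("authorized" if ok else "denied", why)
```

Running the block prints `authorized []` for the page's inputs, which is the outcome step 4 should have produced; narrowing the ClusterRole (for example to `resources: ["pods"]`) or requesting a scope the IRA does not grant makes `check` return the denial reason instead, which is the kind of mismatch the "rules needed" error is meant to report.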

@sangee2004 sangee2004 added the kind/bug Something isn't working label Nov 2, 2023
@sangee2004 sangee2004 added this to the Backlog milestone Nov 4, 2023
@iwilltry42 iwilltry42 self-assigned this Feb 20, 2024