Cannot access ICRRVA although secret exists in namespace

[nbgooch]

What commit ID of Portieris did you experience the problem with?

1048ff4

What went wrong?

When deploying application I get

Error: admission webhook "trust.hooks.securityenforcement.admission.cloud.ibm.com" denied the request: 
No credentials on client to call Vulnerability Advisor for IBM Cloud Container Registry with

What should have happened differently?

Application should have deployed successfully

How can it be reproduced?

1. Install portieris
2. Apply CRD

apiVersion: portieris.cloud.ibm.com/v1
kind: ClusterImagePolicy
metadata:
  name: block-vulnerable-images
spec:
   repositories:
    - name: "us.icr.io/*"
      policy:
        vulnerability:
          ICCRVA:
            enabled: true
           # I have tried both with and without accountID and does not seem to matter as we currently have no exceptions

3. ICR secret in namespace being deployed to
   
4. Deploy image from ICR

Any other relevant information

I am pretty sure this is not a bug, but instead a misconfiguration. Can you provide more information on how to access the ICCRVA using secrets? I think maybe since it is a .dockerconfigjson secret and not an IAM key, it cannot access.

[iainduncani]

Portieris will get the credentials to talk to Vulnerability Advisor from the imagePullSecrets attached to the Pod that is being deployed. The imagePullSecrets can be added directly to the pod being deployed but usually will come from a ServiceAccount, either the default one in your namespace or a different one that you reference in the pod definition so I think adding this service account to your namespace should do the trick:

apiVersion: v1
imagePullSecrets:
- name: all-icr-io
kind: ServiceAccount
metadata:
  name: default
  namespace: m-example