Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mutateImage: true causes fallback to "latest" which causes trust issues #390

Open
CrawX opened this issue Jun 15, 2022 · 0 comments
Open

mutateImage: true causes fallback to "latest" which causes trust issues #390

CrawX opened this issue Jun 15, 2022 · 0 comments
Labels
bug Something isn't working

Comments

@CrawX
Copy link

CrawX commented Jun 15, 2022

What commit ID of Portieris did you experience the problem with?

7cc209a

What went wrong?

Deploying an image with mutateImage: true removes the image tag which causes the following behaviour

% kubectl -n mynamespace rollout restart deployment my-deployment
error: failed to patch: admission webhook "trust.hooks.securityenforcement.admission.cloud.ibm.com" denied the request:
trust: policy denied the request: Deny "my-host/my-image@sha256:some-sha-256", failed to get content trust information: No valid trust data for latest

The image in the deployment is specified via a tag (not latest).

What should have happened differently?

kubectl rollout restart should be able to restart my deployment with the same image that was in use before

How can it be reproduced?

Creating a deployment referencing a valid tag (with a signature) and having a latest tag that doesn't have a signature and enabling mutateImage: true in the policy, then try to restart it.
Setting mutateImage: false makes it work but comes with the caveats noted in the README.

Any other relevant information

Sample ImagePolicy

apiVersion: portieris.cloud.ibm.com/v1
kind: ImagePolicy
metadata:
  name: default
  namespace: my-namespace
spec:
  repositories:
    - name: "my-host/*"
      policy:
        mutateImage: true
        trust:
          enabled: true
          trustServer: https://my-trustserver

Log output

│ portieris I0615 06:52:07.726466       1 controller.go:64] Processing admission request for UPDATE on my-deployment                                                                                                                                                                                                                                                                                                                 │
│ portieris I0615 06:52:07.726833       1 controller.go:176] Getting policy for container image: my-host/my-image@sha256:some-sha-256   namespace: my-namespace                                                                                                                                                             │
│ portieris I0615 06:52:07.734665       1 controller.go:261] ImagePullSecret my-namespace/registry-credentials found                                                                                                                                                                                                                                                                                                                        │
│ portieris I0615 06:52:07.734683       1 enforcer.go:95] policy.Trust {0xc0013512fc [] https://my-trustserver}                                                                                                                                                                                                                                                                                                            │
│ portieris I0615 06:52:08.232584       1 oauth.go:43] CA not provided at /etc/certs/ca.pem, will use default system pool                                                                                                                                                                                                                                                                                                                  │
│ portieris I0615 06:52:09.106698       1 trust.go:65] GetAllTargetMetadataByName returned err: No valid trust data for latest                                                                                                                                                                                                                                                                                                             │
│ portieris I0615 06:52:09.106731       1 responder.go:93] trust: policy denied the request: Deny "my-host/my-image@sha256:some-sha-256", failed to get content trust information: No valid trust data for latest                                                                                                          │
│ portieris I0615 06:52:09.106742       1 controller.go:125] Deny for images:  [my-host/my-image@sha256:some-sha-256]

To me, it looks like https://github.com/IBM/portieris/blob/main/pkg/verifier/trust/verifier.go#L103 is passing latest as a targetName which passes it to https://github.com/IBM/portieris/blob/main/pkg/verifier/trust/trust.go#L63 which causes GetAllTargetMetadataByName to fail because our latest image doesn't have a signature.
The tag is removed by https://github.com/IBM/portieris/blob/main/pkg/controller/multi/controller.go#L225 (also see #90). Having no tag defined causes https://github.com/IBM/portieris/blob/main/helpers/image/image.go#L65 to fallback to latest.

When disabling mutateImage, the image reference is not modified which fixes the problems but comes with the caveats noted in the README.
@sjhx sjhx added the bug Something isn't working label Feb 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@CrawX @sjhx