Skip to content

[V1.31.0] Error: checking signature : Docker references with both a tag and digest are currently not supported #8603

New issue
New issue
Closed
#8605
Closed
[V1.31.0] Error: checking signature : Docker references with both a tag and digest are currently not supported#8603
#8605
Assignees
kwilczynskimtrmachaircommander
Labels
kind/bugCategorizes issue or PR as related to a bug.
@Nemric

Description

@Nemric
Nemric
opened on Sep 13, 2024

What happened?

Hi,
I did the upgrade from K8S & Cri-O from v1.30.4 to v1.31.0
I don't know if this issue is really related to Cri-O but I can't install ingress-nginx because of this behavior taken from kubectl get events when applying https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/baremetal/deploy.yaml

pod/ingress-nginx-admission-create-s6x86         Error: checking signature of "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3": creating docker:// reference for "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3": Docker references with both a tag and digest are currently not supported

Crio logs looks like :
Sep 13 09:10:35 Marie crio[2048]: time="2024-09-13 09:10:35.088965171Z" level=info msg="Image status: &ImageStatusResponse{Image:&Image{Id:ce263a8653f9cdabdabaf36ae064b3e52b5240e6fac90663ad3b8f3a9bcef242,RepoTags:[],RepoDigests:[registry.k8s.io/ingress-nginx/kube-webhook-certgen@sha256:1b792367d0e1350ee869b15f851d9e4de17db10f33fadaef628db3e6457aa012 registry.k8s.io/ingress-nginx/kube-webhook-certgen@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3],Size_:55821706,Uid:&Int64Value{Value:65532,},Username:,Spec:&ImageSpec{Image:,Annotations:map[string]string{},UserSpecifiedImage:,RuntimeHandler:,},Pinned:false,},Info:map[string]string{},}" id=e2ce05ae-4b61-4ab6-b7f1-8b940feb277c name=/runtime.v1.ImageService/ImageStatus

and kubelet logs looks like :
Sep 13 09:10:35 Marie podman[2232]: E0913 09:10:35.103521 2247 pod_workers.go:1301] "Error syncing pod, skipping" err="failed to \"StartContainer\" for \"patch\" with CreateContainerError: \"checking signature of \\\"registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3\\\": creating docker:// reference for \\\"registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3\\\": Docker references with both a tag and digest are currently not supported\"" pod="ingress-nginx/ingress-nginx-admission-patch-d2hvn" podUID="ae27ff5e-a382-4a6b-a942-2ed1e4975914"

What did you expect to happen?

Ingress-nginx installation to run well like on v1.30.4

How can we reproduce it (as minimally and precisely as possible)?

On a K8S cluster v1.31.0 with cri-o, calico, openelb try to apply the yaml file depending of your environment from :
https://kubernetes.github.io/ingress-nginx/deploy/

Anything else we need to know?

My cluster is a baremetal one with Fedora CoreOS 40.20240825.3.0 nodes

CRI-O and Kubernetes version

$ crio --version
crio version 1.31.0
   GitCommit:      ac758bb6183ef69cd47c663eb916953217a97fb3
   GitCommitDate:  2024-09-09T22:22:50Z
   GitTreeState:   dirty
   BuildDate:      1970-01-01T00:00:00Z
   GoVersion:      go1.22.5
   Compiler:       gc
   Platform:       linux/amd64
   Linkmode:       static
   BuildTags:
     static
     netgo
     osusergo
     exclude_graphdriver_btrfs
     seccomp
     apparmor
     selinux
     exclude_graphdriver_devicemapper
   LDFlags:          unknown
   SeccompEnabled:   true
   AppArmorEnabled:  false
$ kubectl version --output=json
{
  "clientVersion": {
    "major": "1",
    "minor": "31",
    "gitVersion": "v1.31.0",
    "gitCommit": "9edcffcde5595e8a5b1a35f88c421764e575afce",
    "gitTreeState": "clean",
    "buildDate": "2024-08-13T07:37:34Z",
    "goVersion": "go1.22.5",
    "compiler": "gc",
    "platform": "linux/amd64"
  },
  "kustomizeVersion": "v5.4.2",
  "serverVersion": {
    "major": "1",
    "minor": "31",
    "gitVersion": "v1.31.0",
    "gitCommit": "9edcffcde5595e8a5b1a35f88c421764e575afce",
    "gitTreeState": "clean",
    "buildDate": "2024-08-13T07:28:49Z",
    "goVersion": "go1.22.5",
    "compiler": "gc",
    "platform": "linux/amd64"
  }
}

OS version

# On Linux:
$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="40.20240825.3.0 (CoreOS)"
ID=fedora
VERSION_ID=40
VERSION_CODENAME=""
PLATFORM_ID="platform:f40"
PRETTY_NAME="Fedora CoreOS 40.20240825.3.0"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:40"
HOME_URL="https://getfedora.org/coreos/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-coreos/"
SUPPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
BUG_REPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=40
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=40
SUPPORT_END=2025-05-13
VARIANT="CoreOS"
VARIANT_ID=coreos
OSTREE_VERSION='40.20240825.3.0'
$ uname -a
Linux Pierre 6.10.6-200.fc40.x86_64 containers/image#1 SMP PREEMPT_DYNAMIC Mon Aug 19 14:09:30 UTC 2024 x86_64 GNU/Linux

Additional environment details (AWS, VirtualBox, physical, etc.)

Physical K8S cluster

Metadata

Metadata

Assignees

Labels

kind/bugCategorizes issue or PR as related to a bug.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions