Image verification for namespaced policies #8212
Conversation
f3285a9 to
d104419
Compare
|
@harche feel free to ping here if you need assistance or review. |
8126007 to
8231d9f
Compare
8231d9f to
aa5a6c6
Compare
8853f7b to
6fae2e4
Compare
internal/storage/image.go
Outdated
| if err != nil && !errors.Is(err, storage.ErrImageUnknown) { | ||
| return fmt.Errorf("error retrieving image %s: %w", configImage, err) | ||
| } | ||
| if img != nil { |
There was a problem hiding this comment.
perhaps double check the length of img here.
It should >= 1 in this context.
There was a problem hiding this comment.
@rphillips img is of Image type,
Hence the check for if it is nil.
There was a problem hiding this comment.
Right, but the length of the array could be zero, and we are indexing into it.
There was a problem hiding this comment.
There was a problem hiding this comment.
I'm going to retract my comment here... I think the better approach is to check if err != nil if the alternative case, on line 542, and remove the if img != nil entirely.
There was a problem hiding this comment.
you can have err == nil and img == nil at the same time. It just means that, there was no error looking up in the image store but the image doesn't exist in that store.
6fae2e4 to
f0c7e69
Compare
f0c7e69 to
51c7108
Compare
51c7108 to
bbbc96d
Compare
|
/retest-required |
…mage Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
eac32f6 to
fbd73b3
Compare
|
/lgtm (had to update the CR test) |
|
/override ci/prow/ci-rhel-critest |
|
@haircommander: Overrode contexts on behalf of haircommander: ci/prow/ci-rhel-critest In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/retest |
|
/override ci/prow/ci-rhel-critest |
|
@haircommander: Overrode contexts on behalf of haircommander: ci/prow/ci-rhel-critest In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/retest |
|
/override ci/prow/ci-rhel-critest |
|
@haircommander: Overrode contexts on behalf of haircommander: ci/prow/ci-rhel-critest In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/override ci/prow/ci-rhel-critest |
|
@haircommander: Overrode contexts on behalf of haircommander: ci/prow/ci-rhel-critest In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
| imageID, err := storage.ParseStorageImageIDFromOutOfProcessData("2a03a6059f21e150ae84b0973863609494aad70f0a80eaeb64bddd8d92465812") | ||
| Expect(err).ToNot(HaveOccurred()) | ||
| otherImageID, err := storage.ParseStorageImageIDFromOutOfProcessData("3a03a6059f21e150ae84b0973863609494aad70f0a80eaeb64bddd8d92465812") | ||
| canonicalImageCandidate, err := reference.WithDigest(imageCandidate.Raw(), digest.Digest("sha256:340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221")) |
There was a problem hiding this comment.
This is not representative; PullImage returns a name@digest, this is name:tag@digest.
| start_crio | ||
| pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json) | ||
| jq '.image.image = "'"$REDIS_IMAGEID"'"' \ | ||
| jq '.image.image = "'"$REDIS_IMAGEID"'" | .image.user_specified_image = "'"$REDIS_IMAGEDIGEST"'"' \ |
There was a problem hiding this comment.
In the three instances in this file, image.user_specified_image is already set (to name:tag) in container_config.json; is there a specific need to override that to a digest value?
Or is that just for consistency with the other tests that override both .image.image and .image.user_specified_image?
| select(.repoTags[0] == "quay.io/crio/hello-wasm:latest") | | ||
| "WASM_IMAGEID=" + .id + "\n" + | ||
| "WASM_IMAGEDIGEST=" + .repoDigests[0] + "\n" + | ||
| "REDIS_IMAGEREF=" + .repoDigests[0]' <<< "$json")" |
There was a problem hiding this comment.
Is this a copy&paste error?
|
|
||
| type ContainerOption func(*cri.ContainerConfig) error | ||
|
|
||
| func WithImage(image string) ContainerOption { |
There was a problem hiding this comment.
(I can’t see any users of this.)
| sourceCtx.AuthFilePath = imageAuthFile | ||
| } | ||
| ref, err = r.storageImageServer.PullImage(context.Background(), pauseImage, &ImageCopyOptions{ | ||
| ref, _, err = r.storageImageServer.PullImage(context.Background(), pauseImage, &ImageCopyOptions{ |
There was a problem hiding this comment.
This is probably good enough because the pause image is ~trusted, and because MCO sets up the signature policy in a way that doesn’t let users loosen it, IIRC.
Ideally the returned repo@digest would be used to determine img below, so that the code uses exactly the just-pulled image.
And then the first return value of PullImage becomes unused and can be dropped entirely, simplifying the code.
Perhaps the repo@digest return value should be a RegistryImageReference, not a raw reference.Canonical.
| // | ||
| // Arguments: | ||
| // - ctx: The context for controlling the function's execution | ||
| // - systemContext: server's system context for the given namespace |
There was a problem hiding this comment.
…, notably might have a customized SignaturePolicyPath.
| } | ||
| }() | ||
|
|
||
| if err := svc.checkSignature(ctx, systemContext, policyContext, imageName, imageID); err != nil { |
There was a problem hiding this comment.
(I’m not sure why splitting this function into two is valuable, but it also doesn’t hurt.)
| return nil | ||
| } | ||
|
|
||
| func (svc *imageService) checkSignature(ctx context.Context, sys *types.SystemContext, policyContext *signature.PolicyContext, imageName RegistryImageReference, imageID StorageImageID) error { |
There was a problem hiding this comment.
s/imageName/userSpecifiedImage/
| return nil, fmt.Errorf("get context for namespace: %w", err) | ||
| } | ||
|
|
||
| if systemCtx.SignaturePolicyPath != "" { |
There was a problem hiding this comment.
Hum, do we want/need this condition here? It basically hard-codes the MCO behavior that the per-namespace policy is never more restrictive than the system policy.
That is fine for us right now, but it might not be true forever.
Does this exist for the container restore RootFSImage{Name,Ref} uses?
I guess that, at the very least, the two conditions (here and in the container restore path) should document this assumption.
| // and it is meaningless to try to verify an image that isn't even an image | ||
| // (like a checkpointed file is). |
There was a problem hiding this comment.
I don’t think we get here in the container restore path where Image.Image is at tar file; we have already successfully found a c/storage imgResult at this point.
Cleanups on top of #8212
Cleanups on top of #8212, second part
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds support for verification using namespaced policies during container creation.
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
Does this PR introduce a user-facing change?