Revert "change: init restricted-api-groups"

This reverts commit 469b636.

Signed-off-by: Thorsten Klein <tk@thklein.io>

.vscode/launch.json

@@ -23,7 +23,7 @@
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceRoot}",
-            "args": ["image", "sign", "--key", "/home/thklein/.ssh/id_rsa", "-a", "tag=ok", "harbor.thklein.dev/public/acorn@sha256:ff11aa8e01da1a0b7c44cb357dfa0f0332053070ed7325af3bec89cb9bbcdb3c"],
+            "args": ["run", "${input:acornfile}"],
             "console": "integratedTerminal",
         },
         {

docs/docs/100-reference/01-command-line/acorn_install.md

@@ -67,7 +67,6 @@ acorn install
       --record-builds                                   Keep a record of each acorn build that happens
       --registry-cpu string                             The CPU to allocate to the registry in the format of <req>:<limit> (example 200m:1000m)
       --registry-memory string                          The memory to allocate to the registry in the format of <req>:<limit> (example 256Mi:1Gi)
-      --restricted-api-group strings                    Restrict access to the specified API groups via Image Signatures (example aws.acorn.io=acorn://thisisus)
       --service-lb-annotation strings                   Annotation to add to the service of type LoadBalancer. Defaults to empty. (example key=value)
       --set-pod-security-enforce-profile                Set the PodSecurity profile on created namespaces (default true)
       --skip-checks                                     Bypass installation checks

pkg/appdefinition/lookup.go

@@ -5,7 +5,6 @@ import (
 
 	v1 "github.com/acorn-io/runtime/pkg/apis/internal.acorn.io/v1"
 	"github.com/acorn-io/z"
-	"github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/api/equality"
 )
 
@@ -89,8 +88,6 @@ func findAcornImage(imageData v1.ImagesData, autoUpgrade *bool, image string, ac
 		return image, image != ""
 	}
 
-	logrus.Infof("Looking for image [%s] in image data", image)
-
 	if acornBuild == nil {
 		if image != "" {
 			for _, build := range imageData.Builds {
@@ -131,66 +128,6 @@ func findAcornImage(imageData v1.ImagesData, autoUpgrade *bool, image string, ac
 	return "", false
 }
 
-func GetImageNameForServiceName(svcName string, appSpec *v1.AppSpec, imageData v1.ImagesData) (result string, found bool) {
-	var (
-		parts         = strings.Split(svcName, ".")
-		containerName string
-		sidecarName   string
-	)
-
-	if len(parts) > 2 {
-		return "", false
-	} else if len(parts) == 2 {
-		containerName, sidecarName = parts[0], parts[1]
-	} else {
-		containerName = svcName
-	}
-
-	if serviceDef, ok := appSpec.Services[svcName]; ok {
-		return findAcornImage(imageData, serviceDef.AutoUpgrade, serviceDef.Image, serviceDef.Build)
-	} else if acornDef, ok := appSpec.Acorns[svcName]; ok {
-		return findAcornImage(imageData, acornDef.AutoUpgrade, acornDef.Image, acornDef.Build)
-	} else if containerDef, ok := appSpec.Containers[containerName]; ok {
-		if sidecarName != "" {
-			containerDef, ok = containerDef.Sidecars[sidecarName]
-			if !ok {
-				return "", false
-			}
-		}
-		result, ok := findContainerImage(imageData, containerDef.Image, containerDef.Build)
-		// Only fall back to this check if there are no build records available, or this was a old build
-		// that didn't record build with a context dir properly
-		if !ok && notDirectReference(containerDef, imageData) {
-			return findImageInImageData(imageData, svcName)
-		}
-		return result, ok
-	} else if jobDef, ok := appSpec.Jobs[containerName]; ok {
-		if sidecarName != "" {
-			jobDef, ok = jobDef.Sidecars[sidecarName]
-			if !ok {
-				return "", false
-			}
-		}
-		result, ok := findContainerImage(imageData, jobDef.Image, jobDef.Build)
-		// Only fall back to this check if there are no build records available, or this was a old build
-		// that didn't record build with a context dir properly
-		if !ok && notDirectReference(jobDef, imageData) {
-			return findImageInImageData(imageData, svcName)
-		}
-		return result, ok
-	} else if imageDef, ok := appSpec.Images[svcName]; ok {
-		if imageDef.Build != nil {
-			return findContainerImage(imageData, "", imageDef.Build)
-		} else if imageDef.AcornBuild != nil {
-			return findContainerImage(imageData, "", imageDef.Build)
-		} else {
-			return findImageInImageData(imageData, svcName)
-		}
-	}
-
-	return "", false
-}
-
 func GetImageReferenceForServiceName(svcName string, appSpec *v1.AppSpec, imageData v1.ImagesData) (result string, found bool) {
 	var (
 		parts         = strings.Split(svcName, ".")

pkg/cli/install.go

@@ -94,8 +94,6 @@ func (i *Install) Run(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid --api-server-pod-annotations: %w", err)
 	}
 
-	i.Config.RestrictedAPIGroups = i.RestrictedAPIGroups
-
 	opts := &install.Options{
 		SkipChecks:                          i.SkipChecks,
 		Quiet:                               i.Quiet,

pkg/config/config.go

@@ -147,11 +147,6 @@ func complete(ctx context.Context, c *apiv1.Config, getter kclient.Reader, inclu
 			}
 		}
 	}
-
-	if c.RestrictedAPIGroups == nil {
-		c.RestrictedAPIGroups = profile.RestrictedAPIGroups
-	}
-
 	if c.CertManagerIssuer == nil {
 		c.CertManagerIssuer = profile.CertManagerIssuer
 	}
@@ -389,9 +384,6 @@ func merge(oldConfig, newConfig *apiv1.Config) *apiv1.Config {
 	if newConfig.Features != nil {
 		mergedConfig.Features = newConfig.Features
 	}
-	if newConfig.RestrictedAPIGroups != nil {
-		mergedConfig.RestrictedAPIGroups = newConfig.RestrictedAPIGroups
-	}
 
 	if len(newConfig.PropagateProjectAnnotations) > 0 && newConfig.PropagateProjectAnnotations[0] == "" {
 		mergedConfig.PropagateProjectAnnotations = nil

pkg/controller/permissions/permissions_check.go

@@ -9,14 +9,9 @@ import (
 	"github.com/acorn-io/baaah/pkg/uncached"
 	apiv1 "github.com/acorn-io/runtime/pkg/apis/api.acorn.io/v1"
 	v1 "github.com/acorn-io/runtime/pkg/apis/internal.acorn.io/v1"
-	"github.com/acorn-io/runtime/pkg/config"
-	"github.com/acorn-io/runtime/pkg/imageallowrules"
-	"github.com/acorn-io/runtime/pkg/images"
 	"github.com/acorn-io/runtime/pkg/tags"
 	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 func CopyPromoteStagedAppImage(req router.Request, resp router.Response) error {
@@ -72,84 +67,6 @@ func CheckImagePermissions(req router.Request, resp router.Response) error {
 			details.AppImage.Digest, appImage.Digest)
 	}
 
-	cfg, err := config.Get(req.Ctx, req.Client)
-	if err != nil {
-		return err
-	}
-
-	if len(cfg.RestrictedAPIGroups) > 0 {
-		logrus.Infof("checking %d restricted API groups for image [%s]", len(cfg.RestrictedAPIGroups), appImage.ID)
-		requestedAPIGroups := map[string]sets.Set[string]{}
-
-		ref, err := images.GetImageReference(req.Ctx, req.Client, app.Namespace, imageName)
-		if err != nil {
-			return err
-		}
-
-		parentRef := ref.Context().Digest(appImage.Digest).String()
-		imgsList := []string{parentRef}
-		for _, perm := range details.Permissions {
-			for _, rule := range perm.Rules {
-				for _, g := range rule.APIGroups {
-					if _, ok := requestedAPIGroups[g]; !ok {
-						requestedAPIGroups[g] = sets.New[string](parentRef)
-					}
-				}
-			}
-		}
-
-		for _, nested := range details.NestedImages {
-			ref, err := images.GetImageReference(req.Ctx, req.Client, app.Namespace, nested.ImageRef)
-			if err != nil {
-				return err
-			}
-			nestedRef := ref.Context().Digest(nested.Digest).String()
-			imgsList = append(imgsList, nestedRef)
-			for _, perm := range nested.Permissions {
-				for _, rule := range perm.Rules {
-					for _, g := range rule.APIGroups {
-						if _, ok := requestedAPIGroups[g]; !ok {
-							requestedAPIGroups[g] = sets.New[string](nestedRef)
-						} else {
-							requestedAPIGroups[g].Insert(nestedRef)
-						}
-					}
-				}
-			}
-		}
-		iars := []v1.ImageAllowRuleInstance{
-			{
-				ObjectMeta: metav1.ObjectMeta{Name: "RAGCheck"},
-				Images:     imgsList,
-				Signatures: v1.ImageAllowRuleSignatures{Rules: []v1.SignatureRules{{SignedBy: v1.SignedBy{AllOf: []string{}}}}},
-			},
-		}
-		setAuthority := func(iars []v1.ImageAllowRuleInstance, authority string) {
-			for i := range iars {
-				iars[i].Signatures.Rules[0].SignedBy.AllOf = []string{authority}
-			}
-		}
-		for restrictedGroup, requiredAuthority := range cfg.RestrictedAPIGroups {
-			if imgIDs, ok := requestedAPIGroups[restrictedGroup]; ok {
-				logrus.Infof("restricted API group [%s] used by images [%s]: Checking parent image %s against %s", restrictedGroup, sets.List(imgIDs), parentRef, requiredAuthority)
-				setAuthority(iars, requiredAuthority)
-				if err := imageallowrules.CheckImageAgainstRules(req.Ctx, req.Client, app.Namespace, parentRef, details.AppImage.Digest, iars, nil); err == nil {
-					logrus.Infof("Parent image [%s] authorized to use [%s] by [%s]", parentRef, restrictedGroup, requiredAuthority)
-					continue
-				}
-				logrus.Infof("Parent image [%s] not authorized to use [%s] by [%s]: Checking individual images...", parentRef, restrictedGroup, requiredAuthority)
-				for _, imageID := range sets.List[string](imgIDs) {
-					logrus.Infof("restricted API group [%s] used by image [%s]: Checking against %s", restrictedGroup, imageID, requiredAuthority)
-					if err := imageallowrules.CheckImageAgainstRules(req.Ctx, req.Client, app.Namespace, parentRef, details.AppImage.Digest, iars, nil); err != nil {
-						return fmt.Errorf("image [%s] not authorized to use [%s] by [%s]", imageID, restrictedGroup, requiredAuthority)
-					}
-				}
-			} else {
-				logrus.Infof("restricted API group [%s] not used by image [%s]", restrictedGroup, parentRef)
-			}
-		}
-	}
-
 	missing, _ := v1.GrantsAll(app.Namespace, details.GetPermissions(), app.Spec.GetPermissions())
 	app.Status.Staged.PermissionsObservedGeneration = app.Generation
 	app.Status.Staged.PermissionsChecked = true

pkg/cosign/keys.go

@@ -18,7 +18,6 @@ import (
 	"github.com/secure-systems-lab/go-securesystemslib/encrypted"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
-	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -144,10 +143,6 @@ func ImportKeyPair(keyPath string, pass []byte) (*KeysBytes, error) {
 
 	var signer crypto.Signer
 
-	if pass != nil && pemBlock.Type != "OPENSSH PRIVATE KEY" {
-		return nil, fmt.Errorf("decryption of protected keys is only supported for OPENSSH and COSIGN Keys")
-	}
-
 	switch pemBlock.Type {
 	case cosign.RSAPrivateKeyPemType:
 		rsaPk, err := x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
@@ -177,7 +172,6 @@ func ImportKeyPair(keyPath string, pass []byte) (*KeysBytes, error) {
 			return nil, err
 		}
 	case "OPENSSH PRIVATE KEY":
-		logrus.Infof("Parsing OpenSSH private key")
 		var (
 			err error
 			key crypto.PrivateKey

pkg/imageallowrules/imageallowrules.go

@@ -38,23 +38,13 @@ func (e *ErrImageNotAllowed) Is(target error) bool {
 
 // CheckImageAllowed checks if the image is allowed by the ImageAllowRules on cluster and project level
 func CheckImageAllowed(ctx context.Context, c client.Reader, namespace, image, digest string, opts ...remote.Option) error {
-	cfg, err := config.Get(ctx, c)
-	if err != nil {
-		return err
-	}
-
-	// IAR not enabled? Allow all images.
-	if cfg.Features == nil || !cfg.Features[profiles.FeatureImageAllowRules] {
-		return nil
-	}
-
 	// Get ImageAllowRules in the same namespace as the AppInstance
 	rulesList := &v1.ImageAllowRuleInstanceList{}
 	if err := c.List(ctx, rulesList, &client.ListOptions{Namespace: namespace}); err != nil {
 		return fmt.Errorf("failed to list ImageAllowRules: %w", err)
 	}
 
-	opts, err = images.GetAuthenticationRemoteOptions(ctx, c, namespace, opts...)
+	opts, err := images.GetAuthenticationRemoteOptions(ctx, c, namespace, opts...)
 	if err != nil {
 		return err
 	}
@@ -73,6 +63,16 @@ func CheckImageAllowed(ctx context.Context, c client.Reader, namespace, image, d
 // - ALLOWED if strict mode is disabled (the default)
 // ! Only one single rule has to allow the image for this to pass !
 func CheckImageAgainstRules(ctx context.Context, c client.Reader, namespace string, image string, digest string, imageAllowRules []v1.ImageAllowRuleInstance, keychain authn.Keychain, opts ...remote.Option) error {
+	cfg, err := config.Get(ctx, c)
+	if err != nil {
+		return err
+	}
+
+	// IAR not enabled? Allow all images.
+	if cfg.Features == nil || !cfg.Features[profiles.FeatureImageAllowRules] {
+		return nil
+	}
+
 	// No rules? Deny all images.
 	if len(imageAllowRules) == 0 {
 		return &ErrImageNotAllowed{Image: image}

pkg/imagedetails/imagedetails.go

@@ -178,9 +178,8 @@ func prependServiceName(serviceName string, perms []v1.Permissions) (result []v1
 	return
 }
 
-func toNestedImage(serviceName string, details *apiv1.ImageDetails, imageName string) (result []apiv1.NestedImage) {
+func toNestedImage(serviceName string, details *apiv1.ImageDetails) (result []apiv1.NestedImage) {
 	result = append(result, apiv1.NestedImage{
-		ImageRef:        imageName,
 		Name:            details.AppImage.Name,
 		Digest:          details.AppImage.Digest,
 		SignatureDigest: details.SignatureDigest,
@@ -190,7 +189,6 @@ func toNestedImage(serviceName string, details *apiv1.ImageDetails, imageName st
 
 	for _, nested := range details.NestedImages {
 		result = append(result, apiv1.NestedImage{
-			ImageRef:        nested.ImageRef,
 			Name:            nested.Name,
 			Digest:          nested.Digest,
 			SignatureDigest: nested.SignatureDigest,
@@ -227,7 +225,7 @@ func getNestedAcorns(ctx context.Context, c kclient.Client, namespace, image str
 			return nil, err
 		}
 
-		result = append(result, toNestedImage(acornName, details, acorn.Image)...)
+		result = append(result, toNestedImage(acornName, details)...)
 	}
 
 	return
@@ -261,7 +259,7 @@ func getNestedServices(ctx context.Context, c kclient.Client, namespace, image s
 			return nil, err
 		}
 
-		result = append(result, toNestedImage(serviceName, details, service.Image)...)
+		result = append(result, toNestedImage(serviceName, details)...)
 	}
 
 	return