This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

Misleading error message when trying to deploy an app with an unsigned image in a project that has ImageAllowRules. #1409

Closed
sangee2004 opened this issue Mar 29, 2023 · 4 comments
Labels
kind/bug Something isn't working

@sangee2004
Contributor

acorn version v0.6.0-93-gd9de8c30+d9de8c30

Steps to reproduce the problem:
Create ImageAllowRules:

kind: ImageAllowRules
metadata:
  name: testrules-project
  namespace: testp1
signatures:
  rules:
    - signedBy:
        anyOf:
          - |
            -----BEGIN PUBLIC KEY-----
            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEn3TS2G8lKMA2B6CT9mWZ3H6Z4k/h
            5RvYIFIPNvExwsV40B9xi3v2jBF2ODSINhPxHJOAs+eHZW3AitIwthqOsQ==
            -----END PUBLIC KEY-----
        allOf: []
      annotations:
        match:
          tag: ok

Deploy an app with image that is not signed.
We are not allowed to deploy the app, as expected, with the following error message:

acorn run -n mytes3 docker.io/sangeetha/<image>:latest
  ✗  ERROR:  App.api.acorn.io "mytes3" is invalid: spec.image: Invalid value: "docker.io/sangeetha/<image>:latest": disallowed by imageAllowRules: error verifying image docker.io/sangeetha/mydeletecheck:latest against testp1/testrules-project.signatures.anyOf.*: error verifying image docker.io/sangeetha/mydeletecheck:latest against testp1/testrules-project.signatures.anyOf.0: no matching signatures: expected signature artifact index.docker.io/sangeetha/mydeletecheck:sha256-47a8d83df3aef36b48a15415549e6487ddb94075c77e0d7f33894685e8bcce4e.sig not found

The error message repeats the signature error twice, there is no information about the missing tag "ok", and the expected signature artifact info is confusing.

@iwilltry42
Contributor

That error message actually says that there is no signature artifact at all for the target image:

expected signature artifact index.docker.io/sangeetha/mydeletecheck:sha256-47a8d83df3aef36b48a15415549e6487ddb94075c77e0d7f33894685e8bcce4e.sig not found

Since there's no signature artifact, there's nothing to unpack and check for annotations, so it doesn't even get to check the annotations.
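The two-stage check described above (look up the signature artifact first, then check keys and annotations), as an added Go example that is not acorn's or cosign's code. It uses a constructed in-memory registry, a simplified signed payload (image digest plus sorted annotations) standing in for cosign's simple-signing JSON, and returns a distinct verdict per failure so the message names only the condition that actually failed. Image tags, key names and the Registry/Rule types are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Verdict distinguishes the three failure conditions the issue asks to be reported separately.
type Verdict int

const (
	Allowed             Verdict = iota
	NoSignatureArtifact         // nothing stored under sha256-<digest>.sig
	NoMatchingKey               // artifact exists, but no signature verifies with an allowed key
	AnnotationMismatch          // signature verifies, but a required annotation is absent or differs
)

func (v Verdict) String() string {
	return [...]string{"Allowed", "NoSignatureArtifact", "NoMatchingKey", "AnnotationMismatch"}[v]
}

// SigArtifact models a cosign-style signature: ASN.1 DER ECDSA signature plus the signed annotations.
type SigArtifact struct {
	Sig         []byte
	Annotations map[string]string
}

// Registry is a constructed in-memory stand-in for an OCI registry (assumption, not a real client).
type Registry struct {
	Images map[string]string       // tag -> sha256 digest (hex)
	Sigs   map[string]*SigArtifact // signature tag -> artifact
}

// SigTag is the tag under which cosign stores an image's signature artifact.
func SigTag(digestHex string) string { return "sha256-" + digestHex + ".sig" }

// Rule mirrors the ImageAllowRules fields used on the page: signedBy.anyOf and annotations.match.
type Rule struct {
	AnyOf       []*ecdsa.PublicKey
	Annotations map[string]string
}

// payload binds the annotations to the digest, so editing annotations after signing breaks the signature.
func payload(digestHex string, ann map[string]string) []byte {
	keys := make([]string, 0, len(ann))
	for k := range ann {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString(digestHex)
	for _, k := range keys {
		fmt.Fprintf(&b, "\n%s=%s", k, ann[k])
	}
	sum := sha256.Sum256([]byte(b.String()))
	return sum[:]
}

// Sign produces a signature artifact for an image digest with the given annotations.
func Sign(priv *ecdsa.PrivateKey, digestHex string, ann map[string]string) (*SigArtifact, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, payload(digestHex, ann))
	if err != nil {
		return nil, err
	}
	return &SigArtifact{Sig: sig, Annotations: ann}, nil
}

// Verify checks one image tag against a rule; the artifact lookup happens before any key or
// annotation check, which is why an unsigned image never produces an annotation complaint.
func Verify(r *Registry, tag string, rule Rule) (Verdict, error) {
	digest, ok := r.Images[tag]
	if !ok {
		return NoSignatureArtifact, fmt.Errorf("image %s not found in registry", tag)
	}
	art, ok := r.Sigs[SigTag(digest)]
	if !ok {
		return NoSignatureArtifact, fmt.Errorf("image %s is not signed: no signature artifact at %s", tag, SigTag(digest))
	}
	signed := false
	for _, pub := range rule.AnyOf {
		if ecdsa.VerifyASN1(pub, payload(digest, art.Annotations), art.Sig) {
			signed = true
			break
		}
	}
	if !signed {
		return NoMatchingKey, fmt.Errorf("image %s: signature artifact found but no signature matches any key in signedBy.anyOf", tag)
	}
	var diffs []string
	for k, want := range rule.Annotations {
		if got, ok := art.Annotations[k]; !ok || got != want {
			diffs = append(diffs, fmt.Sprintf("%s: want %q, got %q", k, want, got))
		}
	}
	if len(diffs) > 0 {
		return AnnotationMismatch, fmt.Errorf("image %s: signature valid but annotations do not match: %s", tag, strings.Join(diffs, "; "))
	}
	return Allowed, nil
}

// Demo builds a constructed registry with one image per case and returns the verdict for each.
func Demo() (map[string]Verdict, error) {
	trusted, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	stranger, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rule := Rule{AnyOf: []*ecdsa.PublicKey{&trusted.PublicKey}, Annotations: map[string]string{"tag": "ok"}}
	r := &Registry{Images: map[string]string{}, Sigs: map[string]*SigArtifact{}}
	cases := []struct {
		tag string
		key *ecdsa.PrivateKey // nil leaves the image unsigned
		ann map[string]string
	}{
		{"app:unsigned", nil, nil},
		{"app:wrongkey", stranger, map[string]string{"tag": "ok"}},
		{"app:notag", trusted, map[string]string{"tag": "dev"}},
		{"app:good", trusted, map[string]string{"tag": "ok"}},
	}
	out := map[string]Verdict{}
	for i, c := range cases {
		d := fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("constructed-image-%d", i))))
		r.Images[c.tag] = d
		if c.key != nil {
			art, err := Sign(c.key, d, c.ann)
			if err != nil {
				return nil, err
			}
			r.Sigs[SigTag(d)] = art
		}
		v, err := Verify(r, c.tag, rule)
		out[c.tag] = v
		fmt.Printf("%-13s %-20s %v\n", c.tag, v, err)
	}
	return out, nil
}

func main() {
	if _, err := Demo(); err != nil {
		panic(err)
	}
}
```

Because the annotations are part of what is signed, an artifact whose annotations were edited after signing fails at the key step rather than the annotation step; the annotation comparison only runs on data a trusted key has vouched for.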

@iwilltry42 iwilltry42 self-assigned this Apr 11, 2023
@cjellick cjellick modified the milestones: v0.7.0, v0.8.0 Apr 11, 2023
@iwilltry42
Contributor

@sangee2004 is this still valid after the recent large changes to IARs?

@sangee2004
Contributor Author

Blocked on - #1970

@iwilltry42 iwilltry42 self-assigned this Jul 25, 2023
iwilltry42 added a commit that referenced this issue Jul 28, 2023
…oupgrade patterns (#1698 + #1970 + #1409) (#1984)

* fix: properly handle image-not-allowed errors for normal tags and autoupgrade patterns

Signed-off-by: Thorsten Klein <tk@thklein.io>

* change: more precise error message if image fails verification due to missing signature

Signed-off-by: Thorsten Klein <tk@thklein.io>

---------

Signed-off-by: Thorsten Klein <tk@thklein.io>
@sangee2004
Contributor Author

Tested with acorn version v0.8.0-rc4+b6a95e8a

The error message presented to the user when trying to deploy an app whose image they choose not to allow is as expected.

acorn run -n hello3 sangeeth/myfirstacorn:v0.0.1
  ✗  ERROR:  GET https://index.docker.io/v2/sangeeth/myfirstacorn/manifests/v0.0.1: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:sangeeth/myfirstacorn Type:repository]]
sangeethahariharan@Sangeethas-MacBook-Pro example1 % acorn run -n hello3 sangeetha/myfirstacorn:v0.0.1
  •  WARNING:  This application would like to use the image 'sangeetha/myfirstacorn:v0.0.1'.
                 This image is not trusted by any image allow rules in this project.
                 This could be VERY DANGEROUS to the cluster if you do not trust this
                 application. If you are unsure say no.

? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? NO
  ✗  ERROR:  image <sangeetha/myfirstacorn:v0.0.1> is not allowed by any ImageAllowRule in this project

cloudnautique pushed a commit to cloudnautique/runtime that referenced this issue Sep 28, 2023
…oupgrade patterns (acorn-io#1698 + acorn-io#1970 + acorn-io#1409) (acorn-io#1984)