This repository has been archived by the owner on Mar 16, 2024. It is now read-only.
1. Enable IAR feature (`acorn install --features image-allow-rules=true`)

2. Add an IAR that allows all images that are signed by a key, say key1 (in my case santest3)

```
kubectl describe imageallowrules -n mm
Name:         rule1
Namespace:    mm
Labels:       <none>
Annotations:  <none>
API Version:  api.acorn.io/v1
Images:
  **
Kind:  ImageAllowRule
Metadata:
  Creation Timestamp:  2023-08-14T22:54:47Z
  Generation:          1
  Resource Version:    2002078
  UID:                 4682edc8-4971-49b1-8866-edb59fdfffc9-p
Signatures:
  Rules:
    Annotations:
      Match:
        Qatag:  ok
    Signed By:
      All Of:
        -----BEGIN PUBLIC KEY-----
        ******
        -----END PUBLIC KEY-----
Events:  <none>
```

3. Deploy app using an image that is not signed.

User is presented with the following error message:

```
% acorn run -n test4 ghcr.io/sangee2004/mynewcopytest:v0.0.1
✗ ERROR: App.api.acorn.io "test4" is invalid: spec.image: Forbidden: ghcr.io/sangee2004/mynewcopytest:v0.0.1 not allowed to run: signature verification failed: expected signature artifact ghcr.io/sangee2004/mynewcopytest:sha256-***.sig not found
```

4. Sign the app with a key different than key1 (santest3 in my case)

```
% acorn image sign ghcr.io/sangee2004/mynewcopytest:v0.0.1 --key ~/santest2.key -a qatag=ok
• Signing Image ghcr.io/sangee2004/mynewcopytest:v0.0.1 (digest: ghcr.io/sangee2004/mynewcopytest@sha256:ea92031f6bba821d5ce23b5608f898296113ac027ebd8fb1d83bc7d630fbde29) using key /Users/sangeethahariharan/santest2.key
? Enter password for private key /Users/sangeethahariharan/santest2.key: ********
✔ Done: Pushed signature sha256:****
```

5. Deploy app using this image.

```
% acorn run -n test4 ghcr.io/sangee2004/mynewcopytest:v0.0.1
• WARNING: This application would like to use the image 'ghcr.io/sangee2004/mynewcopytest:v0.0.1'.
This image is not trusted by any image allow rules in this project.
This could be VERY DANGEROUS to the cluster if you do not trust this
application. If you are unsure say no.
? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? [Use arrows to move, type to filter]
> NO
yes (this tag only)
repository (all images in this repository)
registry (all images in this registry)
all (all images out there)
✗ ERROR: interrupt: image <ghcr.io/sangee2004/mynewcopytest:v0.0.1> is not allowed by any ImageAllowRule in this project
```

This time we are prompted for allowing the image.

Why are the app deployment failures in steps 3 and 5 being handled differently? It is confusing to see 2 different behaviors.
- clarify output of `acorn image sign`
- fix: properly handle images with missing required signature
- fix: DO NOT try to delete signature from remote registry
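
An added example, not Acorn's code and not part of the original report: a minimal Go model of the consistent handling the report asks for, in which an image with no signature and an image signed by a key the rule does not trust both end in the same denial. The `Rule` and `Signature` types, `payload`, `CheckImage`, the ed25519 keys and the digest string are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed model for illustration; these are not Acorn's own types.
type Signature struct {
	Annotations map[string]string
	Sig         []byte
}
type Rule struct {
	SignedBy    ed25519.PublicKey // key the rule trusts ("key1" in the report)
	Annotations map[string]string // annotations a signature must carry
}
var ErrNotAllowed = errors.New("image is not allowed by any ImageAllowRule in this project")

// payload binds the annotations to the digest so the signature covers both.
func payload(digest string, ann map[string]string) []byte {
	b, _ := json.Marshal([]interface{}{digest, ann}) // map keys are emitted sorted
	return b
}

// CheckImage returns nil if some rule is satisfied, otherwise one uniform denial.
func CheckImage(rules []Rule, digest string, sigs []Signature) error {
	for _, r := range rules {
		for _, s := range sigs { // zero signatures: the loop body never runs
			ok := ed25519.Verify(r.SignedBy, payload(digest, s.Annotations), s.Sig)
			for k, v := range r.Annotations {
				ok = ok && s.Annotations[k] == v
			}
			if ok {
				return nil
			}
		}
	}
	return ErrNotAllowed
}

func main() {
	pub1, _, _ := ed25519.GenerateKey(nil)  // key1, trusted by the rule
	_, priv2, _ := ed25519.GenerateKey(nil) // a different, untrusted key
	d, ann := "sha256:constructed-digest", map[string]string{"qatag": "ok"}
	rules := []Rule{{pub1, ann}}
	fmt.Println(CheckImage(rules, d, nil)) // unsigned image
	fmt.Println(CheckImage(rules, d, []Signature{{ann, ed25519.Sign(priv2, payload(d, ann))}}))
}
```

Both calls in `main` print the same denial, so a caller can decide once whether to prompt or reject instead of taking a separate error path when the signature artifact is absent.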
Tested with acorn version - v0.8.0-rc4-47-g80dd7169+80dd7169
Same behavior is seen when app deployment is not allowed because of being restricted by IAR in case of image not being signed at all or when image is signed with a key not satisfied by IAR.
% acorn run -n test4 ghcr.io/sangee2004/testlocal:v0.0.1
• WARNING: This application would like to use the image 'ghcr.io/sangee2004/testlocal:v0.0.1'.
This image is not trusted by any image allow rules in this project.
This could be VERY DANGEROUS to the cluster if you do not trust this
application. If you are unsure say no.
? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? NO
✗ ERROR: image <ghcr.io/sangee2004/testlocal:v0.0.1> is not allowed by any ImageAllowRule in this project
% acorn image sign ghcr.io/sangee2004/testlocal:v0.0.1 --key ~/santest2.key -a qatag=ok
• Signing Image ghcr.io/sangee2004/testlocal:v0.0.1 (digest: ghcr.io/sangee2004/testlocal@sha256:543ca38d7f6e7d57ce1fe5f79485b909988b4107a52c5af137af3d46d61b78b6) using key /Users/sangeethahariharan/santest2.key
? Enter password for private key /Users/sangeethahariharan/santest2.key: ********
✔ Created signature sha256:xxxxx
% acorn run -n test4 ghcr.io/sangee2004/testlocal:v0.0.1
• WARNING: This application would like to use the image 'ghcr.io/sangee2004/testlocal:v0.0.1'.
This image is not trusted by any image allow rules in this project.
This could be VERY DANGEROUS to the cluster if you do not trust this
application. If you are unsure say no.
? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? NO
✗ ERROR: image <ghcr.io/sangee2004/testlocal:v0.0.1> is not allowed by any ImageAllowRule in this project
acorn version - v0.8.0-rc4+b6a95e8a