Skip to content
This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

IAR - Inconsistent behavior when deploying apps that do not satisfy IAR. #2064

Closed
sangee2004 opened this issue Aug 14, 2023 · 1 comment
Closed

IAR - Inconsistent behavior when deploying apps that do not satisfy IAR. #2064

sangee2004 opened this issue Aug 14, 2023 · 1 comment
Assignees
@iwilltry42
Labels
kind/bug Something isn't working
Milestone
v0.8.0

Comments

@sangee2004
Copy link
Contributor

sangee2004 commented Aug 14, 2023
edited by iwilltry42

acorn version - v0.8.0-rc4+b6a95e8a

Steps to reproduce the problem:

  1. Enable IAR feature (acorn install --features image-allow-rules=true)
  2. Add IAR that allows all images that are signed by a key say key1 - (in my santest3)
kubectl describe imageallowrules -n mm                                     
Name:         rule1
Namespace:    mm
Labels:       <none>
Annotations:  <none>
API Version:  api.acorn.io/v1
Images:
  **
Kind:  ImageAllowRule
Metadata:
  Creation Timestamp:  2023-08-14T22:54:47Z
  Generation:          1
  Resource Version:    2002078
  UID:                 4682edc8-4971-49b1-8866-edb59fdfffc9-p
Signatures:
  Rules:
    Annotations:
      Match:
        Qatag:  ok
    Signed By:
      All Of:
        -----BEGIN PUBLIC KEY-----
******
-----END PUBLIC KEY-----

Events:  <none>
  1. Deploy app using image that is not signed .
    User is presented to following error message:
 % acorn run -n test4 ghcr.io/sangee2004/mynewcopytest:v0.0.1                              
  ✗  ERROR:  App.api.acorn.io "test4" is invalid: spec.image: Forbidden: ghcr.io/sangee2004/mynewcopytest:v0.0.1 not allowed to run: signature verification failed: expected signature artifact ghcr.io/sangee2004/mynewcopytest:sha256-***.sig not found
  1. Sign the app with a key different that key1 ( santest3 in my case)
% acorn image sign ghcr.io/sangee2004/mynewcopytest:v0.0.1 --key ~/santest2.key -a qatag=ok
  •  Signing Image ghcr.io/sangee2004/mynew
copytest:v0.0.1 (digest: ghcr.io/sangee2004/mynewcopytest@sha256:ea92031f6bba821d5ce23b5608f898296113ac027ebd8fb1d83bc7d630fbde29) using key /Users/sangeethahariharan/santest2.key
? Enter password for private key /Users/sangeethahariharan/santest2.key: ********
  ✔  Done: Pushed signature sha256:****
  1. Deploy app using this image.
% acorn run -n test4 ghcr.io/sangee2004/mynewcopytest:v0.0.1                               
  •  WARNING:  This application would like to use the image 'ghcr.io/sangee2004/mynewcopytest:v0.0.1'.
                 This image is not trusted by any image allow rules in this project.
                 This could be VERY DANGEROUS to the cluster if you do not trust this
                 application. If you are unsure say no.

? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image?  [Use arrows to move, type to filter]
> NO
  yes (this tag only)
  repository (all images in this repository)
  registry (all images in this registry)
  all (all images out there)
  ✗  ERROR:  interrupt: image <ghcr.io/sangee2004/mynewcopytest:v0.0.1> is not allowed by any ImageAllowRule in this project

This time we are prompted for allowing the image.

Why are the app deployment failures in step 3 and 5 being handled differently? It is confusing to see 2 different behaviors.
@sangee2004 sangee2004 added the kind/bug Something isn't working label Aug 14, 2023
@sangee2004 sangee2004 added this to the v0.8.0 milestone Aug 14, 2023
@iwilltry42 iwilltry42 mentioned this issue Aug 16, 2023
Merged
7 tasks
iwilltry42 added a commit that referenced this issue Aug 21, 2023
@iwilltry42
change: Improve Usage of ImageAllowRules (#2067 + #2064 + #2069) (#2074)
2406705 
- clarify output of  `acorn image sign`
- fix: properly handle images with missing required signature
- fix: DO NOT try to delete signature from remote registry
@sangee2004 sangee2004 mentioned this issue Aug 21, 2023
Closed
@sangee2004
Copy link
Contributor Author

Tested with acorn version - v0.8.0-rc4-47-g80dd7169+80dd7169

Same behavior is seen when app deployment is not allowed because of being restricted by IAR in case of image not being signed at all or when image is signed with a key not satisfied by IAR.

%acorn run -n test4 ghcr.io/sangee2004/testlocal:v0.0.1  
  •  WARNING:  This application would like to use the image 'ghcr.io/sangee2004/testlocal:v0.0.1'.
                 This image is not trusted by any image allow rules in this project.
                 This could be VERY DANGEROUS to the cluster if you do not trust this
                 application. If you are unsure say no.

? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? NO
  ✗  ERROR:  image <ghcr.io/sangee2004/testlocal:v0.0.1> is not allowed by any ImageAllowRule in this project

% acorn image sign  ghcr.io/sangee2004/testlocal:v0.0.1 --key ~/santest2.key -a qatag=ok
  •  Signing Image ghcr.io/sangee2004/testlocal:v0.0.1 (digest: ghcr.io/sangee2004/testlocal@sha256:543ca38d7f6e7d57ce1fe5f79485b909988b4107a52c5af137af3d46d61b78b6) using key /Users/sangeethahariharan/santest2.key
? Enter password for private key /Users/sangeethahariharan/santest2.key: ********
  ✔  Created signature sha256:xxxxx

 % acorn run -n test4 ghcr.io/sangee2004/testlocal:v0.0.1                                
  •  WARNING:  This application would like to use the image 'ghcr.io/sangee2004/testlocal:v0.0.1'.
                 This image is not trusted by any image allow rules in this project.
                 This could be VERY DANGEROUS to the cluster if you do not trust this
                 application. If you are unsure say no.

? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? NO
  ✗  ERROR:  image <ghcr.io/sangee2004/testlocal:v0.0.1> is not allowed by any ImageAllowRule in this project

cloudnautique pushed a commit to cloudnautique/runtime that referenced this issue Sep 28, 2023
@iwilltry42 @cloudnautique
change: Improve Usage of ImageAllowRules (acorn-io#2067 + acorn-io#2064
affee3a 
… + acorn-io#2069) (acorn-io#2074)

- clarify output of  `acorn image sign`
- fix: properly handle images with missing required signature
- fix: DO NOT try to delete signature from remote registry
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@iwilltry42 iwilltry42

Labels
kind/bug Something isn't working
Projects
None yet
Milestone
v0.8.0
Development

No branches or pull requests
2 participants
@iwilltry42 @sangee2004