panic when an image name is formatted with unspecified tag or digest #508

Open
julianvmodesto opened this issue May 14, 2020 · 3 comments
@julianvmodesto

Expected Behavior

I expect for a Pod with a specified image without any tag or digest specified to be validated, such as gcr.io/my-project/nginx (as opposed to gcr.io/my-project/nginx:latest).

Actual Behavior

I receive the following error:

$ kubectl apply -f app.yaml
Error from server (InternalError): error when creating "resolve.yaml": Internal error occurred: failed calling webhook "kritis-validation-hook.grafeas.io": Post https://kritis-validation-hook.default.svc:443/?timeout=30s: stream error: stream ID 1; INTERNAL_ERROR

This issue is similar to: #82

Steps to Reproduce the Problem

Apply an image without any tag or digest specified, such as gcr.io/my-project/nginx

Additional info

Panic:

kritis-validation-hook-685b4bc677-kjfdt kritis-server 2020/05/14 21:20:59 http2: panic serving 172.16.17.10:45338: runtime error: invalid memory address or nil pointer dereference
kritis-validation-hook-685b4bc677-kjfdt kritis-server goroutine 822 [running]:
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.(*http2serverConn).runHandler.func1(0xc0000c8078, 0xc000527faf, 0xc00050c780)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/h2_bundle.go:5681 +0x16b
kritis-validation-hook-685b4bc677-kjfdt kritis-server panic(0x123a460, 0x212e600)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/runtime/panic.go:522 +0x1b5
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/secrets.(*PgpKey).Fingerprint(...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/secrets/pgpkey.go:69
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/secrets.KeyAndFingerprint(0x0, 0x0, 0x472552, 0x3, 0x409e13, 0xc000526560, 0x47214a, 0xc0001bf980)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/secrets/pgpkey.go:127 +0x10b
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/review.(*AttestorValidatingTransport).GetValidatedAttestations(0xc000107340, 0xc000599580, 0x19, 0xc00042e240, 0x14, 0x13c87e6, 0x11, 0x13be9c0)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/review/validating_transport.go:44 +0xaf
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/review.Reviewer.findUnsatisfiedAuths(0xc00044e540, 0xc000599580, 0x19, 0xc000106840, 0x1, 0x1, 0x159f640, 0xc00044e390, 0x0, 0xc00026c320, ...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/review/review.go:149 +0x203
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/review.Reviewer.ReviewGAP(0xc00044e540, 0xc00063a190, 0x1, 0x1, 0xc00014c000, 0x1, 0x1, 0xc000236380, 0x159f640, 0xc00044e390, ...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/review/review.go:77 +0x24c
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.reviewGenericAttestationPolicy(0xc00063a190, 0x1, 0x1, 0xc00054c6d0, 0x7, 0xc000236380, 0xc000626480, 0xc00014c000, 0x1, 0x1, ...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:318 +0x2b5
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.reviewImages(0xc00063a190, 0x1, 0x1, 0xc00054c6d0, 0x7, 0xc000236380, 0xc000626480, 0xc000458a50)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:270 +0x849
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.reviewPod(0xc000236380, 0xc000626480, 0xc000458a50)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:336 +0x1f1
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.handlePod(0xc000626390, 0xc000626480, 0xc000458a50, 0xc000598601, 0x18)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:138 +0x148
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.ReviewHandler(0x15aca00, 0xc0000c8078, 0xc00015ed00, 0xc000458a50)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:213 +0x391
kritis-validation-hook-685b4bc677-kjfdt kritis-server main.main.func1(0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/cmd/kritis/admission/main.go:138 +0x48
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.HandlerFunc.ServeHTTP(0xc0003963b0, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:1995 +0x44
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.(*ServeMux).ServeHTTP(0x21479a0, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:2375 +0x1d6
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.serverHandler.ServeHTTP(0xc0002f5790, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:2774 +0xa8
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.initNPNRequest.ServeHTTP(0xc0004a2380, 0xc0002f5790, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:3323 +0x8d
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.(*http2serverConn).runHandler(0xc00050c780, 0xc0000c8078, 0xc00015ed00, 0xc00034acc0)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/h2_bundle.go:5688 +0x89
kritis-validation-hook-685b4bc677-kjfdt kritis-server created by net/http.(*http2serverConn).processHeaders
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/h2_bundle.go:5422 +0x4f4
@liuplgtm

liuplgtm commented May 15, 2020

Hi @julianvmodesto,
it looks like there are internal checks that expect ":" in your input.
Can you log the execution to check it?
I do not have the code to reproduce the issue.

Please see the following call stack:

func isValidImageOnGCR(containerImage string) bool {

func ParseReference(s string, strict Strictness) (Reference, error) {

parts := strings.Split(name, tagDelim)

@julianvmodesto
Author

Whoops, yeah I misread this error... it seems like I'm seeing the panic for a completely different reason related to a PGP policy.

@liuplgtm

If it fails the check that the input should have ":", the PGP-related fingerprint may not be generated, which leads to the nil dereference. Can you log the run to see if the check fails?
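
The failure class visible in the trace above (a nil pointer dereference inside `(*PgpKey).Fingerprint`, raised in an HTTP/2 handler and surfacing to `kubectl` as `INTERNAL_ERROR`), as an added Go example that is not part of this thread or of the kritis code base. `pgpKey`, `verdict`, `denyOnPanic` and `review` are hypothetical names, and `verdict` is a simplified stand-in for the real admission response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type pgpKey struct{ fp [20]byte } // hypothetical stand-in, not the kritis type

// fingerprint checks the receiver first and returns an error instead of panicking.
func (k *pgpKey) fingerprint() (string, error) {
	if k == nil {
		return "", fmt.Errorf("no key loaded")
	}
	return fmt.Sprintf("%X", k.fp), nil
}

// unsafeFingerprint dereferences a possibly nil receiver, the failure class in the trace.
func (k *pgpKey) unsafeFingerprint() string { return fmt.Sprintf("%X", k.fp) }

type verdict struct{ Allowed bool; Message string } // simplified, not the AdmissionReview schema

// denyOnPanic turns a handler panic into an explicit deny instead of a reset stream.
func denyOnPanic(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				json.NewEncoder(w).Encode(verdict{Allowed: false, Message: fmt.Sprint("internal error: ", rec)})
			}
		}()
		next(w, r)
	}
}

// review sends one constructed request through h and decodes the verdict.
func review(h http.HandlerFunc) (verdict, error) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/", nil))
	var v verdict
	err := json.NewDecoder(rec.Body).Decode(&v)
	return v, err
}

func main() {
	var k *pgpKey // constructed input: a key that failed to load
	v, err := review(denyOnPanic(func(http.ResponseWriter, *http.Request) { k.unsafeFingerprint() }))
	fmt.Println(v, err)
}
```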
