panic when an image name is formatted with unspecified tag or digest

[julianvmodesto]

Expected Behavior

I expect for a Pod with a specified image without any tag or digest specified to be validated, such as gcr.io/my-project/nginx (as opposed to gcr.io/my-project/nginx:latest).

Actual Behavior

I receive the following error:

$ kubectl apply -f app.yaml
Error from server (InternalError): error when creating "resolve.yaml": Internal error occurred: failed calling webhook "kritis-validation-hook.grafeas.io": Post https://kritis-validation-hook.default.svc:443/?timeout=30s: stream error: stream ID 1; INTERNAL_ERROR

This issue is similar to: #82

Steps to Reproduce the Problem

Apply an image without any tag or digest specified, such as gcr.io/my-project/nginx

Additional info

Panic:

kritis-validation-hook-685b4bc677-kjfdt kritis-server 2020/05/14 21:20:59 http2: panic serving 172.16.17.10:45338: runtime error: invalid memory address or nil pointer dereference
kritis-validation-hook-685b4bc677-kjfdt kritis-server goroutine 822 [running]:
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.(*http2serverConn).runHandler.func1(0xc0000c8078, 0xc000527faf, 0xc00050c780)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/h2_bundle.go:5681 +0x16b
kritis-validation-hook-685b4bc677-kjfdt kritis-server panic(0x123a460, 0x212e600)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/runtime/panic.go:522 +0x1b5
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/secrets.(*PgpKey).Fingerprint(...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/secrets/pgpkey.go:69
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/secrets.KeyAndFingerprint(0x0, 0x0, 0x472552, 0x3, 0x409e13, 0xc000526560, 0x47214a, 0xc0001bf980)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/secrets/pgpkey.go:127 +0x10b
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/review.(*AttestorValidatingTransport).GetValidatedAttestations(0xc000107340, 0xc000599580, 0x19, 0xc00042e240, 0x14, 0x13c87e6, 0x11, 0x13be9c0)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/review/validating_transport.go:44 +0xaf
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/review.Reviewer.findUnsatisfiedAuths(0xc00044e540, 0xc000599580, 0x19, 0xc000106840, 0x1, 0x1, 0x159f640, 0xc00044e390, 0x0, 0xc00026c320, ...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/review/review.go:149 +0x203
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/review.Reviewer.ReviewGAP(0xc00044e540, 0xc00063a190, 0x1, 0x1, 0xc00014c000, 0x1, 0x1, 0xc000236380, 0x159f640, 0xc00044e390, ...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/review/review.go:77 +0x24c
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.reviewGenericAttestationPolicy(0xc00063a190, 0x1, 0x1, 0xc00054c6d0, 0x7, 0xc000236380, 0xc000626480, 0xc00014c000, 0x1, 0x1, ...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:318 +0x2b5
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.reviewImages(0xc00063a190, 0x1, 0x1, 0xc00054c6d0, 0x7, 0xc000236380, 0xc000626480, 0xc000458a50)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:270 +0x849
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.reviewPod(0xc000236380, 0xc000626480, 0xc000458a50)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:336 +0x1f1
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.handlePod(0xc000626390, 0xc000626480, 0xc000458a50, 0xc000598601, 0x18)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:138 +0x148
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.ReviewHandler(0x15aca00, 0xc0000c8078, 0xc00015ed00, 0xc000458a50)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:213 +0x391
kritis-validation-hook-685b4bc677-kjfdt kritis-server main.main.func1(0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/cmd/kritis/admission/main.go:138 +0x48
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.HandlerFunc.ServeHTTP(0xc0003963b0, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:1995 +0x44
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.(*ServeMux).ServeHTTP(0x21479a0, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:2375 +0x1d6
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.serverHandler.ServeHTTP(0xc0002f5790, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:2774 +0xa8
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.initNPNRequest.ServeHTTP(0xc0004a2380, 0xc0002f5790, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:3323 +0x8d
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.(*http2serverConn).runHandler(0xc00050c780, 0xc0000c8078, 0xc00015ed00, 0xc00034acc0)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/h2_bundle.go:5688 +0x89
kritis-validation-hook-685b4bc677-kjfdt kritis-server created by net/http.(*http2serverConn).processHeaders
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/h2_bundle.go:5422 +0x4f4

[liuplgtm]

hi, @julianvmodesto
looks like there are internal checks that expect ":" in your input,
can you log the execution to check it?
I do not have the code to reproduce the issue.

please see the following call stack:

kritis/pkg/kritis/metadata/containeranalysis/containeranalysis.go

Line 171 in a50de65

func isValidImageOnGCR(containerImage string) bool {

kritis/vendor/github.com/google/go-containerregistry/pkg/name/ref.go

Line 41 in a50de65

func ParseReference(s string, strict Strictness) (Reference, error) {

kritis/vendor/github.com/google/go-containerregistry/pkg/name/tag.go

Line 79 in a50de65

parts := strings.Split(name, tagDelim)

[julianvmodesto]

Whoops, yeah I misread this error... it seems like I'm seeing the panic for a completely different reason related to a PGP policy.

[liuplgtm]

if it fails the check that the input should have ":", the PGP related fingerprint may not be generated, which leads to the nil dereference. Can you log the run to see if the check fails,