genpolicy: support insecure registries and hermetic environments #9008
Comments
Looking at the configuration options of oci-distribution, this use case seems expected - we could do
diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
index 6009dad6e..2ac31b7e9 100644
--- a/src/tools/genpolicy/src/registry.rs
+++ b/src/tools/genpolicy/src/registry.rs
@@ -13,7 +13,7 @@ use anyhow::{anyhow, bail, Result};
use docker_credential::{CredentialRetrievalError, DockerCredential};
use log::warn;
use log::{debug, info, LevelFilter};
-use oci_distribution::client::{linux_amd64_resolver, ClientConfig};
+use oci_distribution::client::{linux_amd64_resolver, ClientConfig, ClientProtocol};
use oci_distribution::{manifest, secrets::RegistryAuth, Client, Reference};
use serde::{Deserialize, Serialize};
use sha2::{digest::typenum::Unsigned, digest::OutputSizeUser, Sha256};
@@ -62,13 +62,14 @@ pub struct ImageLayer {
}
impl Container {
- pub async fn new(use_cached_files: bool, image: &str) -> Result<Self> {
+ pub async fn new(use_cached_files: bool, insecure_registries: Vec<String>, image: &str) -> Result<Self> {
info!("============================================");
info!("Pulling manifest and config for {:?}", image);
let reference: Reference = image.to_string().parse().unwrap();
let auth = build_auth(&reference);
let mut client = Client::new(ClientConfig {
+ protocol: ClientProtocol::HttpsExcept(insecure_registries),
platform_resolver: Some(Box::new(linux_amd64_resolver)),
..Default::default()
});
However, this additional argument would need to be added to quite a few intermediate function calls. Maybe we could pass a config struct with both
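Review bot: `protocol: ClientProtocol::HttpsExcept(insecure_registries)` disables TLS for every registry on the list, so the guard belongs at the flag-parsing boundary rather than here: the issue scopes this to localhost, so non-loopback entries should be rejected, or at least flagged with `warn!` (already imported in this file), before they reach `Container::new`, and a warning at this point when the registry being pulled from is on the list would make the plain-HTTP pull visible in CI output. Two smaller points: `HttpsExcept` compares the reference's registry string as-is, so `localhost` and `localhost:5000` are distinct entries and the flag documentation should say to include the port; and taking `Vec<String>` by value forces every intermediate caller to move or clone it, which `&[String]` (or the config struct proposed above) avoids. The `.parse().unwrap()` on the reference a few lines above is pre-existing, but since the image string is user input this would be a good moment to turn it into an error with `?`.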
I found another source of problems when using
I agree. We're in the process of adding CI test coverage for genpolicy in the main branch - e.g., see #8922. As we work through these tests, we uncover and address these kinds of dark corners.
genpolicy is a handy tool to use in CI systems, to prepare workloads before applying them to the Kubernetes API server. However, many modern build systems like Bazel or Nix restrict network access, and rightfully so, so any registry interaction must take place on localhost. Configuring certificates for localhost is tricky at best, and since there are no privacy concerns for localhost traffic, genpolicy should allow contacting some registries insecurely. As this is a runtime environment detail, not a target environment detail, configuring insecure registries does not belong in the JSON settings, so it's implemented as command line flags.
Fixes: kata-containers#9008
Signed-off-by: Markus Rudy <webmaster@burgerdev.de>
Which feature do you think can be improved?
Policy generation with genpolicy. Specifically, image pulling for dm-verity calculation.
How can it be improved?
Add support for insecure registries, at least local ones. Many build systems restrict network access for security and reproducibility, and hermetic build rules are encouraged (e.g. Bazel, Nix). Local insecure registries would be an option for this use case, and they are supported by OCI tooling like docker, podman, crane, skopeo.
Additional Information
What I'm trying to do:
Error message:
Before raising this enhancement request
Have you looked at the limitations document?
Yes, I did not find a relevant limitation.
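The scoping the request asks for ("at least local ones") can be enforced where the flag is parsed, before any pull happens. The following is an added example, not genpolicy's code: it extracts the registry from an image reference, accepts insecure entries only for loopback hosts, and mirrors the exact-match semantics of oci-distribution's `HttpsExcept`; `registry_of`, `is_loopback_host`, `validate_insecure_registries` and `scheme_for` are names chosen here.

```rust
// Added example, not genpolicy's code: honour an insecure-registry allow-list
// (the flag proposed in this issue) only for loopback hosts.
use std::collections::HashSet;
use std::net::IpAddr;

#[derive(Debug, PartialEq)]
pub enum Scheme { Https, Http }

/// Registry of an image reference (docker rule: the first segment is a registry only if it is "localhost" or has '.' or ':').
pub fn registry_of(reference: &str) -> String {
    match reference.split_once('/') {
        Some((r, _)) if r == "localhost" || r.contains('.') || r.contains(':') => r.to_string(),
        _ => "docker.io".to_string(),
    }
}

/// Host (port and IPv6 brackets stripped) is "localhost", 127.0.0.0/8 or ::1.
pub fn is_loopback_host(registry: &str) -> bool {
    let host = match registry.strip_prefix('[') {
        Some(rest) => rest.split(']').next().unwrap_or(""),
        None => registry.rsplit_once(':').map_or(registry, |(h, _)| h),
    };
    host == "localhost" || host.parse::<IpAddr>().map_or(false, |ip| ip.is_loopback())
}

/// Validate the allow-list at flag-parsing time, before any pull happens.
pub fn validate_insecure_registries(entries: &[&str]) -> Result<HashSet<String>, String> {
    let mut allowed = HashSet::new();
    for e in entries {
        if !is_loopback_host(e) {
            return Err(format!("refusing non-loopback insecure registry {}", e));
        }
        allowed.insert(e.to_string());
    }
    Ok(allowed)
}

/// Exact match like HttpsExcept: "localhost" and "localhost:5000" are distinct entries.
pub fn scheme_for(registry: &str, allowed: &HashSet<String>) -> Scheme {
    if allowed.contains(registry) { Scheme::Http } else { Scheme::Https }
}

fn main() {
    let allowed = validate_insecure_registries(&["localhost:5000", "[::1]:5000"]).unwrap();
    for image in ["localhost:5000/app:1.0", "localhost/app:1.0", "nginx:latest"] {
        let reg = registry_of(image);
        println!("{} -> {} over {:?}", image, reg, scheme_for(&reg, &allowed));
    }
}
```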