Automatically allow images for allowed extensions to be pulled #4926
Then the names should not be added.
Yes, the images are added without tags to the Allowed Images list. The current proxy mechanism for filtering doesn't allow us to implement filtering by tag because it requires access to the actual data (manifests) and not just the URLs. Current filtering just adds redirects based on the URL.
I would hope not, but we can point it out in the documentation. If they trust the image to be allowed as an extension (where they can execute arbitrary code on the host), why would they want to block the user from running the image as a container?
Just to be explicit: The allowed extensions would be added ephemerally when writing the nginx config file. They would not be added to the Allowed Images preference setting, so would not show up in the dialog, and would not be written to
Imagine an extension, Completely separate: extensions can run containers, using arbitrary images (not just the extension image). Or they can come with a compose file, which again supports arbitrary images. What should happen in that case?
Yes, but there is no way around this. There are limits as to what you can do in filtering pull requests. The mechanism is to avoid accidental policy violations. You can't stop a malicious user this way, who could always download an image as a tarball to the host and install it with
The images would still be subject to the Allowed Images list. This actually illustrates one benefit of the Allowed Images list: it prevents accidental indirect installation of images from unapproved locations. It also helps with Helm charts that might request an image from a source you did not anticipate.
I don't know if this has been implemented: every allowed extension must internally also be added to the allowed images list, if allowed image checking has been enabled as well.
Originally posted by @jandubois in #4655 (comment)