Description
Hello 👋
We are signing our Docker images with the actions/attest-build-provenance@v1 Action.
We are trying to use the controller from this repository to verify images in our k8s clusters, but we are having this issue when submitting new pods:
```
Error from server (BadRequest): error when creating "pod.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: github-policy: spec.template.spec.containers[0].image europe-docker.pkg.dev/project/company-prod/kube/mp/tiny-developer-tools@sha256:abd5c78061356d3f9b14475a1afd11c68baf6c89c03a036b442ef7d520556fcd no bundle found in referrers
```
Is the problem on my end?
Snippet of the workflow creating, pushing and signing the image:
```yaml
- name: Build Docker image
  id: image-results
  if: ${{ !inputs.dry-run }}
  uses: docker/build-push-action@v6
  with:
    context: .
    file: production/kubernetes/marketplace/containers/jre/Dockerfile
    pull: true
    push: true
    platforms: linux/amd64
    tags: ${{ env.REGISTRY }}/${{ steps.cleaned-artifact-name.outputs.ARTIFACT_CLEANED }}:${{ inputs.version }}
    build-args: |
      MIRAKL_VERSION=${{ inputs.version }}
      EXTRA_PACKAGES=${{ inputs.kubernetes-build-extra-packages }}
      BASE_IMAGE=jre${{ steps.java-major.outputs.JAVA_MAJOR_VERSION }}
      BASE_IMAGE_VERSION=stable
# attest image
- uses: actions/attest-build-provenance@v1
  if: ${{ !inputs.dry-run }}
  with:
    subject-digest: ${{steps.image-results.outputs.digest}}
    subject-name: '${{ env.REGISTRY }}/${{ steps.cleaned-artifact-name.outputs.ARTIFACT_CLEANED }}'
    push-to-registry: true
```
Thanks
Probably related to this issue: sigstore/policy-controller#1406