failed to get trust policy: no policy found for reference when scope matching with image:tag #1460

Open
1 task
susanshi opened this issue May 9, 2024 · 3 comments

Comments

@susanshi
Collaborator

susanshi commented May 9, 2024

What happened in your environment?

Following this doc, https://github.com/deislabs/ratify-web/blob/e0d548665d273502be477559d10fc02911348c51/docs/plugins/Verifier/cosign.md#trust-policy

I specified an image:tag as the scope of the cosign trust policy; however, since the image to deploy has mutated to the digest, the verifier was not able to find a trust policy that matches image:tag.

Error: Detail: failed to get trust policy: no policy found for reference

What did you expect to happen?

No response

What version of Kubernetes are you running?

No response

What version of Ratify are you running?

No response

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this bug fix?

  • Yes, I am willing to implement it.
@susanshi susanshi added bug Something isn't working triage Needs investigation labels May 9, 2024
@susanshi
Collaborator Author

susanshi commented May 9, 2024

@akashsinghal, does the notation trust policy have the same limitation?
For now, we can update the doc to make sure customers are redirected to use the digest, or specify a wildcard for scope matching.

@susanshi susanshi changed the title https://github.com/deislabs/ratify-web/blob/e0d548665d273502be477559d10fc02911348c51/docs/plugins/Verifier/cosign.md#trust-policy failed to get trust policy: no policy found for reference when scope matching with image:tag May 9, 2024
@binbin-li
Collaborator

binbin-li commented May 9, 2024

> @akashsinghal, does the notation trust policy have the same limitation? For now, we can update the doc to make sure customers are redirected to use the digest, or specify a wildcard for scope matching.

In terms of the notation spec on trust policy, the scope can be either * or a path to a repo, so it will not have the issue of parsing an image tag to a digest.

https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#oci-trust-policy-constraints

@akashsinghal akashsinghal self-assigned this May 13, 2024
@akashsinghal
Collaborator

I've added a note in the documentation about this behavior. At this point, I think that's all that we will support.
