I configured a "static" authorities but nothing help, is there anything wrong? #888

Open
yxxchange opened this issue Jul 10, 2023 · 3 comments
Labels
question Further information is requested

Comments

@yxxchange

Question

The relevant YAML configuration that I have set up is shown below.
CIP yaml:

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-policy
spec:
  images:
    - glob: "registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test:**"
  authorities:
    - static:
        action: pass

deployment yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sigstore-test-deployment
  namespace: sigstore-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sigstore-test
  template:
    metadata:
      labels:
        app: sigstore-test
    spec:
      containers:
      - name: sigstore-test-01
        image: registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test:v0.1
        imagePullPolicy: Always
        ports:
        - containerPort: 80

But I can't apply the deployment.yaml; the webhook prevented this action. The error is the following:

Error from server (BadRequest): error when creating "deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: no matching policies: spec.template.spec.containers[0].image
registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test@sha256:a094484855793fcb7ba16ad83816ca0fdfdf97f532a9a076b5b62fe6eda26136

How can I solve this problem?

@hectorj2f
Collaborator

@ElonMuskkkkkk Try using glob: "registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test**" instead.

@yxxchange
Author

> @ElonMuskkkkkk Try using glob: "registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test**" instead.

Based on my recent test, it seems that the image field in the CIP YAML can only be specified to a particular image but not to the image version. When I don't use a wildcard match and write the full image name and version together, it still fails. It's only when I remove the image version that I can use it properly.

@hectorj2f
Collaborator

@ElonMuskkkkkk If you specify the tag, that won't match the final mutated image tag, which is registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test@sha256:a094484855793fcb7ba16ad83816ca0fdfdf97f532a9a076b5b62fe6eda26136. You could use registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test@sha256:a094484855793fcb7ba16ad83816ca0fdfdf97f532a9a076b5b62fe6eda26136 as part of the glob pattern if you really want to match a specific image digest. Or you could use image digests that include the image version.
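
Why the `:**` glob is rejected while the tag-less one is accepted, as an added example (not code from the policy-controller project or from either commenter): a simplified Go model of glob matching, run against the tag reference from the Deployment and the digest reference shown in the webhook error. It assumes `**` matches any characters and `*` matches any characters except `/`; `globMatches`, `globToRegexp` and the constants are names made up for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	repo = "registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test"
	// Reference as written in the Deployment manifest.
	tagRef = repo + ":v0.1"
	// Reference the webhook reports after resolving the tag (from the error above).
	digestRef = repo + "@sha256:a094484855793fcb7ba16ad83816ca0fdfdf97f532a9a076b5b62fe6eda26136"
)

// globToRegexp models the assumed glob rules: "**" matches any characters,
// "*" matches any characters except "/", everything else is literal.
func globToRegexp(glob string) *regexp.Regexp {
	q := regexp.QuoteMeta(glob) // "*" becomes `\*`, "." becomes `\.`
	q = strings.ReplaceAll(q, `\*\*`, `.*`)
	q = strings.ReplaceAll(q, `\*`, `[^/]*`)
	return regexp.MustCompile("^" + q + "$")
}

// globMatches reports whether the whole image reference matches the glob.
func globMatches(glob, ref string) bool {
	return globToRegexp(glob).MatchString(ref)
}

func main() {
	globs := []string{
		repo + ":**", // glob from the ClusterImagePolicy in the question
		repo + "**",  // glob suggested in the first reply
		digestRef,    // exact digest, as suggested in the last reply
	}
	for _, g := range globs {
		// The policy is evaluated against the digest form, so only the
		// second column decides whether "no matching policies" is returned.
		fmt.Printf("%-120s tag=%-5v digest=%v\n",
			g, globMatches(g, tagRef), globMatches(g, digestRef))
	}
}
```

The first glob requires a literal `:` straight after the repository name, but the resolved reference has `@` there, so no policy matches even though the manifest's tag form would.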
