IBM / portieris

A Kubernetes Admission Controller for verifying image trust.
Apache License 2.0

trust policy denied for various quay.io images #131

Open jeffhoek opened 4 years ago

jeffhoek commented 4 years ago

What commit ID of Portieris did you experience the problem with?

master branch (4311d26)

What went wrong?

Portieris logs indicate several managed images from quay.io/openshift-release-dev/* are being denied in several openshift-* namespaces. The cluster is still operational, but over time may become unstable due to these managed images being unable to update.

What should have happened differently?

Portieris logs should be free of Deny on images which are part of the managed service.

How can it be reproduced?

Install Portieris and inspect the logs.

helm upgrade --install portieris --set namespace=portieris helm/portieris
oc logs deployment.apps/portieris

Any other relevant information

Environment is IBM managed OpenShift 4.3 (ROKS).

I0619 13:27:47.151648       1 controller.go:65] Processing admission request for UPDATE on cluster-node-tuning-operator
I0619 13:27:47.162482       1 controller.go:111] Getting policy for container image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:469b7e1f07d0f9b6fbf792a9b7582122cfee315f44cee6ba6ea6c1c46b19f0d0   namespace: openshift-cluster-node-tuning-operator
E0619 13:27:47.191509       1 controller.go:174] Secret cluster-node-tuning-operator-dockercfg-4mzpp not defined for registry: quay.io
I0619 13:27:47.191533       1 controller.go:191] policy.Simple {[]  }
E0619 13:27:47.191548       1 responder.go:87] trust: policy denied the request: Deny "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:469b7e1f07d0f9b6fbf792a9b7582122cfee315f44cee6ba6ea6c1c46b19f0d0", no valid ImagePullSecret defined for quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:469b7e1f07d0f9b6fbf792a9b7582122cfee315f44cee6ba6ea6c1c46b19f0d0
I0619 13:27:47.191555       1 controller.go:150] Deny
I0619 13:27:50.892149       1 controller.go:65] Processing admission request for UPDATE on openshift-service-catalog-controller-manager-operator
I0619 13:27:50.902123       1 controller.go:111] Getting policy for container image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3822b76b6f849a12bd0736e8b7bf54d0b372aab627ce4a3cd4e986ab245b52ec   namespace: openshift-service-catalog-controller-manager-operator
E0619 13:27:50.937888       1 controller.go:174] Secret openshift-service-catalog-controller-m-467fb4d3-dockercfg-d26rb not defined for registry: quay.io
I0619 13:27:50.937925       1 controller.go:191] policy.Simple {[]  }
E0619 13:27:50.937944       1 responder.go:87] trust: policy denied the request: Deny "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3822b76b6f849a12bd0736e8b7bf54d0b372aab627ce4a3cd4e986ab245b52ec", no valid ImagePullSecret defined for quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3822b76b6f849a12bd0736e8b7bf54d0b372aab627ce4a3cd4e986ab245b52ec
I0619 13:27:50.937953       1 controller.go:150] Deny
I0619 13:27:51.626686       1 controller.go:65] Processing admission request for UPDATE on prometheus-operator
I0619 13:27:51.638030       1 controller.go:111] Getting policy for container image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6e5790607bce798d18473cad8aa18cbc16bf425451d33f05a990da1a8e569ed9   namespace: openshift-monitoring
E0619 13:27:51.670806       1 controller.go:174] Secret prometheus-operator-dockercfg-f9lj7 not defined for registry: quay.io
I0619 13:27:51.670830       1 controller.go:191] policy.Simple {[]  }
...

After running Portieris for ~24 hours the logs indicate the following namespaces are affected:

openshift-cluster-node-tuning-operator
openshift-cluster-samples-operator
openshift-cluster-storage-operator
openshift-console-operator
openshift-image-registry
openshift-ingress
openshift-ingress-operator
openshift-marketplace
openshift-monitoring
openshift-operator-lifecycle-manager
openshift-service-catalog-apiserver-operator
openshift-service-catalog-controller-manager-operator

In order to fix this, we may need another entry in the ClusterImagePolicy:

    - name: "quay.io/openshift-release-dev/*"
      policy:
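
As an added example (not code from the Portieris project or from the reporter), a small Python triage script that pairs each `Getting policy for container image` line with the `Deny` verdict for the same image, lists the namespaces affected and collapses the denied repositories to the `registry/org/*` wildcard form that the proposed ClusterImagePolicy entry uses. The embedded log lines are copied from the excerpt above; the third request is cut off before its verdict, as in the report, and is therefore not counted.

```python
import re

# Portieris log lines copied from the issue report; the last request has no verdict in the excerpt.
SAMPLE_LOG = """\
I0619 13:27:47.162482       1 controller.go:111] Getting policy for container image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:469b7e1f07d0f9b6fbf792a9b7582122cfee315f44cee6ba6ea6c1c46b19f0d0   namespace: openshift-cluster-node-tuning-operator
E0619 13:27:47.191548       1 responder.go:87] trust: policy denied the request: Deny "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:469b7e1f07d0f9b6fbf792a9b7582122cfee315f44cee6ba6ea6c1c46b19f0d0", no valid ImagePullSecret defined for quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:469b7e1f07d0f9b6fbf792a9b7582122cfee315f44cee6ba6ea6c1c46b19f0d0
I0619 13:27:50.902123       1 controller.go:111] Getting policy for container image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3822b76b6f849a12bd0736e8b7bf54d0b372aab627ce4a3cd4e986ab245b52ec   namespace: openshift-service-catalog-controller-manager-operator
E0619 13:27:50.937944       1 responder.go:87] trust: policy denied the request: Deny "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3822b76b6f849a12bd0736e8b7bf54d0b372aab627ce4a3cd4e986ab245b52ec", no valid ImagePullSecret defined for quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3822b76b6f849a12bd0736e8b7bf54d0b372aab627ce4a3cd4e986ab245b52ec
I0619 13:27:51.638030       1 controller.go:111] Getting policy for container image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6e5790607bce798d18473cad8aa18cbc16bf425451d33f05a990da1a8e569ed9   namespace: openshift-monitoring
"""

POLICY_RE = re.compile(r"Getting policy for container image: (\S+)\s+namespace: (\S+)")
DENY_RE = re.compile(r'policy denied the request: Deny "([^"]+)", (.*)$')

def parse_denials(log_text):
    """Return (namespace, image, reason) for every request that ended in a Deny verdict."""
    pending = {}   # image -> namespace of the admission request currently being evaluated
    denials = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = DENY_RE.search(line)
        if m and m.group(1) in pending:
            denials.append((pending.pop(m.group(1)), m.group(1), m.group(2)))
    return denials   # requests still in `pending` never got a verdict in this log and are skipped

def affected_namespaces(denials):
    return sorted({ns for ns, _, _ in denials})

def repo_without_digest(image):
    # "reg/org/repo@sha256:..." or "reg/org/repo:tag" -> "reg/org/repo"; the registry may carry a :port
    repo = image.split("@", 1)[0]
    head, _, last = repo.rpartition("/")
    return f"{head}/{last.split(':', 1)[0]}" if head else last.split(":", 1)[0]

def suggested_policy_names(denials):
    """Collapse denied repositories to registry/org/* wildcards, the granularity the report proposes."""
    names = set()
    for _, image, _ in denials:
        repo = repo_without_digest(image)
        parts = repo.split("/")
        names.add("/".join(parts[:-1]) + "/*" if len(parts) > 2 else repo)
    return sorted(names)

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(affected_namespaces(found), suggested_policy_names(found))
```

Feed it the full `oc logs deployment.apps/portieris` output to get the namespace list the report compiled by hand after 24 hours, and the wildcard names give the `name:` values a ClusterImagePolicy entry would need.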

sjhx commented 4 years ago

Hi Jeff, I think this PR will make your change (which is on your fork?) redundant.