github / policy-controller

Temporary GitHub managed Sigstore Policy Controller fork
Apache License 2.0

no bundle found in referrers #179

Open julien-michaud opened 1 month ago

julien-michaud commented 1 month ago

Hello 👋

We are signing our docker images with the actions/attest-build-provenance@v1 Action.

We are trying to use the controller from this repository to verify images in our k8s clusters but we are having this issue when submitting new pods:

Error from server (BadRequest): error when creating "pod.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: github-policy: spec.template.spec.containers[0].image europe-docker.pkg.dev/project/company-prod/kube/mp/tiny-developer-tools@sha256:abd5c78061356d3f9b14475a1afd11c68baf6c89c03a036b442ef7d520556fcd no bundle found in referrers

Is the problem on my end?

Snippet of the workflow creating, pushing and signing the image:

      - name: Build Docker image
        id: image-results
        if: ${{ !inputs.dry-run }}
        uses: docker/build-push-action@v6
        with:
          context: .
          file: production/kubernetes/marketplace/containers/jre/Dockerfile
          pull: true
          push: true
          platforms: linux/amd64
          tags: ${{ env.REGISTRY }}/${{ steps.cleaned-artifact-name.outputs.ARTIFACT_CLEANED }}:${{ inputs.version }}
          build-args: |
            MIRAKL_VERSION=${{ inputs.version }}
            EXTRA_PACKAGES=${{ inputs.kubernetes-build-extra-packages }}
            BASE_IMAGE=jre${{ steps.java-major.outputs.JAVA_MAJOR_VERSION }}
            BASE_IMAGE_VERSION=stable

      # attest image
      - uses: actions/attest-build-provenance@v1
        if: ${{ !inputs.dry-run }}
        with:
          subject-digest: ${{steps.image-results.outputs.digest}}
          subject-name: '${{ env.REGISTRY }}/${{ steps.cleaned-artifact-name.outputs.ARTIFACT_CLEANED }}'
          push-to-registry: true

Thanks

Probably related to this issue: https://github.com/sigstore/policy-controller/issues/1406

codysoyland commented 1 week ago

Hi @julien-michaud! Thank you for the report. I'm sorry for the delayed response. I don't see anything obviously wrong with your configuration, so I'd like to gather a bit more information to assess the problem.

Could you please confirm that you've followed the instructions here to install the latest version of the two helm charts (policy-controller and trust-policies)?

Do you have logs from your GitHub Actions workflow run that indicate that the attestation was successfully pushed to your registry? And can you verify that the image digest in the actions run matches the digest that you are running in Kubernetes?
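An added check for the two questions in the reply above (example code, not part of this thread or of the policy-controller project): it builds the OCI referrers URL for the digest quoted in the admission error, looks for a Sigstore bundle among the referrers, and compares the digest the workflow attested with the one the pod runs. The artifactType strings and the bearer-token handling are assumptions; confirm them against what your registry returns.

```python
import json
import re
from urllib.request import Request, urlopen

# artifactType values a Sigstore bundle referrer may carry (assumed; confirm
# against what your registry actually returns for the attested image).
SIGSTORE_BUNDLE_TYPES = {
    "application/vnd.dev.sigstore.bundle.v0.3+json",
    "application/vnd.dev.sigstore.bundle+json;version=0.3",
}

# registry/repository@sha256:<64 hex>, the form the admission error quotes
IMAGE_REF = re.compile(r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)@(?P<digest>sha256:[0-9a-f]{64})$")

def parse_image_ref(ref):
    """Split an immutable image reference into (registry, repository, digest)."""
    m = IMAGE_REF.match(ref)
    if not m:
        raise ValueError(f"expected registry/repo@sha256:<hex>, got {ref!r}")
    return m.group("registry"), m.group("repo"), m.group("digest")

def referrers_url(ref):
    """OCI distribution referrers endpoint for the image's digest."""
    registry, repo, digest = parse_image_ref(ref)
    return f"https://{registry}/v2/{repo}/referrers/{digest}"

def find_bundles(index):
    """Manifests in a referrers index whose artifactType is a Sigstore bundle."""
    return [m for m in index.get("manifests", [])
            if m.get("artifactType") in SIGSTORE_BUNDLE_TYPES]

def diagnose(ref, index, workflow_digest):
    """Digest attested by the workflow vs. digest the pod runs, then bundle presence."""
    _, _, pod_digest = parse_image_ref(ref)
    if workflow_digest != pod_digest:
        return "digest-mismatch: the attestation was made for a different image"
    if not find_bundles(index):
        return "no-bundle: nothing with a Sigstore artifactType in referrers"
    return "ok: bundle present for the running digest"

def fetch_referrers(ref, token=None):
    """Live query; needs network and, for private registries, a bearer token."""
    req = Request(referrers_url(ref),
                  headers={"Accept": "application/vnd.oci.image.index.v1+json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urlopen(req) as resp:
        return json.load(resp)
```

Run `diagnose(image, fetch_referrers(image, token), digest_from_workflow_log)` with the digest printed by the actions run; a registry that does not implement the referrers API returns 404 here, which is itself a useful finding.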