grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0

Resolve-tags gives UNAUTHORIZED #366

Open steakunderscore opened 5 years ago

steakunderscore commented 5 years ago

Expected Behaviour

I have an image in a private registry gcr.io/some-project/foo:v1.0.0, how can I get resolve-tags to resolve the image tag to digest?

There's reference to this issue in docs/tutorial.md. But it has been left as a TODO.

Actual Behavior

Currently trying to call resolve-tags with a k8s config including the private image fails giving the error:

Error: unable to resolve: Digest(gcr.io/private-project/foo:v1.0.0): UNAUTHORIZED: "You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"

Steps to Reproduce the Problem

Where gcr.io/private-project/foo:v1.0.0 is an image in a registry which is private.

  1. cat /tmp/test.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        app: test
    spec:
      containers:
      - image: gcr.io/private-project/foo:v1.0.0
        name: foo
  2. make ./out/resolve-tags
    mkdir -p ./out
    GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "" -tags "" -o out/resolve-tags-linux-amd64 github.com/grafeas/kritis/cmd/kritis/kubectl/plugins/resolve
    cp ./out/resolve-tags-linux-amd64 out/resolve-tags
  3. ./out/resolve-tags -f /tmp/test.yaml
    Error: unable to resolve: Digest(gcr.io/private-project/foo:v1.0.0): UNAUTHORIZED: "You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"

Additional info

Note that I have replaced my actual project and image name.

aysylu commented 5 years ago

Hi @steakunderscore, thanks for filing the issue. Would you be interested in driving the fix? Happy to review the PR and discuss any questions that might come up.

steakunderscore commented 5 years ago

Hi @aysylu, sure thing. I should have time to get to this coming week. I was looking at how crane works in the same regard. I think I'll use it as inspiration.

aysylu commented 5 years ago

@steakunderscore perfect, looking forward to your contribution! Could you please clarify which part of crane you're specifically interested in adopting?

steakunderscore commented 5 years ago

I was specifically thinking about crane digest which does almost exactly what resolve-tags does, however seems to try using the ~/.docker/config before falling back to unauthenticated access to the registry. Should be a couple of lines of code changed, plus some better docs.

sharkannon commented 5 years ago

Do you guys know a workaround for this? I'm working on implementing Kritis/BinAuthz in GCP and w/out this tool it makes things a lot more difficult (having the same problem).

andyroyle commented 4 years ago

I stumbled across this recently when trying to get the plugin to work using a private registry. According to the docs for the authn package in go-containerregistry it should be pretty simple, but y'know, famous last words.

I'll be poking about this week to see if I can get it working.

ooq commented 4 years ago

That would be great! @andyroyle