grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0

panic when an image name is formatted with unspecified tag or digest #508

Open julianvmodesto opened 4 years ago

julianvmodesto commented 4 years ago

Expected Behavior

I expect a Pod whose image is specified without any tag or digest, such as gcr.io/my-project/nginx (as opposed to gcr.io/my-project/nginx:latest), to be validated.

Actual Behavior

I receive the following error:

$ kubectl apply -f app.yaml
Error from server (InternalError): error when creating "resolve.yaml": Internal error occurred: failed calling webhook "kritis-validation-hook.grafeas.io": Post https://kritis-validation-hook.default.svc:443/?timeout=30s: stream error: stream ID 1; INTERNAL_ERROR

This issue is similar to: https://github.com/grafeas/kritis/issues/82

Steps to Reproduce the Problem

Apply an image without any tag or digest specified, such as gcr.io/my-project/nginx

Additional info

Panic:

kritis-validation-hook-685b4bc677-kjfdt kritis-server 2020/05/14 21:20:59 http2: panic serving 172.16.17.10:45338: runtime error: invalid memory address or nil pointer dereference
kritis-validation-hook-685b4bc677-kjfdt kritis-server goroutine 822 [running]:
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.(*http2serverConn).runHandler.func1(0xc0000c8078, 0xc000527faf, 0xc00050c780)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/h2_bundle.go:5681 +0x16b
kritis-validation-hook-685b4bc677-kjfdt kritis-server panic(0x123a460, 0x212e600)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/runtime/panic.go:522 +0x1b5
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/secrets.(*PgpKey).Fingerprint(...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/secrets/pgpkey.go:69
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/secrets.KeyAndFingerprint(0x0, 0x0, 0x472552, 0x3, 0x409e13, 0xc000526560, 0x47214a, 0xc0001bf980)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/secrets/pgpkey.go:127 +0x10b
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/review.(*AttestorValidatingTransport).GetValidatedAttestations(0xc000107340, 0xc000599580, 0x19, 0xc00042e240, 0x14, 0x13c87e6, 0x11, 0x13be9c0)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/review/validating_transport.go:44 +0xaf
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/review.Reviewer.findUnsatisfiedAuths(0xc00044e540, 0xc000599580, 0x19, 0xc000106840, 0x1, 0x1, 0x159f640, 0xc00044e390, 0x0, 0xc00026c320, ...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/review/review.go:149 +0x203
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/review.Reviewer.ReviewGAP(0xc00044e540, 0xc00063a190, 0x1, 0x1, 0xc00014c000, 0x1, 0x1, 0xc000236380, 0x159f640, 0xc00044e390, ...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/review/review.go:77 +0x24c
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.reviewGenericAttestationPolicy(0xc00063a190, 0x1, 0x1, 0xc00054c6d0, 0x7, 0xc000236380, 0xc000626480, 0xc00014c000, 0x1, 0x1, ...)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:318 +0x2b5
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.reviewImages(0xc00063a190, 0x1, 0x1, 0xc00054c6d0, 0x7, 0xc000236380, 0xc000626480, 0xc000458a50)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:270 +0x849
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.reviewPod(0xc000236380, 0xc000626480, 0xc000458a50)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:336 +0x1f1
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.handlePod(0xc000626390, 0xc000626480, 0xc000458a50, 0xc000598601, 0x18)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:138 +0x148
kritis-validation-hook-685b4bc677-kjfdt kritis-server github.com/grafeas/kritis/pkg/kritis/admission.ReviewHandler(0x15aca00, 0xc0000c8078, 0xc00015ed00, 0xc000458a50)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/pkg/kritis/admission/admission.go:213 +0x391
kritis-validation-hook-685b4bc677-kjfdt kritis-server main.main.func1(0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /go/src/github.com/grafeas/kritis/cmd/kritis/admission/main.go:138 +0x48
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.HandlerFunc.ServeHTTP(0xc0003963b0, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:1995 +0x44
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.(*ServeMux).ServeHTTP(0x21479a0, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:2375 +0x1d6
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.serverHandler.ServeHTTP(0xc0002f5790, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:2774 +0xa8
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.initNPNRequest.ServeHTTP(0xc0004a2380, 0xc0002f5790, 0x15aca00, 0xc0000c8078, 0xc00015ed00)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/server.go:3323 +0x8d
kritis-validation-hook-685b4bc677-kjfdt kritis-server net/http.(*http2serverConn).runHandler(0xc00050c780, 0xc0000c8078, 0xc00015ed00, 0xc00034acc0)
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/h2_bundle.go:5688 +0x89
kritis-validation-hook-685b4bc677-kjfdt kritis-server created by net/http.(*http2serverConn).processHeaders
kritis-validation-hook-685b4bc677-kjfdt kritis-server   /usr/local/go/src/net/http/h2_bundle.go:5422 +0x4f4

liuplgtm commented 4 years ago

Hi @julianvmodesto, it looks like there are internal checks that expect ":" in your input. Can you log the execution to check it? I do not have the code to reproduce the issue.

Please see the following call stack:
https://github.com/grafeas/kritis/blob/a50de654cd2b2f25cacc10f93e4ac2f213e94e3c/pkg/kritis/metadata/containeranalysis/containeranalysis.go#L171
https://github.com/grafeas/kritis/blob/a50de654cd2b2f25cacc10f93e4ac2f213e94e3c/vendor/github.com/google/go-containerregistry/pkg/name/ref.go#L41
https://github.com/grafeas/kritis/blob/a50de654cd2b2f25cacc10f93e4ac2f213e94e3c/vendor/github.com/google/go-containerregistry/pkg/name/tag.go#L79

julianvmodesto commented 4 years ago

Whoops, yeah, I misread this error... it seems like I'm seeing the panic for a completely different reason related to a PGP policy.

liuplgtm commented 4 years ago

If it fails the check that the input should have ":", the PGP-related fingerprint may not be generated, which leads to the nil dereference. Can you log the run to see if the check fails,
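Added example, not code from kritis or from anyone in this thread: it reproduces the failure pattern the trace above shows (a key lookup that yields nil when a ":" check fails, followed by a method call on the nil pointer) and pairs it with the two defensive changes an admission webhook needs, an explicit nil check that turns a missing key into a deny, and a recovery wrapper so that a panic still produces a readable, fail-closed admission response instead of the torn-down HTTP/2 stream that surfaced as INTERNAL_ERROR in the report. Every name here (pgpKey, lookupKey, safeFingerprint, withRecovery, the input query parameter) is a hypothetical stand-in, not kritis's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// pgpKey is a constructed stand-in for a parsed signing key (not kritis's secrets.PgpKey).
type pgpKey struct{ fingerprint string }

// Fingerprint has the shape of the method in the trace: a pointer receiver whose
// field read panics when the receiver is nil.
func (k *pgpKey) Fingerprint() string { return k.fingerprint }

// lookupKey is a hypothetical check of the kind discussed in the thread: the input
// must contain ":" ("name:fingerprint" here); otherwise no key is produced.
func lookupKey(input string) *pgpKey {
	i := strings.Index(input, ":")
	if i < 0 {
		return nil
	}
	return &pgpKey{fingerprint: input[i+1:]}
}

// unsafeFingerprint reproduces the defect pattern: the nil result is dereferenced.
func unsafeFingerprint(input string) string {
	return lookupKey(input).Fingerprint()
}

// safeFingerprint is the hardened form: a missing key becomes an error the caller
// can turn into a deny decision.
func safeFingerprint(input string) (string, error) {
	k := lookupKey(input)
	if k == nil {
		return "", fmt.Errorf("no PGP key could be derived from input %q", input)
	}
	return k.Fingerprint(), nil
}

// admissionResponse is a minimal stand-in for an AdmissionReview response.
type admissionResponse struct {
	Allowed bool   `json:"allowed"`
	Message string `json:"message,omitempty"`
}

func writeResponse(w http.ResponseWriter, resp admissionResponse) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(resp)
}

// unsafeReview is a constructed handler that reads its input from a query
// parameter (real webhooks parse an AdmissionReview body) and uses the crashing path.
func unsafeReview(w http.ResponseWriter, r *http.Request) {
	fp := unsafeFingerprint(r.URL.Query().Get("input"))
	writeResponse(w, admissionResponse{Allowed: true, Message: "fingerprint " + fp})
}

// safeReview denies explicitly when no key can be derived.
func safeReview(w http.ResponseWriter, r *http.Request) {
	fp, err := safeFingerprint(r.URL.Query().Get("input"))
	if err != nil {
		writeResponse(w, admissionResponse{Allowed: false, Message: err.Error()})
		return
	}
	writeResponse(w, admissionResponse{Allowed: true, Message: "fingerprint " + fp})
}

// withRecovery converts a panic inside the handler into a fail-closed deny with a
// message, rather than letting net/http log "panic serving" and reset the stream.
func withRecovery(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				writeResponse(w, admissionResponse{
					Allowed: false,
					Message: fmt.Sprintf("webhook panicked: %v", rec),
				})
			}
		}()
		next(w, r)
	}
}

// callWebhook drives a handler in-process and decodes its decision.
func callWebhook(h http.HandlerFunc, input string) admissionResponse {
	req := httptest.NewRequest(http.MethodPost, "/?input="+url.QueryEscape(input), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	var resp admissionResponse
	_ = json.Unmarshal(rec.Body.Bytes(), &resp)
	return resp
}

func main() {
	// Constructed inputs: one without ":" (fails the check), one with it.
	fmt.Printf("%+v\n", callWebhook(withRecovery(unsafeReview), "nginx"))
	fmt.Printf("%+v\n", callWebhook(safeReview, "signer:0A1B2C3D"))
}
```

The recovery wrapper is a backstop, not a substitute for the nil check: with only the wrapper, every malformed input still costs a panic and a stack dump in the server log, while the explicit check gives the API server (and the person running kubectl) a message that names the actual problem.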