grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0

signer does not timeout waiting for the container analysis of an image #584

Closed mvanholsteijn closed 3 years ago

mvanholsteijn commented 4 years ago

Expected Behavior

The signer times out with an error check-and-sign when no container analysis is completed within the default timeout period.

Actual Behavior

The signer waits ad infinitum.

Steps to Reproduce the Problem

signer \
        -mode check-and-sign \
        -policy policy.yaml \
        -note_name projects/my-project/notes/passed-vulnerabilityscan \
        -kms_key_name projects/my-project/locations/eur4/keyRings/vul_scanner_attestors/cryptoKeys/vulnz-attestor-J5k/cryptoKeyVersions/1 \
        -kms_digest_alg SHA384 \
        -image eu.gcr.io/my-project/my-image@sha256:f86657a463e3de9e5176e4774640c76399b2480634af97f45354f1553e372cc -logtostderr \
        -vulnz_timeout 5s

will just print:

I1105 15:05:06.503965   61633 main.go:147] Signer mode: check-and-sign.
I1105 15:05:06.504940   61633 main.go:182] Policy req: {MEDIUM MEDIUM [projects/goog-vulnz/notes/CVE-2020-10543 projects/goog-vulnz/notes/CVE-2020-10878 projects/goog-vulnz/notes/CVE-2020-14155]}

Even though the image does not even exist. When the code is fixed it should show:

F1105 15:16:10.091367   62309 main.go:190] Error waiting for vulnerability analysis failed to find a container analysis discovery occurrence for eu.gcr.io/my-project/my-image@sha256:f86657a463e3de9e5176e4774640c76399b2480634af97f45354f1553e372cc
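The behaviour the report asks for is a bounded wait: poll container analysis for a discovery occurrence and fail with an error once the timeout elapses instead of blocking forever when the occurrence never appears. The following Go sketch is an added example of that pattern, not kritis' own signer code; the status values, `fetchFunc` and `WaitForVulnzAnalysis` are hypothetical names, and the lookup of the real occurrence is left to the injected `fetch` callback.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// DiscoveryStatus stands in for the status a container-analysis discovery
// occurrence reports. Illustrative values only, not kritis' own types.
type DiscoveryStatus string

const (
	StatusScanning DiscoveryStatus = "SCANNING"
	StatusFinished DiscoveryStatus = "FINISHED_SUCCESS"
	StatusFailed   DiscoveryStatus = "FINISHED_FAILED"
)

// ErrNoDiscovery is returned by fetch when no discovery occurrence exists for
// the image (for instance because the image itself does not exist).
var ErrNoDiscovery = errors.New("no container analysis discovery occurrence")

// fetchFunc looks up the current discovery status of an image (hypothetical).
type fetchFunc func(ctx context.Context, image string) (DiscoveryStatus, error)

// WaitForVulnzAnalysis polls fetch until the analysis reaches a terminal state
// or timeout expires. A missing occurrence never blocks forever: the deadline
// on ctx ends the wait with an error that wraps the last lookup failure.
func WaitForVulnzAnalysis(parent context.Context, image string, fetch fetchFunc,
	timeout, interval time.Duration) (DiscoveryStatus, error) {
	ctx, cancel := context.WithTimeout(parent, timeout)
	defer cancel()
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	var last error // why we are still waiting, reported on timeout
	for {
		status, err := fetch(ctx, image)
		switch {
		case err == nil && (status == StatusFinished || status == StatusFailed):
			return status, nil
		case err != nil:
			last = err
		default:
			last = fmt.Errorf("analysis still %s", status)
		}
		select {
		case <-ctx.Done():
			return "", fmt.Errorf("error waiting for vulnerability analysis of %s after %s: %w", image, timeout, last)
		case <-ticker.C:
		}
	}
}
```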