grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0

Kritis-Signer doesn't allow using Artifact Registry repositories. #613

Closed xkobal closed 2 years ago

xkobal commented 2 years ago

Expected Behavior

Allow to check & sign an image hosted on a docker repository made with GCP Artifact Registry.

Actual Behavior

As mentioned in this blog post, https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry, Artifact Registry is the recommended kind of registry now, as Container Registry won't have new features.

I have a complete GCB working workflow with Kritis-Signer and K8s Binary Authorization. It works like a charm on *.gcr.io repositories. I was doing some tests to begin migrating my docker images to Artifact Registry: *-docker.pkg.dev.

But when I try to check my images, it gives me an error: Found err europe-docker.pkg.dev/[PROJECT]/vulnerability-check/test@sha256:[SHA256] is not a valid image hosted in GCR

The error is coming from this line of code: https://github.com/grafeas/kritis/blob/faeba81c520ca742fe378cc87d99e04bdda098c1/pkg/kritis/metadata/containeranalysis/containeranalysis.go#L185

I don't know if it is just a problem with the check, or if Kritis Signer doesn't work at all with Artifact Registry.

Steps to Reproduce the Problem

Environment, commands

  1. Create and pull a docker image on Artifact Registry: https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling
  2. Set up the Kritis Signer custom builder on Artifact Registry (update the deploy/kritis-signer/cloudbuild.yaml to change the target repository).
  3. Run a GCP step to check the image:

```yaml
- name: europe-docker.pkg.dev/shipfix-registry/global/kritis-signer
  entrypoint: /bin/bash
  args:
  - -c
  - |
    /kritis/signer \
      -v=10 \
      -alsologtostderr \
      -image=europe-docker.pkg.dev/[PROJECT]/vulnerability-check/test@sha256:[SHA256] \
      -policy=cloudbuild/kritis-policy.yaml \
      -mode=check-only
```

Thank you for your help.

xkobal commented 2 years ago

I have my answer, it is just coming from the isRegistryGCR function. The library is working like a charm when I skip this check. I will try to make a Pull Request to develop this feature.
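The registry check discussed in this thread, reworked as an added example (not kritis code and not the reporter's PR): it accepts both GCR hosts and Artifact Registry Docker hosts, anchors the host patterns so lookalike domains are rejected, and refuses tag-only references because an attestation must bind an immutable digest. The function names and the constructed digest are this example's own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical registry gate, not kritis code: accepts GCR (gcr.io and
// regional *.gcr.io) and Artifact Registry Docker hosts (*-docker.pkg.dev).
// Patterns are anchored so "gcr.io.example.com" cannot pass as gcr.io.
var (
	gcrHost      = regexp.MustCompile(`^([a-z]+\.)?gcr\.io$`)
	artifactHost = regexp.MustCompile(`^[a-z0-9-]+-docker\.pkg\.dev$`)
	digestRe     = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
)

// IsGoogleHostedRegistry reports whether host is GCR or Artifact Registry.
func IsGoogleHostedRegistry(host string) bool {
	return gcrHost.MatchString(host) || artifactHost.MatchString(host)
}

// CheckImage validates "host/path@sha256:<hex>" before a signer fetches
// vulnerability occurrences. Tag-only references are rejected because an
// attestation must bind an immutable digest; the final error text mirrors
// the one reported in this issue.
func CheckImage(ref string) error {
	name, digest, ok := strings.Cut(ref, "@")
	if !ok || !digestRe.MatchString(digest) {
		return fmt.Errorf("%s: reference must be pinned by a sha256 digest", ref)
	}
	host, path, ok := strings.Cut(name, "/")
	if !ok || path == "" {
		return fmt.Errorf("%s: missing repository path", ref)
	}
	if !IsGoogleHostedRegistry(host) {
		return fmt.Errorf("%s is not a valid image hosted in GCR or Artifact Registry", ref)
	}
	return nil
}

func main() {
	// Constructed digest placeholder; a real reference carries the image's digest.
	ref := "europe-docker.pkg.dev/proj/vulnerability-check/test@sha256:" + strings.Repeat("a", 64)
	fmt.Println("check:", CheckImage(ref)) // prints "check: <nil>"
}
```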

ooq commented 2 years ago

Hi @xkobal Thanks for reporting this issue and sending over the fix! I'll get to the PR.

xkobal commented 2 years ago

The merge of the PR fixes the issue. Thanks for the quick merge.