kubewarden / kwctl

Go-to CLI tool for Kubewarden users
https://kubewarden.io
Apache License 2.0

kwctl.exe pull and policies errors #105

Closed nunix closed 2 years ago

nunix commented 2 years ago

Version used: kwctl 0.2.4

kwctl pull error

When running kwctl.exe pull, I get the following error:

kwctl.exe pull registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.9
Error: missing field `auths` at line 1 column 24

Workaround and expected behavior

As hinted by @ereslibre, the issue seems to be related to the Docker config file, as I do have Docker Desktop installed:

cat $env:USERPROFILE\.docker\config.json
{"credsStore":"desktop"}

mv $env:USERPROFILE\.docker\config.json $env:USERPROFILE\.docker\config.json.bak

kwctl.exe pull registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.9

kwctl policies error

After running the kwctl.exe pull ..., if I try to list the policies, I have the following error:

kwctl.exe pull registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.9

kwctl.exe policies
Error: Unexpected EOF (at offset 0)

Additional notes

I noticed that when I run kwctl.exe pull ..., the command ends very fast, as if it didn't pull the policy.

I could confirm the behavior, but using the option --output-path, which took more time and downloaded the policy as it should:

kwctl.exe pull --output-path $env:USERPROFILE\pod-privileged registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.9

kwctl.exe policies
Error: Unexpected EOF (at offset 0)

kwctl inspect $env:USERPROFILE\pod-privileged
Details
title:              pod-privileged
description:        Limit the ability to create privileged containers
author:             Flavio Castelli
url:                https://github.com/kubewarden/pod-privileged-policy
source:             https://github.com/kubewarden/pod-privileged-policy
license:            Apache-2.0
mutating:           false
context aware:      false
execution mode:     kubewarden-wapc
protocol version:   1

Annotations
io.kubewarden.kwctl 0.1.9

Rules
────────────────────
---
- apiGroups:
    - ""
  apiVersions:
    - v1
  resources:
    - pods
  operations:
    - CREATE
────────────────────

Usage
This policy doesn't have a configuration. Once enforced, it will reject
the creation of Pods that have at least a privileged container defined.

expected behavior

When running the kwctl.exe pull ..., it *really* pulls the policy to a local path (i.e. on Linux it's .cache/kubewarden/store/registry/ghcr.io/kubewarden/policies for the registry policies).

When running kwctl.exe inspect, I have the list of policies downloaded.

Thanks in advance for your help 😄

nunix commented 2 years ago

After checking where the local store is located ($env:USERPROFILE\AppData\Local\kubewarden\cache\store), I could see that the file is empty and the permissions of the directory are set to have read-only files only.

Even if I remove the option and make the directory and files read/write, once I pull a policy it re-enables the read-only permission for files. This might be how the writing of the file is done by kwctl.
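
Both symptoms reported in this thread can be checked without moving the Docker config aside. The PowerShell below is an added example, not part of the thread and not kwctl code: it reports whether a Docker config is helper-only (no `auths` key) and lists zero-length files in a store directory together with their read-only flag. The function names, the temporary directory and the sample file names are hypothetical and constructed for the demonstration.

```powershell
# Added example: diagnostics for the two symptoms in this issue.
# Function names are hypothetical; nothing here is kwctl's own code.

function Test-DockerConfigShape {
    # Reports which credential-related keys a Docker config.json contains.
    param([Parameter(Mandatory)][string]$Json)
    $cfg   = $Json | ConvertFrom-Json
    $names = @($cfg.PSObject.Properties.Name)
    $hasHelper = ($names -contains 'credsStore') -or ($names -contains 'credHelpers')
    [pscustomobject]@{
        HasAuths       = $names -contains 'auths'
        HasCredsStore  = $names -contains 'credsStore'
        HasCredHelpers = $names -contains 'credHelpers'
        # Helper-only configs keep no inline credentials, so a reader
        # that requires `auths` fails on them ("missing field `auths`").
        HelperOnly     = $hasHelper -and ($names -notcontains 'auths')
    }
}

function Get-EmptyStoreFile {
    # Lists zero-length files under a policy store, with their read-only flag.
    param([Parameter(Mandatory)][string]$StorePath)
    Get-ChildItem -LiteralPath $StorePath -Recurse -File -Force |
        Where-Object { $_.Length -eq 0 } |
        Select-Object FullName, IsReadOnly
}

# 1. The config content quoted in the report: HelperOnly is True.
Test-DockerConfigShape -Json '{"credsStore":"desktop"}'

# 2. A constructed store in a temp directory (sample names, not real policies):
#    one empty read-only file and one non-empty file.
$store = Join-Path ([IO.Path]::GetTempPath()) ("kw-store-" + [guid]::NewGuid())
$dir   = New-Item -ItemType Directory -Path (Join-Path $store 'registry\example.invalid\policies')
$empty = New-Item -ItemType File -Path (Join-Path $dir.FullName 'sample-policy_v0.0.0')
$empty.IsReadOnly = $true
Set-Content -LiteralPath (Join-Path $dir.FullName 'other-policy_v0.0.0') -Value 'non-empty'

# Only the empty, read-only file is reported.
Get-EmptyStoreFile -StorePath $store

# Clean up the constructed store (-Force also removes read-only files).
Remove-Item -LiteralPath $store -Recurse -Force
```

To run it against a real machine, pass `(Get-Content -Raw $env:USERPROFILE\.docker\config.json)` as `-Json` and `$env:USERPROFILE\AppData\Local\kubewarden\cache\store` as `-StorePath`, the two paths given in the comments above.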