kubewarden / user-group-psp-policy

This Kubewarden policy is a replacement for the Kubernetes Pod Security Policy that controls container users and groups
https://kubewarden.io
Apache License 2.0

Fetching container image config is failing #93

Closed jvanz closed 1 month ago

jvanz commented 1 month ago

Is there an existing issue for this?

Current Behavior

During the testing of the v1.15.0 release candidates we found that the policy is crashing (version v0.6.0) when requesting the container image configuration from the registry:

```
policy-server-default 2024-07-25T15:29:02.000833Z ERROR request{method=POST uri=/validate/clusterwide-do-not-run-as-root?timeout=10s version=HTTP/1.1}:validation{host="policy-server-default-64956c798f-v5vjm" policy_id="clusterwide-do-not-run-as-root" kind="Pod" kind_group="" kind_version="v1" name="" namespace="default" operation="CREATE" request_uid="68735028-41b0-4ed0-87bd-c23b102bec80" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"rule": String("RunAsAny")}, "run_as_user": Object {"rule": String("MustRunAsNonRoot")}, "supplemental_groups": Object {"rule": String("RunAsAny")}, "validate_container_image_configuration": Bool(true)}}: wasmtime_provider: Failure invoking guest module handler: error while executing at wasm backtrace:
policy-server-default     0: 0x174348 - user_group_psp.wasm!__rust_alloc
policy-server-default     1: 0x159fe9 - user_group_psp.wasm!wapc_guest::protocol::host_call::hd7c0336615a6a914
policy-server-default     2: 0xec82c - user_group_psp.wasm!kubewarden_policy_sdk::host_capabilities::oci::get_manifest_and_config::h803fae37c19f4dec
policy-server-default     3: 0x4ded9 - user_group_psp.wasm!user_group_psp::enforce_container_security_policies::h4214b9038ed52ddd
policy-server-default     4: 0x246fa - user_group_psp.wasm!user_group_psp::validate::h1b0f7d0e060e55cd
policy-server-default     5: 0xbb0db - user_group_psp.wasm!__guest_call
policy-server-default     6: 0x1755cc - user_group_psp.wasm!__guest_call.command_export
policy-server-default
policy-server-default Caused by:
policy-server-default     wasm trap: interrupt
policy-server-default 2024-07-25T15:29:02.000922Z ERROR request{method=POST uri=/validate/clusterwide-do-not-run-as-root?timeout=10s version=HTTP/1.1}:validation{host="policy-server-default-64956c798f-v5vjm" policy_id="clusterwide-do-not-run-as-root" kind="Pod" kind_group="" kind_version="v1" name="" namespace="default" operation="CREATE" request_uid="68735028-41b0-4ed0-87bd-c23b102bec80" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"rule": String("RunAsAny")}, "run_as_user": Object {"rule": String("MustRunAsNonRoot")}, "supplemental_groups": Object {"rule": String("RunAsAny")}, "validate_container_image_configuration": Bool(true)}}: policy_evaluator::runtimes::wapc::runtime: waPC communication error error="Guest call failure: guest code interrupted, execution deadline exceeded"
```

We need to investigate if this is an issue in the policy or in the new capability.

Expected Behavior

The policy should evaluate the requests without crashing.

Steps To Reproduce

  1. Install Kubewarden
  2. Deploy the user-group-policy version v0.6.0
  3. Perform an evaluation

Environment

No response

Anything else?

No response

viccuad commented 1 month ago

Here are the logs from the policy-server.

Running:

```
cargo run --release -- --policies policies.yml --workers 2 \
  --log-fmt otlp --log-level debug \
  --ignore-kubernetes-connection-failure --disable-timeout-protection
```

With, in my case, a curl hitting `localhost:3000/validate/user-group-psp-policy` for a pod with docker.io nginx.

```
2024-07-29T14:26:48.542077Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}: tower_http::trace::on_request: started processing request
2024-07-29T14:26:48.542350Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy"}: policy_server::api::handlers: admission_review={"kind":"AdmissionReview","apiVersion":"admission.k8s.io/v1","request":{"uid":"1299d386-525b-4032-98ae-1949f69f9cfc","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"nginx","namespace":"default","operation":"CREATE","userInfo":{"groups":["system:masters","system:authenticated"],"username":"kubernetes-admin"},"object":{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"env\":\"test\"},\"name\":\"nginx\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx\",\"imagePullPolicy\":\"IfNotPresent\",\"name\":\"nginx\"}],\"tolerations\":[{\"effect\":\"NoSchedule\",\"key\":\"example-key\",\"operator\":\"Exists\"}]}}\n"},"creationTimestamp":"2020-11-12T15:18:36Z","labels":{"env":"test"},"managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}},"f:labels":{".":{},"f:env":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"nginx\"}":{".":{},"f:image":{},"f:ima
gePullPolicy":{},"f:name":{},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:enableServiceLinks":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{},"f:tolerations":{}}},"manager":"kubectl","operation":"Update","time":"2020-11-12T15:18:36Z"}],"name":"nginx","namespace":"default","uid":"04dc7a5e-e1f1-4e34-8d65-2c9337a43e64"},"spec":{"containers":[{"command":["sleep","1h"],"image":"alpine","imagePullPolicy":"IfNotPresent","name":"sleeping-sidecar","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-pvpz7","readOnly":true}]},{"image":"nginx","imagePullPolicy":"IfNotPresent","name":"nginx","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-pvpz7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","enableServiceLinks":true,"preemptionPolicy":"PreemptLowerPriority","priority":0,"restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300},{"effect":"NoSchedule","key":"dedicated","operator":"Equal","value":"tenantA"}],"volumes":[{"name":"default-token-pvpz7","secret":{"secretName":"default-token-pvpz7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"dryRun":false,"options":{"apiVersion":"meta.k8s.io/v1","kind":"CreateOptions"}}} 2024-07-29T14:26:48.542528Z DEBUG request{method=POST 
uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}: policy_server::evaluation::evaluation_environment: validate individual policy policy_id=Policy("user-group-psp-policy") 2024-07-29T14:26:48.542902Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:26:48.542947Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:26:48.543332Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, 
"run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:26:48.543384Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:26:48.543964Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" 
subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:26:48.544026Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: policy_evaluator::runtimes::wapc::callback: invoking host_callback wapc_id=10 2024-07-29T14:26:48.544070Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" 
policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: policy_evaluator::runtimes::callback: Sending request via callback channel eval_ctx.policy_id="user-group-psp-policy" binding="kubewarden" operation="v1/oci_manifest_config" image="alpine" 2024-07-29T14:26:48.548818Z DEBUG policy_fetcher::registry: Couldn't fetch credentials. 
Using anonymous instead error=ConfigReadError registry=docker.io 2024-07-29T14:26:48.548955Z DEBUG oci_distribution::client: Pulling image manifest from https://index.docker.io/v2/library/alpine/manifests/latest 2024-07-29T14:26:48.548987Z DEBUG oci_distribution::token_cache: Fetching token key.registry=index.docker.io key.repository=library/alpine key.operation=Pull miss=true 2024-07-29T14:26:48.549004Z DEBUG oci_distribution::client: Authorizing for image: Reference { registry: "docker.io", repository: "library/alpine", tag: Some("latest"), digest: None } 2024-07-29T14:26:48.549020Z DEBUG oci_distribution::client: url="https://index.docker.io/v2/" 2024-07-29T14:26:48.549058Z DEBUG reqwest::connect: starting new connection: https://index.docker.io/ 2024-07-29T14:26:48.889821Z DEBUG oci_distribution::client: Making authentication call realm="https://auth.docker.io/token" service=Some("registry.docker.io") scope="repository:library/alpine:pull" 2024-07-29T14:26:48.889905Z DEBUG reqwest::connect: starting new connection: https://auth.docker.io/ 2024-07-29T14:26:49.500806Z DEBUG oci_distribution::client: Received response from auth request: 
{"token":"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.eyJhY2Nlc3MiOlt7ImFjdGlvbnMiOlsicHVsbCJdLCJuYW1lIjoibGlicmFyeS9hbHBpbmUiLCJwYXJhbWV0ZXJzIjp7InB1bGxfbGltaXQiOiIxMDAiLCJwdWxsX2xpbWl0X2ludGVydmFsIjoiMjE2MDAifSwidHlwZSI6InJlcG9zaXRvcnkifV0sImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5pbyIsImV4cCI6MTcyMjI2MzUwOSwiaWF0IjoxNzIyMjYzMjA5LCJpc3MiOiJhdXRoLmRvY2tlci5pbyIsImp0aSI6ImRja3JfanRpX3lISUlDeXdCTFRvcXppdS02cFdkUzVRYzAtYz0iLCJuYmYiOjE3MjIyNjI5MDksInN1YiI6IiJ9.L9jznjwToPfD1pAyecVdJbFhgL5aZa8C5jxo-Oc2KKnQMIcw-j9sBmFR7h9pJJleakoQObMdCKlNWwZwN_NrDoI3P46zEC2ZGnaCc1RzylskXzc9zWRnNNFs26poNCgP91bqoSztQO-78DRaYwJ-xNxyA9Qc-X1tHGL4p4qge1iRt6JhCXAiLsPuMH8NaPBo_aUBKlOO7qvT3K2PasHswUJR78ADBPNcM-BWb8A9YkQygmBoWbcmwr_zrn4W0N92cTMMEUOIKn5vr6ZDwP2fU2V0AdDo-Ax0Rld8LPt8r4zWRrdgokCgHaQzhRLJgQ3stCSO8gJcYgGPsDCuvpRWLA","access_token":"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.eyJhY2Nlc3MiOlt7ImFjdGlvbnMiOlsicHVsbCJdLCJuYW1lIjoibGlicmFyeS9hbHBpbmUiLCJwYXJhbWV0ZXJzIjp7InB1bGxfbGltaXQiOiIxMDAiLCJwdWxsX2xpbWl0X2ludGVydmFsIjoiMjE2MDAifSwidHlwZSI6InJlcG9zaXRvcnkifV0sImF1ZCI6InJlZ2lzdHJ5LmRvY2tlci5pbyIsImV4cCI6MTcyMjI2MzUwOSwiaWF0IjoxNzIyMjYzMjA5LCJpc3MiOiJhdXRoLmRvY2tlci5pbyIsImp0aSI6ImRja3JfanRpX3lISUlDeXdCTFRvcXppdS02cFdkUzVRYzAtYz0iLCJuYmYiOjE3MjIyNjI5MDksInN1YiI6IiJ9.L9jznjwToPfD1pAyecVdJbFhgL5aZa8C5jxo-Oc2KKnQMIcw-j9sBmFR7h9pJJleakoQObMdCKlNWwZwN_NrDoI3P46zEC2ZGnaCc1RzylskXzc9zWRnNNFs26poNCgP91bqoSztQO-78DRaYwJ-xNxyA9Qc-X1tHGL4p4qge1iRt6JhCXAiLsPuMH8NaPBo_aUBKlOO7qvT3K2PasHswUJR78ADBPNcM-BWb8A9YkQygmBoWbcmwr_zrn4W0N92cTMMEUOIKn5vr6ZDwP2fU2V0AdDo-Ax0Rld8LPt8r4zWRrdgokCgHaQzhRLJgQ3stCSO8gJcYgGPsDCuvpRWLA","expires_in":300,"issued_at":"2024-07-29T14:26:49.377440628Z"} 2024-07-29T14:26:49.500906Z DEBUG oci_distribution::client: Successfully authorized for image 'Reference { registry: "docker.io", repository: "library/alpine", tag: Some("latest"), digest: None }' 2024-07-29T14:26:49.500982Z DEBUG oci_distribution::token_cache: Inserting token registry=index.docker.io 
repository=library/alpine op=Pull expiration=1722263509 2024-07-29T14:26:49.501001Z DEBUG oci_distribution::client: Using bearer token authentication. 2024-07-29T14:26:49.654811Z DEBUG oci_distribution::client: validating manifest: {"manifests":[{"digest":"sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"amd64","os":"linux"},"size":528},{"digest":"sha256:5c7e326e3c8a8c51654a6c5d94dac98d7f6fc4b2a762d86aaf67b7e76a6aee46","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v6"},"size":528},{"digest":"sha256:fda9b1b812b25c68f94da5b719039bfa9a3b76e167a8f87e7fc62cb159d21ca1","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v7"},"size":528},{"digest":"sha256:24ba417e25e780ff13c888ccb1badec5b027944666ff695681909bafe09a3944","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm64","os":"linux","variant":"v8"},"size":528},{"digest":"sha256:fa66aa594ffa884dff44f4a97821756545834505df611c375a30c45926402f89","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"386","os":"linux"},"size":528},{"digest":"sha256:a01843eb870e11bb20c78a9068269c810f14dd5c49364064fa3f9cf798f666dd","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"ppc64le","os":"linux"},"size":528},{"digest":"sha256:e99a4d9aa9f905cee4171c6d616e4008fa32202fa8aa8aa65efcafbc3a0f5fa5","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"riscv64","os":"linux"},"size":528},{"digest":"sha256:14da06d3a8959002fd621dd3994a254e2126d239f2fe69e829fd95d16ce81dea","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"s390x","os":"linux"},"size":528}],"media
Type":"application\/vnd.docker.distribution.manifest.list.v2+json","schemaVersion":2} 2024-07-29T14:26:49.654875Z DEBUG oci_distribution::client: Parsing response as Manifest: {"manifests":[{"digest":"sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"amd64","os":"linux"},"size":528},{"digest":"sha256:5c7e326e3c8a8c51654a6c5d94dac98d7f6fc4b2a762d86aaf67b7e76a6aee46","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v6"},"size":528},{"digest":"sha256:fda9b1b812b25c68f94da5b719039bfa9a3b76e167a8f87e7fc62cb159d21ca1","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm","os":"linux","variant":"v7"},"size":528},{"digest":"sha256:24ba417e25e780ff13c888ccb1badec5b027944666ff695681909bafe09a3944","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"arm64","os":"linux","variant":"v8"},"size":528},{"digest":"sha256:fa66aa594ffa884dff44f4a97821756545834505df611c375a30c45926402f89","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"386","os":"linux"},"size":528},{"digest":"sha256:a01843eb870e11bb20c78a9068269c810f14dd5c49364064fa3f9cf798f666dd","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"ppc64le","os":"linux"},"size":528},{"digest":"sha256:e99a4d9aa9f905cee4171c6d616e4008fa32202fa8aa8aa65efcafbc3a0f5fa5","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"riscv64","os":"linux"},"size":528},{"digest":"sha256:14da06d3a8959002fd621dd3994a254e2126d239f2fe69e829fd95d16ce81dea","mediaType":"application\/vnd.docker.distribution.manifest.v2+json","platform":{"architecture":"s390x","os":"linux"},"size":528}],"mediaType":"application\/vnd.docker.distribution.manifest.lis
t.v2+json","schemaVersion":2} 2024-07-29T14:26:49.654943Z DEBUG oci_distribution::client: Inspecting Image Index Manifest 2024-07-29T14:26:49.654953Z DEBUG oci_distribution::client: Selected manifest entry with digest: sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78 2024-07-29T14:26:49.654963Z DEBUG oci_distribution::client: Pulling image manifest from https://index.docker.io/v2/library/alpine/manifests/sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78 2024-07-29T14:26:49.655000Z DEBUG oci_distribution::token_cache: Fetching token key.registry=index.docker.io key.repository=library/alpine key.operation=Pull expiration=1722263509 miss=false expired=false 2024-07-29T14:26:49.655020Z DEBUG oci_distribution::client: Using bearer token authentication. 2024-07-29T14:26:49.792372Z DEBUG oci_distribution::client: validating manifest: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 1471, "digest": "sha256:324bc02ae1231fd9255658c128086395d3fa0aedd5a41ab6b034fd649d1a9260" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 3622892, "digest": "sha256:c6a83fedfae6ed8a4f5f7cbb6a7b6f1c1ec3d86fea8cb9e5ba2e5e6673fde9f6" } ] } 2024-07-29T14:26:49.792429Z DEBUG oci_distribution::client: Parsing response as Manifest: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 1471, "digest": "sha256:324bc02ae1231fd9255658c128086395d3fa0aedd5a41ab6b034fd649d1a9260" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 3622892, "digest": "sha256:c6a83fedfae6ed8a4f5f7cbb6a7b6f1c1ec3d86fea8cb9e5ba2e5e6673fde9f6" } ] } 2024-07-29T14:26:49.792481Z DEBUG oci_distribution::client: Pulling config layer 2024-07-29T14:26:49.792522Z DEBUG 
oci_distribution::token_cache: Fetching token key.registry=index.docker.io key.repository=library/alpine key.operation=Pull expiration=1722263509 miss=false expired=false 2024-07-29T14:26:49.792545Z DEBUG oci_distribution::client: Using bearer token authentication. 2024-07-29T14:26:49.905314Z DEBUG reqwest::async_impl::client: redirecting 'https://index.docker.io/v2/library/alpine/blobs/sha256:324bc02ae1231fd9255658c128086395d3fa0aedd5a41ab6b034fd649d1a9260' to 'https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/32/324bc02ae1231fd9255658c128086395d3fa0aedd5a41ab6b034fd649d1a9260/data?verify=1722266209-bObhEbYWJq%2FaZj0uV8kR3f2AEGw%3D' 2024-07-29T14:26:49.905374Z DEBUG reqwest::connect: starting new connection: https://production.cloudflare.docker.com/ 2024-07-29T14:26:50.004569Z DEBUG policy_evaluator::callback_handler: Image manifest computed value="alpine" cached=false 2024-07-29T14:26:50.005026Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC 
root set LIFO scope: 0 2024-07-29T14:26:50.005082Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:26:50.005116Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), 
"min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:26:50.005156Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:26:50.005209Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array 
[Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:26:50.005370Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:26:50.005413Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } 
settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:26:50.005521Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:26:50.005564Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" 
namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"run_as_group": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "run_as_user": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "supplemental_groups": Object {"ranges": Array [Object {"max": Number(2000), "min": Number(1000)}, Object {"max": Number(3000), "min": Number(2001)}], "rule": String("MustRunAs")}, "validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:26:50.006260Z DEBUG request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}:validation{host="unknown" policy_id="user-group-psp-policy" kind="Pod" kind_group="" kind_version="v1" name="nginx" namespace="default" operation="CREATE" request_uid="1299d386-525b-4032-98ae-1949f69f9cfc" resource="pods" resource_group="" resource_version="v1" subresource=""}: policy_server::api::handlers: policy evaluated response=AdmissionResponse { uid: "1299d386-525b-4032-98ae-1949f69f9cfc", allowed: false, patch_type: None, patch: None, status: Some(AdmissionResponseStatus { message: Some("Invalid user ID in the container image configuration: \"\""), code: None }), audit_annotations: None, warnings: None } 2024-07-29T14:26:50.006342Z INFO request{method=POST uri=/validate/user-group-psp-policy version=HTTP/1.1}: tower_http::trace::on_response: finished processing request latency=1464 ms status=200 ```
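The log quoted above ends with the policy rejecting the request with `Invalid user ID in the container image configuration: ""`, while its settings block shows the `run_as_user` rule being enforced (`MustRunAs` with the ranges 1000-2000 and 2001-3000). What follows is an added example, not code from the user-group-psp policy or from this issue: a small Python model of how an OCI image config's `User` field can be checked against the three PSP-style rules. The rule semantics follow the Kubernetes PodSecurityPolicy definitions; the exact mapping the real policy applies to the image config, the function names, and the sample image configs are assumptions (the empty-user config is modelled on the rejection seen in the log, the others are constructed). The model looks only at the image config, not at the pod's own `runAsUser`, which the real policy also considers.

```python
"""Model of the image-config user check behind `validate_container_image_configuration`.

Added example, not code from the user-group-psp policy. Rule semantics follow the
Kubernetes PodSecurityPolicy definitions; the mapping onto the OCI image config
(config.User) and the sample configs below are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Verdict:
    allowed: bool
    reason: str


def image_user_id(image_config: dict) -> Optional[int]:
    """Extract the numeric UID from config.User.

    OCI allows "uid", "uid:gid", "name" or "name:group". Only a numeric UID can be
    checked against a range from registry metadata alone: an empty field means the
    image runs as root by default, and a symbolic name resolves only inside the
    container's /etc/passwd, so both yield None here.
    """
    user = image_config.get("config", {}).get("User") or ""
    uid_part = user.split(":", 1)[0].strip()
    return int(uid_part) if uid_part.isdigit() else None


def check_run_as_user(rule: dict, image_config: dict) -> Verdict:
    """Evaluate a run_as_user rule ({"rule": ..., "ranges": [...]}) against the image."""
    strategy = rule.get("rule", "RunAsAny")
    if strategy == "RunAsAny":
        return Verdict(True, "RunAsAny: image user is not restricted")

    raw = image_config.get("config", {}).get("User") or ""
    uid = image_user_id(image_config)
    if uid is None:
        # Same shape as the rejection in the issue log: a user that cannot be
        # resolved to a UID from the image config fails any numeric constraint.
        return Verdict(False, f'Invalid user ID in the container image configuration: "{raw}"')

    if strategy == "MustRunAsNonRoot":
        if uid == 0:
            return Verdict(False, "image configuration runs the container as root (UID 0)")
        return Verdict(True, f"UID {uid} is non-root")

    if strategy == "MustRunAs":
        for r in rule.get("ranges", []):
            if r["min"] <= uid <= r["max"]:
                return Verdict(True, f"UID {uid} is within [{r['min']}, {r['max']}]")
        return Verdict(False, f"UID {uid} is outside every allowed range")

    return Verdict(False, f"unknown run_as_user rule {strategy!r}")


# Settings as they appear in the issue's log (ranges 1000-2000 and 2001-3000).
MUST_RUN_AS = {"rule": "MustRunAs",
               "ranges": [{"min": 1000, "max": 2000}, {"min": 2001, "max": 3000}]}
MUST_RUN_AS_NON_ROOT = {"rule": "MustRunAsNonRoot"}
RUN_AS_ANY = {"rule": "RunAsAny"}

# Constructed image configs, trimmed to the fields this check reads. The first one
# is parsed from a JSON blob the way a config layer fetched from a registry would be.
IMAGE_NO_USER = json.loads('{"architecture": "amd64", "os": "linux", "config": {"User": ""}}')
IMAGE_UID_1500 = {"config": {"User": "1500:1500"}}
IMAGE_UID_5000 = {"config": {"User": "5000"}}
IMAGE_ROOT = {"config": {"User": "0"}}
IMAGE_NAMED = {"config": {"User": "nginx"}}


def main() -> None:
    samples = [("no USER", IMAGE_NO_USER), ("1500:1500", IMAGE_UID_1500),
               ("5000", IMAGE_UID_5000), ("0", IMAGE_ROOT), ("nginx", IMAGE_NAMED)]
    for name, cfg in samples:
        for rule in (RUN_AS_ANY, MUST_RUN_AS_NON_ROOT, MUST_RUN_AS):
            v = check_run_as_user(rule, cfg)
            print(f"{rule['rule']:<17} user={name!r:<12} allowed={v.allowed} ({v.reason})")


if __name__ == "__main__":
    main()
```

The empty-user case is the interesting one for a defender: an image built without a `USER` directive starts as root, so any rule stricter than `RunAsAny` has to reject it unless the pod spec supplies a numeric `runAsUser`, which is exactly the fail-closed outcome the log shows. The same reasoning applies to a symbolic user name, since the registry metadata cannot prove which UID it maps to.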
jvanz commented 1 month ago

To simulate this issue, we can use the standalone policy server with the following policies.yaml

```json
{
  "clusterwide-user-group": {
    "namespacedName": {
      "Namespace": "",
      "Name": "user-group"
    },
    "url": "ghcr.io/kubewarden/policies/user-group-psp:v0.6.0",
    "policyMode": "protect",
    "allowedToMutate": true,
    "settings": {
      "validate_container_image_configuration": true
    }
  }
}
```

The command to run the policy server can be:

```console
./target/release/policy-server --log-level debug --policies policies.yml --policy-timeout 2
```

After that, the issue can be triggered using the following request:

The whole request json file (`request-pretty.json`):

```json
{ "request": { "dryRun": false, "kind": { "group": "apps", "kind": "Deployment", "version": "v1" }, "name": "nginx-deployment", "namespace": "default", "object": { "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "annotations": { "io.kubewarden.policy.echo.create": "true", "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{\"io.kubewarden.policy.echo.create\":\"true\"},\"labels\":{\"app\":\"nginx\"},\"name\":\"nginx-deployment\",\"namespace\":\"default\"},\"spec\":{\"replicas\":1,\"selector\":{\"matchLabels\":{\"app\":\"template-nginx\"}},\"template\":{\"metadata\":{\"labels\":{\"app\":\"template-nginx\"}},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"name\":\"nginx\",\"ports\":[{\"containerPort\":80}],\"securityContext\":{\"privileged\":true}}]}}}}\n" }, "creationTimestamp": "2024-07-24T19:23:35Z", "generation": 1, "labels": { "app": "nginx" }, "managedFields": [ { "apiVersion": "apps/v1", "fieldsType": "FieldsV1", "fieldsV1": { "f:metadata": { "f:annotations": { ".": {}, "f:io.kubewarden.policy.echo.create": {}, "f:kubectl.kubernetes.io/last-applied-configuration": {} }, "f:labels": { ".": {}, "f:app": {} } }, "f:spec": { "f:progressDeadlineSeconds": {}, "f:replicas": {}, "f:revisionHistoryLimit": {}, "f:selector": {}, "f:strategy": { "f:rollingUpdate": { ".": {}, "f:maxSurge": {}, "f:maxUnavailable": {} }, "f:type": {} }, "f:template": { "f:metadata": { "f:labels": { ".": {}, "f:app": {} } }, "f:spec": { "f:containers": { "k:{\"name\":\"nginx\"}": { ".": {}, "f:image": {}, "f:imagePullPolicy": {}, "f:name": {}, "f:ports": { ".": {}, "k:{\"containerPort\":80,\"protocol\":\"TCP\"}": { ".": {}, "f:containerPort": {}, "f:protocol": {} } }, "f:resources": {}, "f:securityContext": { ".": {}, "f:privileged": {} }, "f:terminationMessagePath": {}, "f:terminationMessagePolicy": {} } }, "f:dnsPolicy": {}, "f:restartPolicy": {}, "f:schedulerName": {}, "f:securityContext": {}, "f:terminationGracePeriodSeconds": {} } } } }, "manager": "kubectl-client-side-apply", "operation": "Update", "time": "2024-07-24T19:23:35Z" } ], "name": "nginx-deployment", "namespace": "default", "uid": "b64ba9f4-7b86-4d8f-baed-1a24c7d3bb60" }, "spec": { "progressDeadlineSeconds": 600, "replicas": 1, "revisionHistoryLimit": 10, "selector": { "matchLabels": { "app": "template-nginx" } }, "strategy": { "rollingUpdate": { "maxSurge": "25%", "maxUnavailable": "25%" }, "type": "RollingUpdate" }, "template": { "metadata": { "creationTimestamp": null, "labels": { "app": "template-nginx" } }, "spec": { "containers": [ { "image": "nginx:1.14.2", "imagePullPolicy": "IfNotPresent", "name": "nginx", "ports": [ { "containerPort": 80, "protocol": "TCP" } ], "resources": {}, "securityContext": { "privileged": true }, "terminationMessagePath": "/dev/termination-log", "terminationMessagePolicy": "File" } ], "dnsPolicy": "ClusterFirst", "restartPolicy": "Always", "schedulerName": "default-scheduler", "securityContext": {}, "terminationGracePeriodSeconds": 30 } } }, "status": {} }, "operation": "CREATE", "options": { "apiVersion": "meta.k8s.io/v1", "fieldManager": "kubectl-client-side-apply", "fieldValidation": "Strict", "kind": "CreateOptions" }, "requestKind": { "group": "apps", "kind": "Deployment", "version": "v1" }, "requestResource": { "group": "apps", "resource": "deployments", "version": "v1" }, "resource": { "group": "apps", "resource": "deployments", "version": "v1" }, "uid": "58cc1e64-a8ef-43b2-8757-d8155dabd3c0", "userInfo": { "groups": [ "system:masters", "system:authenticated" ], "username": "system:admin" } } }
```

And curl command:

```console
curl -XPOST --json @request-pretty.json http://localhost:3000/validate/clusterwide-user-group
```

In the policy server log, it's possible to see the error:

All the logs:

```console
2024-07-29T14:56:50.834726Z DEBUG reqwest::connect: starting new connection: https://tuf-repo-cdn.sigstore.dev/ 2024-07-29T14:56:52.714977Z DEBUG reqwest::connect: starting new connection: https://tuf-repo-cdn.sigstore.dev/ 2024-07-29T14:56:54.585837Z DEBUG reqwest::connect: starting new connection: https://tuf-repo-cdn.sigstore.dev/ 2024-07-29T14:56:56.104846Z DEBUG reqwest::connect: starting new connection: https://tuf-repo-cdn.sigstore.dev/ 2024-07-29T14:56:58.325749Z DEBUG reqwest::connect: starting new connection: https://tuf-repo-cdn.sigstore.dev/ 2024-07-29T14:56:59.739389Z DEBUG tough::datastore: removing '/tmp/.tmpGxenX5/timestamp.json' 2024-07-29T14:56:59.739757Z DEBUG tough::datastore: removing '/tmp/.tmpGxenX5/snapshot.json' 2024-07-29T14:56:59.841880Z DEBUG reqwest::connect: starting new connection: https://tuf-repo-cdn.sigstore.dev/ 2024-07-29T14:57:01.780419Z DEBUG reqwest::connect: starting new connection: https://tuf-repo-cdn.sigstore.dev/ 2024-07-29T14:57:03.648102Z DEBUG reqwest::connect: starting new connection: https://tuf-repo-cdn.sigstore.dev/ 2024-07-29T14:57:05.513916Z DEBUG reqwest::connect: starting new connection: https://tuf-repo-cdn.sigstore.dev/ 2024-07-29T14:57:06.948554Z DEBUG sigstore::trust::sigstore: trusted_root.json: reading from disk cache 2024-07-29T14:57:06.957376Z INFO policy_server::policy_downloader: policies download download_dir="." 
policies_count=1 status="init" 2024-07-29T14:57:06.957396Z DEBUG policy_server::policy_downloader: download policy="clusterwide-user-group" 2024-07-29T14:57:06.983290Z INFO policy_server::policy_downloader: policy download name="clusterwide-user-group" path="./registry/ghcr.io/kubewarden/policies/user-group-psp:v0.6.0" sha256sum="6372182d902798617ccf8a1136fe56790664ec1f0deba4e091212d37e97a2542" mutating=true 2024-07-29T14:57:06.983347Z DEBUG policy_server: instantiating wasmtime::Module objects wasm_modules_count=1 2024-07-29T14:57:07.317677Z DEBUG policy_server: module compiled policy_url="ghcr.io/kubewarden/policies/user-group-psp:v0.6.0" 2024-07-29T14:57:07.317720Z DEBUG policy_server::evaluation::evaluation_environment: create wasmtime::Module policy_id=Policy("clusterwide-user-group") 2024-07-29T14:57:07.318884Z DEBUG wasmtime::runtime::code_memory: ignoring section .wasmtime.engine 2024-07-29T14:57:07.318887Z DEBUG wasmtime::runtime::code_memory: ignoring section .symtab 2024-07-29T14:57:07.318888Z DEBUG wasmtime::runtime::code_memory: ignoring section .strtab 2024-07-29T14:57:07.318889Z DEBUG wasmtime::runtime::code_memory: ignoring section .shstrtab 2024-07-29T14:57:07.319065Z DEBUG policy_server::evaluation::evaluation_environment: create PolicyEvaluatorPre policy_id=Policy("clusterwide-user-group") 2024-07-29T14:57:07.319284Z DEBUG wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:57:07.319295Z DEBUG wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:57:07.319323Z DEBUG validate_settings{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:57:07.319326Z DEBUG validate_settings{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root 
set LIFO scope: 0 2024-07-29T14:57:07.319330Z DEBUG validate_settings{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:57:07.319331Z DEBUG validate_settings{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:57:07.319364Z INFO policy_server: policy timeout protection is enabled execution_limit_seconds=2 2024-07-29T14:57:07.319453Z INFO policy_server: CallbackHandler task status="init" 2024-07-29T14:57:13.094421Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}: tower_http::trace::on_request: started processing request 2024-07-29T14:57:13.094795Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group"}: policy_server::api::handlers: 
admission_review={"request":{"uid":"58cc1e64-a8ef-43b2-8757-d8155dabd3c0","kind":{"group":"apps","version":"v1","kind":"Deployment"},"resource":{"group":"apps","version":"v1","resource":"deployments"},"requestKind":{"group":"apps","version":"v1","kind":"Deployment"},"requestResource":{"group":"apps","version":"v1","resource":"deployments"},"name":"nginx-deployment","namespace":"default","operation":"CREATE","userInfo":{"groups":["system:masters","system:authenticated"],"username":"system:admin"},"object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"io.kubewarden.policy.echo.create":"true","kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"metadata\":{\"annotations\":{\"io.kubewarden.policy.echo.create\":\"true\"},\"labels\":{\"app\":\"nginx\"},\"name\":\"nginx-deployment\",\"namespace\":\"default\"},\"spec\":{\"replicas\":1,\"selector\":{\"matchLabels\":{\"app\":\"template-nginx\"}},\"template\":{\"metadata\":{\"labels\":{\"app\":\"template-nginx\"}},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"name\":\"nginx\",\"ports\":[{\"containerPort\":80}],\"securityContext\":{\"privileged\":true}}]}}}}\n"},"creationTimestamp":"2024-07-24T19:23:35Z","generation":1,"labels":{"app":"nginx"},"managedFields":[{"apiVersion":"apps/v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:io.kubewarden.policy.echo.create":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}},"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:progressDeadlineSeconds":{},"f:replicas":{},"f:revisionHistoryLimit":{},"f:selector":{},"f:strategy":{"f:rollingUpdate":{".":{},"f:maxSurge":{},"f:maxUnavailable":{}},"f:type":{}},"f:template":{"f:metadata":{"f:labels":{".":{},"f:app":{}}},"f:spec":{"f:containers":{"k:{\"name\":\"nginx\"}":{".":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:ports":{".":{},"k:{\"containerPort\":80,\"protocol\":\"TCP\"}":{".":{},"f:containerPort":{},"f:protocol
":{}}},"f:resources":{},"f:securityContext":{".":{},"f:privileged":{}},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}},"manager":"kubectl-client-side-apply","operation":"Update","time":"2024-07-24T19:23:35Z"}],"name":"nginx-deployment","namespace":"default","uid":"b64ba9f4-7b86-4d8f-baed-1a24c7d3bb60"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"template-nginx"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"template-nginx"}},"spec":{"containers":[{"image":"nginx:1.14.2","imagePullPolicy":"IfNotPresent","name":"nginx","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}},"status":{}},"dryRun":false,"options":{"apiVersion":"meta.k8s.io/v1","fieldManager":"kubectl-client-side-apply","fieldValidation":"Strict","kind":"CreateOptions"}}} 2024-07-29T14:57:13.094952Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}: policy_server::evaluation::evaluation_environment: validate individual policy policy_id=Policy("clusterwide-user-group") 2024-07-29T14:57:13.095249Z DEBUG request{method=POST uri=/validate/clusterwide-user-group 
version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:57:13.095271Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:57:13.095500Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:57:13.095514Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" 
subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:57:13.095964Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0 2024-07-29T14:57:13.095982Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: policy_evaluator::runtimes::wapc::callback: invoking host_callback wapc_id=2 2024-07-29T14:57:13.096007Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": 
Bool(true)}}: policy_evaluator::runtimes::callback: Sending request via callback channel eval_ctx.policy_id="clusterwide-user-group" binding="kubewarden" operation="v1/oci_manifest_config" image="nginx:1.14.2" 2024-07-29T14:57:13.098164Z DEBUG policy_fetcher::registry: Couldn't fetch credentials. Using anonymous instead error=NoCredentialConfigured registry=docker.io 2024-07-29T14:57:13.098226Z DEBUG oci_distribution::client: Pulling image manifest from https://index.docker.io/v2/library/nginx/manifests/1.14.2 2024-07-29T14:57:13.098245Z DEBUG oci_distribution::token_cache: Fetching token key.registry=index.docker.io key.repository=library/nginx key.operation=Pull miss=true 2024-07-29T14:57:13.098250Z DEBUG oci_distribution::client: Authorizing for image: Reference { registry: "docker.io", repository: "library/nginx", tag: Some("1.14.2"), digest: None } 2024-07-29T14:57:13.098256Z DEBUG oci_distribution::client: url="https://index.docker.io/v2/" 2024-07-29T14:57:13.098283Z DEBUG reqwest::connect: starting new connection: https://index.docker.io/ 2024-07-29T14:57:13.961169Z DEBUG oci_distribution::client: Making authentication call realm="https://auth.docker.io/token" service=Some("registry.docker.io") scope="repository:library/nginx:pull" 2024-07-29T14:57:13.961304Z DEBUG reqwest::connect: starting new connection: https://auth.docker.io/ 2024-07-29T14:57:14.784328Z DEBUG oci_distribution::client: Received response from auth request: 
{"token":"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.eyJhY2Nlc3MiOlt7ImFjdGlvbnMiOlsicHVsbCJdLCJuYW1lIjoibGlicmFyeS9uZ2lueCIsInBhcmFtZXRlcnMiOnsicHVsbF9saW1pdCI6IjEwMCIsInB1bGxfbGltaXRfaW50ZXJ2YWwiOiIyMTYwMCJ9LCJ0eXBlIjoicmVwb3NpdG9yeSJ9XSwiYXVkIjoicmVnaXN0cnkuZG9ja2VyLmlvIiwiZXhwIjoxNzIyMjY1MzcxLCJpYXQiOjE3MjIyNjUwNzEsImlzcyI6ImF1dGguZG9ja2VyLmlvIiwianRpIjoiZGNrcl9qdGlfdmt6c3NMVkhjODc3eEd2d1NlTkdwRXNKQ184PSIsIm5iZiI6MTcyMjI2NDc3MSwic3ViIjoiIn0.ZgXOIoMCtyXEeWjx3a-DyX94UcIIeUiuJeBWEUgzHo2w3mEQ8CVg38WIkkP4c_vz_6SOBjBTvolrjyatYzx5xTzMbxbWizyCcKCOY2sfYDnoOxz6R_gZ3Ue9kfTBNGVBTOAdY7VRgwOal7duaK2fLp6yYPzfLxDttMP_MrsMD2T-LI6GY1O57iYUhW5nG46XFrye2wDIMyAFiwXdBl1OJHHtgPS0HfATQ7LE30HokegPdEGLkjnagpepEaoBnnPuhkweP-EtIZU6HvMKEZIBrK2q2u4rYtAmYKRTdjjkWHQLM3AFum7zBkpO-iP5sL6eM_8BfLITVR1o5pWFr0ehDw","access_token":"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.eyJhY2Nlc3MiOlt7ImFjdGlvbnMiOlsicHVsbCJdLCJuYW1lIjoibGlicmFyeS9uZ2lueCIsInBhcmFtZXRlcnMiOnsicHVsbF9saW1pdCI6IjEwMCIsInB1bGxfbGltaXRfaW50ZXJ2YWwiOiIyMTYwMCJ9LCJ0eXBlIjoicmVwb3NpdG9yeSJ9XSwiYXVkIjoicmVnaXN0cnkuZG9ja2VyLmlvIiwiZXhwIjoxNzIyMjY1MzcxLCJpYXQiOjE3MjIyNjUwNzEsImlzcyI6ImF1dGguZG9ja2VyLmlvIiwianRpIjoiZGNrcl9qdGlfdmt6c3NMVkhjODc3eEd2d1NlTkdwRXNKQ184PSIsIm5iZiI6MTcyMjI2NDc3MSwic3ViIjoiIn0.ZgXOIoMCtyXEeWjx3a-DyX94UcIIeUiuJeBWEUgzHo2w3mEQ8CVg38WIkkP4c_vz_6SOBjBTvolrjyatYzx5xTzMbxbWizyCcKCOY2sfYDnoOxz6R_gZ3Ue9kfTBNGVBTOAdY7VRgwOal7duaK2fLp6yYPzfLxDttMP_MrsMD2T-LI6GY1O57iYUhW5nG46XFrye2wDIMyAFiwXdBl1OJHHtgPS0HfATQ7LE30HokegPdEGLkjnagpepEaoBnnPuhkweP-EtIZU6HvMKEZIBrK2q2u4rYtAmYKRTdjjkWHQLM3AFum7zBkpO-iP5sL6eM_8BfLITVR1o5pWFr0ehDw","expires_in":300,"issued_at":"2024-07-29T14:57:51.068061633Z"} 2024-07-29T14:57:14.784395Z DEBUG oci_distribution::client: Successfully authorized for image 'Reference { registry: "docker.io", repository: "library/nginx", tag: Some("1.14.2"), digest: None }' 2024-07-29T14:57:14.784488Z DEBUG oci_distribution::token_cache: Inserting token registry=index.docker.io 
repository=library/nginx op=Pull expiration=1722265371 2024-07-29T14:57:14.784503Z DEBUG oci_distribution::client: Using bearer token authentication. 2024-07-29T14:57:14.988961Z DEBUG oci_distribution::client: validating manifest: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", "manifests": [ { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:706446e9c6667c0880d5da3f39c09a6c7d2114f5a5d6b74a2fafd24ae30d2078", "platform": { "architecture": "amd64", "os": "linux" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:17a1998407746106c307c58c5089569bc1d0728567657b8c19ccffd0497c91ba", "platform": { "architecture": "arm", "os": "linux", "variant": "v7" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:d58b3e481b8588c080b42e5d7427f2c2061decbf9194f06e2adce641822e282a", "platform": { "architecture": "arm64", "os": "linux", "variant": "v8" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:de4556bb2971a581b6ce23bcbfd3dbef6ee1640839d2c88b3e846a4e101f363c", "platform": { "architecture": "386", "os": "linux" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:750c35f5051eebd0d1a2faa08a29d3eabd330c8cf0350b57353d205a99c47176", "platform": { "architecture": "ppc64le", "os": "linux" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:e76ff864168bca4ef1a53cfaf5fb4981cdb2810385b4b4edc19fd94a5d04eb38", "platform": { "architecture": "s390x", "os": "linux" } } ] } 2024-07-29T14:57:14.989038Z DEBUG oci_distribution::client: Parsing response as Manifest: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", "manifests": [ { "mediaType": 
"application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:706446e9c6667c0880d5da3f39c09a6c7d2114f5a5d6b74a2fafd24ae30d2078", "platform": { "architecture": "amd64", "os": "linux" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:17a1998407746106c307c58c5089569bc1d0728567657b8c19ccffd0497c91ba", "platform": { "architecture": "arm", "os": "linux", "variant": "v7" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:d58b3e481b8588c080b42e5d7427f2c2061decbf9194f06e2adce641822e282a", "platform": { "architecture": "arm64", "os": "linux", "variant": "v8" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:de4556bb2971a581b6ce23bcbfd3dbef6ee1640839d2c88b3e846a4e101f363c", "platform": { "architecture": "386", "os": "linux" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:750c35f5051eebd0d1a2faa08a29d3eabd330c8cf0350b57353d205a99c47176", "platform": { "architecture": "ppc64le", "os": "linux" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 948, "digest": "sha256:e76ff864168bca4ef1a53cfaf5fb4981cdb2810385b4b4edc19fd94a5d04eb38", "platform": { "architecture": "s390x", "os": "linux" } } ] } 2024-07-29T14:57:14.989103Z DEBUG oci_distribution::client: Inspecting Image Index Manifest 2024-07-29T14:57:14.989124Z DEBUG oci_distribution::client: Selected manifest entry with digest: sha256:706446e9c6667c0880d5da3f39c09a6c7d2114f5a5d6b74a2fafd24ae30d2078 2024-07-29T14:57:14.989135Z DEBUG oci_distribution::client: Pulling image manifest from https://index.docker.io/v2/library/nginx/manifests/sha256:706446e9c6667c0880d5da3f39c09a6c7d2114f5a5d6b74a2fafd24ae30d2078 2024-07-29T14:57:14.989193Z DEBUG oci_distribution::token_cache: Fetching token key.registry=index.docker.io key.repository=library/nginx 
key.operation=Pull expiration=1722265371 miss=false expired=false 2024-07-29T14:57:14.989211Z DEBUG oci_distribution::client: Using bearer token authentication. 2024-07-29T14:57:15.177367Z DEBUG oci_distribution::client: validating manifest: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 6003, "digest": "sha256:295c7be079025306c4f1d65997fcf7adb411c88f139ad1d34b537164aa060369" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 22496048, "digest": "sha256:27833a3ba0a545deda33bb01eaf95a14d05d43bf30bce9267d92d17f069fe897" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 22204973, "digest": "sha256:0f23e58bd0b7c74311703e20c21c690a6847e62240ed456f8821f4c067d3659b" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 203, "digest": "sha256:8ca774778e858d3f97d9ec1bec1de879ac5e10096856dc22ed325a3ad944f78a" } ] } 2024-07-29T14:57:15.177404Z DEBUG oci_distribution::client: Parsing response as Manifest: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 6003, "digest": "sha256:295c7be079025306c4f1d65997fcf7adb411c88f139ad1d34b537164aa060369" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 22496048, "digest": "sha256:27833a3ba0a545deda33bb01eaf95a14d05d43bf30bce9267d92d17f069fe897" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 22204973, "digest": "sha256:0f23e58bd0b7c74311703e20c21c690a6847e62240ed456f8821f4c067d3659b" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 203, "digest": "sha256:8ca774778e858d3f97d9ec1bec1de879ac5e10096856dc22ed325a3ad944f78a" } ] } 2024-07-29T14:57:15.177433Z DEBUG oci_distribution::client: Pulling config 
layer 2024-07-29T14:57:15.177476Z DEBUG oci_distribution::token_cache: Fetching token key.registry=index.docker.io key.repository=library/nginx key.operation=Pull expiration=1722265371 miss=false expired=false 2024-07-29T14:57:15.177488Z DEBUG oci_distribution::client: Using bearer token authentication. 2024-07-29T14:57:15.335888Z DEBUG reqwest::async_impl::client: redirecting 'https://index.docker.io/v2/library/nginx/blobs/sha256:295c7be079025306c4f1d65997fcf7adb411c88f139ad1d34b537164aa060369' to 'https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/29/295c7be079025306c4f1d65997fcf7adb411c88f139ad1d34b537164aa060369/data?verify=1722268071-Y3X2fu1BLS9D37Tf2LmGMxycIGU%3D' 2024-07-29T14:57:15.335989Z DEBUG reqwest::connect: starting new connection: https://production.cloudflare.docker.com/ 2024-07-29T14:57:15.762915Z DEBUG policy_evaluator::callback_handler: Image manifest computed value="nginx:1.14.2" cached=false 2024-07-29T14:57:15.763257Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0 2024-07-29T14:57:15.763321Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" 
resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0
2024-07-29T14:57:15.763366Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0
2024-07-29T14:57:15.763472Z ERROR request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime_provider: Failure invoking guest module handler: error while executing at wasm backtrace:
    0: 0x174348 - user_group_psp.wasm!__rust_alloc
    1: 0x159fe9 - user_group_psp.wasm!wapc_guest::protocol::host_call::hd7c0336615a6a914
    2: 0xec82c - user_group_psp.wasm!kubewarden_policy_sdk::host_capabilities::oci::get_manifest_and_config::h803fae37c19f4dec
    3: 0x4ded9 - user_group_psp.wasm!user_group_psp::enforce_container_security_policies::h4214b9038ed52ddd
    4: 0x246fa - user_group_psp.wasm!user_group_psp::validate::h1b0f7d0e060e55cd
    5: 0xbb0db - user_group_psp.wasm!__guest_call
    6: 0x1755cc - user_group_psp.wasm!__guest_call.command_export
Caused by: wasm trap: interrupt
2024-07-29T14:57:15.763641Z ERROR request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: policy_evaluator::runtimes::wapc::runtime: waPC communication error error="Guest call failure: guest code interrupted, execution deadline exceeded"
2024-07-29T14:57:15.764035Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Entering GC root set LIFO scope: 0
2024-07-29T14:57:15.764071Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: wasmtime::runtime::gc::enabled::rooting: Exiting GC root set LIFO scope: 0
2024-07-29T14:57:15.764261Z INFO request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}:validate{self=PolicyEvaluator { runtime: "wapc" } settings={"validate_container_image_configuration": Bool(true)}}: policy_evaluator::runtimes::wapc::runtime: wapc_host reset performed after timeout protection was triggered
2024-07-29T14:57:15.764902Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{host="localhost.localdomain" policy_id="clusterwide-user-group" kind="Deployment" kind_group="apps" kind_version="v1" name="nginx-deployment" namespace="default" operation="CREATE" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0" resource="deployments" resource_group="apps" resource_version="v1" subresource=""}: policy_server::api::handlers: policy evaluated response=AdmissionResponse { uid: "58cc1e64-a8ef-43b2-8757-d8155dabd3c0", allowed: false, patch_type: None, patch: None, status: Some(AdmissionResponseStatus { message: Some("internal server error: Guest call failure: guest code interrupted, execution deadline exceeded"), code: Some(500) }), audit_annotations: None, warnings: None }
2024-07-29T14:57:15.765027Z INFO request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}: tower_http::trace::on_response: finished processing request latency=2670 ms status=200
```

If I increase the --policy-timeout to 4, the issue does not happen anymore in my local environment. It looks like the network requests are consuming a lot of time.
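The log above shows why a deadline hit is easy to misread in the admission result alone: the evaluation still ends with `allowed: false`, but the status message is `internal server error: Guest call failure: guest code interrupted, execution deadline exceeded` with code 500, and the only hint at the cause is the `latency=2670 ms` on the final `tower_http` line. The following Python script is an added example, not code from Kubewarden or from this policy: it scans policy-server log lines, identifies evaluations interrupted by the deadline, groups them per policy (taken from the `uri=/validate/<policy>` request span), and reports the slowest observed latency next to a suggested `--policy-timeout`. The sample log is constructed to mirror the lines quoted above with the span fields trimmed to what the script reads; the assumed current timeout of 2 seconds and the "slowest latency rounded up plus one second of headroom" heuristic are this example's assumptions, not Kubewarden recommendations.

```python
"""Summarise Kubewarden policy-server evaluations interrupted by --policy-timeout.

Added example, not code from the kubewarden project. SAMPLE_LOG is constructed
to mirror the tracing output quoted in the issue (span fields trimmed); the
suggested-timeout heuristic and the assumed 2-second current deadline are
assumptions, not Kubewarden recommendations.
"""
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: two requests against clusterwide-user-group hit the deadline
# (the first one is logged in full, the second only by its waPC error and latency
# lines); one request against other-policy completes normally.
SAMPLE_LOG = """\
2024-07-29T14:57:15.763472Z ERROR request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{policy_id="clusterwide-user-group" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0"}: wasmtime_provider: Failure invoking guest module handler: error while executing at wasm backtrace:
    2: 0xec82c - user_group_psp.wasm!kubewarden_policy_sdk::host_capabilities::oci::get_manifest_and_config::h803fae37c19f4dec
Caused by: wasm trap: interrupt
2024-07-29T14:57:15.763641Z ERROR request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{policy_id="clusterwide-user-group" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0"}: policy_evaluator::runtimes::wapc::runtime: waPC communication error error="Guest call failure: guest code interrupted, execution deadline exceeded"
2024-07-29T14:57:15.764261Z INFO request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{policy_id="clusterwide-user-group" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0"}: policy_evaluator::runtimes::wapc::runtime: wapc_host reset performed after timeout protection was triggered
2024-07-29T14:57:15.764902Z DEBUG request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{policy_id="clusterwide-user-group" request_uid="58cc1e64-a8ef-43b2-8757-d8155dabd3c0"}: policy_server::api::handlers: policy evaluated response=AdmissionResponse { uid: "58cc1e64-a8ef-43b2-8757-d8155dabd3c0", allowed: false, patch_type: None, patch: None, status: Some(AdmissionResponseStatus { message: Some("internal server error: Guest call failure: guest code interrupted, execution deadline exceeded"), code: Some(500) }), audit_annotations: None, warnings: None }
2024-07-29T14:57:15.765027Z INFO request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}: tower_http::trace::on_response: finished processing request latency=2670 ms status=200
2024-07-29T14:58:01.100000Z ERROR request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}:validation{policy_id="clusterwide-user-group" request_uid="0f3c1c1e-1111-4222-8333-444455556666"}: policy_evaluator::runtimes::wapc::runtime: waPC communication error error="Guest call failure: guest code interrupted, execution deadline exceeded"
2024-07-29T14:58:01.101000Z INFO request{method=POST uri=/validate/clusterwide-user-group version=HTTP/1.1}: tower_http::trace::on_response: finished processing request latency=2310 ms status=200
2024-07-29T14:58:05.000000Z DEBUG request{method=POST uri=/validate/other-policy version=HTTP/1.1}:validation{policy_id="other-policy" request_uid="9a9a9a9a-2222-4333-8444-555566667777"}: policy_server::api::handlers: policy evaluated response=AdmissionResponse { uid: "9a9a9a9a-2222-4333-8444-555566667777", allowed: true, patch_type: None, patch: None, status: None, audit_annotations: None, warnings: None }
2024-07-29T14:58:05.000500Z INFO request{method=POST uri=/validate/other-policy version=HTTP/1.1}: tower_http::trace::on_response: finished processing request latency=12 ms status=200
"""

# Every request-scoped line starts with a timestamp, a level and the request span;
# the policy name is read from uri=/validate/<policy> (any ?timeout=... query is dropped).
LINE_RE = re.compile(
    r"^(?P<ts>\S+Z)\s+(?P<level>TRACE|DEBUG|INFO|WARN|ERROR)\s+"
    r"request\{[^}]*uri=/validate/(?P<policy>[^?\s}]+)[^}]*\}(?P<rest>.*)$"
)
UID_RE = re.compile(r'request_uid="(?P<uid>[^"]+)"')
LATENCY_RE = re.compile(r"latency=(?P<ms>\d+) ms")
RESPONSE_RE = re.compile(r'AdmissionResponse \{ uid: "[^"]+", allowed: (?P<allowed>true|false)')
CODE_RE = re.compile(r"code: Some\((?P<code>\d+)\)")
DEADLINE_MARKER = "execution deadline exceeded"


@dataclass
class PolicyStats:
    deadline_exceeded: int = 0  # distinct requests interrupted by the deadline
    rejected_5xx: int = 0       # AdmissionResponses with allowed: false and a 5xx status
    latencies_ms: list = field(default_factory=list)
    seen_uids: set = field(default_factory=set)


def parse_line(line):
    """Return (timestamp, level, policy, rest) or None for continuation lines
    such as backtrace frames and "Caused by:", which carry no request span."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("ts"), m.group("level"), m.group("policy"), m.group("rest")


def analyse(log_text):
    """Aggregate deadline hits, 5xx rejections and latencies per policy."""
    stats = defaultdict(PolicyStats)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _ts, _level, policy, rest = parsed
        st = stats[policy]
        if DEADLINE_MARKER in rest:
            uid = UID_RE.search(rest)
            # The deadline is logged several times per request (waPC error, response);
            # count each interrupted request once, keyed on request_uid.
            if uid and uid.group("uid") not in st.seen_uids:
                st.seen_uids.add(uid.group("uid"))
                st.deadline_exceeded += 1
        resp = RESPONSE_RE.search(rest)
        code = CODE_RE.search(rest)
        if resp and resp.group("allowed") == "false" and code and int(code.group("code")) >= 500:
            st.rejected_5xx += 1
        lat = LATENCY_RE.search(rest)
        if lat:
            st.latencies_ms.append(int(lat.group("ms")))
    return dict(stats)


def suggested_timeout_seconds(st, current_timeout_s=2):
    """Assumed heuristic, not a Kubewarden recommendation: if the policy hit the
    deadline, round the slowest observed latency up to whole seconds and add one
    second of headroom; otherwise keep the current value."""
    if st.deadline_exceeded == 0 or not st.latencies_ms:
        return current_timeout_s
    return max(current_timeout_s, math.ceil(max(st.latencies_ms) / 1000) + 1)


def report(stats, current_timeout_s=2):
    """One summary line per policy, sorted by policy name."""
    lines = []
    for policy, st in sorted(stats.items()):
        slowest = max(st.latencies_ms) if st.latencies_ms else 0
        lines.append(
            f"{policy}: deadline_exceeded={st.deadline_exceeded} rejected_5xx={st.rejected_5xx} "
            f"slowest={slowest} ms suggested --policy-timeout={suggested_timeout_seconds(st, current_timeout_s)}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyse(SAMPLE_LOG))))
```

Run it against a real policy-server log by reading the file into `analyse()` and passing the `--policy-timeout` value the server actually runs with to `report()`. The 5xx count is worth watching separately from the deadline count: those requests were rejected, so a too-tight timeout on a policy that calls out to a registry does not fail open, but it does turn a slow registry into a denial of otherwise valid workloads.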

jvanz commented 1 month ago

As this is not an issue in the policy itself, and we documented this behavior in the policy README file, I consider this issue fixed. I'm closing it now.