Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign
Harbor failing on deployment because of image tag not converted to digest #1520
I have policy controller installed in the cluster and am trying to deploy the Harbor pod while the CIP mode is set to warn; please see the error below:
/usr/local/bin/helm install --create-namespace -n ncms harbor1 /opt/bcmt/storage/charts/harbor-2.10.4-ncs24.11.0-1.tgz --set hregistry.credentials.username=harbor_registry_user --set hregistry.credentials.password=ZzBudG5zZXZDYXgtdnA= --set redis.internal.password=Z3EyX2ppeHNjenlSdnA= --set database.internal.password=Z3BNdG1kbS00Z2F0ZHA= --set externalURL=https://harbor-harbor-core.ncms.svc/ --set global.timeZoneEnv=UTC -f /opt/bcmt/config/bcmt-harbor/overwrite-values-install.yml -f /opt/bcmt/config/bcmt-harbor/overwrite-values.yml
W0628 07:10:56.255001 396738 warnings.go:70] annotation "kubernetes.io/ingress.class" is deprecated, please use 'spec.ingressClassName' instead
Error: INSTALLATION FAILED: 8 errors occurred:
admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-registryctl:2.10.2-v2.8.3-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.containers[0].image
admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-registryctl:2.10.2-v2.8.3-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.containers[0].image
admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-core:2.10.2-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.initContainers[1].image
invalid value: bcmt-registry:5000/citm/citm-nginx-server:1.24.0-1.4.3-1.0.1-rocky8 must be an image digest: spec.template.spec.containers[0].image, spec.template.spec.initContainers[0].image
admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-core:2.10.2-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.containers[0].image, spec.template.spec.initContainers[0].image
admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-registryctl:2.10.2-v2.8.3-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.initContainers[0].image
invalid value: bcmt-registry:5000/cbur/cbur-agent:1.2.0-alpine-580 must be an image digest: spec.template.spec.containers[0].image
admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-registryctl:2.10.2-v2.8.3-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.initContainers[0].image
invalid value: bcmt-registry:5000/crdb/crdb-redisio:6.1-2.4742-rocky8 must be an image digest: spec.template.spec.containers[0].image
admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/cbur/cbur-agent:1.2.0-alpine-580 must be an image digest: spec.template.spec.containers[0].image
admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/cbur/cbur-agent:1.2.0-alpine-580 must be an image digest: spec.template.spec.containers[0].image
However, running the cosign verify command against the failing images above works perfectly, and I see the image is signed.