Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: do not use image url to get registry auth data. #180

Merged
merged 1 commit into from
Apr 11, 2024
Merged

fix: do not use image url to get registry auth data. #180

merged 1 commit into from
Apr 11, 2024

Conversation

jvanz
Copy link
Member

@jvanz jvanz commented Apr 11, 2024

Description

Updates the function used to verify container image signature to use only the registry name to get the auth data from docker config.json file. The current implementation uses the whole container image URL. Which failed to find the relevant auth data falling back to a anonymous authentication. This is a problem with private registries where access credentials must be used.

To fix this problem, this commit extract the registry name from the container image URL and use it to get the auth data from the config.json file.

Fix kubewarden/policy-server#912

Test

To test this pull request, you can build kwctl using this changes, execute a docker login in the private registry

  1. Generate private/public key pair with cosign
  2. Sign docker image
  3. Submit signed image to private harbor registry. You can use demo.goharbor.io
  4. Create robot account in the harbor instance
  5. Login into the private registry using the robot account: docker login ...
  6. Build kwctl using this change
  7. kwctl run --settings-path settings.yaml --request-path pod_creation_signed.json registry://ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8

settings.yaml

signatures:
  - image: "PUT YOUR SIGNED CONTAINER IMAGE PREFIX HERE e.g: demo.goharbor.io/testing/*"  
    pubKeys:
      - |
        -----BEGIN PUBLIC KEY-----
       << YOUR COSIGN PUBLIC KEY >>>
        -----END PUBLIC KEY-----

pod_creation_signed.json

{
  "uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
  "kind": {
    "group": "",
    "kind": "Pod",
    "version": "v1"
  },
  "resource": {
    "group": "",
    "version": "v1",
    "resource": "pods"
  },
  "object": {
    "metadata": {
      "name": "nginx"
    },
    "spec": {
      "containers": [
        {
          "image": "PUT YOUR SIGNED CONTAINER IMAGE HERE",
          "name": "test-verify-image-signatures"
        }
      ]
    }
  },
  "operation": "CREATE",
  "requestKind": {
    "group": "",
    "version": "v1",
    "kind": "Pod"
  },
  "userInfo": {
    "username": "alice",
    "uid": "alice-uid",
    "groups": [
      "system:authenticated"
    ]
  }
}

@jvanz
fix: do not use image url to get registry auth data.
b1ebe98 
Updates the function used to verify container image signature to use
only the registry name to get the auth data from docker config.json
file. The current implementation uses the whole container image URL.
Which failed to find the relevant auth data falling back to a anonymous
authentication. This is a problem with private registries where access
credentials must be used.

To fix this problem, this commit extract the registry name from the
container image URL and use it to get the auth data from the config.json
file.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
@jvanz jvanz requested a review from a team as a code owner April 11, 2024 02:51
@codecov Codecov
Copy link

codecov bot commented Apr 11, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 2 lines in your changes are missing coverage. Please review.

Project coverage is 41.29%. Comparing base (1075c0e) to head (b1ebe98).

Files Patch % Lines
src/verify/mod.rs 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     kubewarden/policy-fetcher#180      +/-   ##
==========================================
- Coverage   41.35%   41.29%   -0.06%     
==========================================
  Files          12       12              
  Lines         723      724       +1     
==========================================
  Hits          299      299              
- Misses        424      425       +1
Flag Coverage Δ
integration-tests 13.25% <0.00%> (-0.02%) ⬇️
unit-tests 33.83% <0.00%> (-0.05%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@flavio
Copy link
Member

flavio commented Apr 11, 2024

The change looks good to me, step number 7 is wrong though, because you're pulling the policy from the ghcr, not from a private registry.

It would also be great to extend kwctl e2e tests to cover operations done against a private registry. We don't need to start a fancy registry like harbor. This can be done with a vanilla docker-distribution (aka docker registry) configured with some env variable.
You can see how this is done here, inside of the unit tests of oci-distribution.

viccuad
viccuad approved these changes Apr 11, 2024
View reviewed changes
Copy link
Member

@viccuad viccuad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I would also like to have a test for it.

@fabriziosestito
Copy link
Contributor

The change looks good to me, step number 7 is wrong though, because you're pulling the policy from the ghcr, not from a private registry.

It would also be great to extend kwctl e2e tests to cover operations done against a private registry. We don't need to start a fancy registry like harbor. This can be done with a vanilla docker-distribution (aka docker registry) configured with some env variable. You can see how this is done here, inside of the unit tests of oci-distribution.

@flavio @jvanz we already use this in pattern in kwctl e2e tests, see https://github.com/kubewarden/kwctl/blob/1de2f0a7db81e38d4bb5a42cbea059805626b558/tests/e2e.rs#L330

@jvanz
Copy link
Member Author

jvanz commented Apr 11, 2024

The change looks good to me, step number 7 is wrong though, because you're pulling the policy from the ghcr, not from a private registry.

It's not wrong. The policy does not need to be in the private registry. We are verifying the container image from the admission request, pod_creation_signed.json in this example

@jvanz jvanz self-assigned this Apr 11, 2024
@jvanz jvanz added the kind/bug label Apr 11, 2024
@jvanz jvanz added this to the 1.12 milestone Apr 11, 2024
@jvanz jvanz merged commit f17c59c into kubewarden:main Apr 11, 2024
8 of 10 checks passed
@jvanz jvanz mentioned this pull request Apr 12, 2024
Closed
@jvanz jvanz deleted the issue179 branch April 12, 2024 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@viccuad viccuad viccuad approved these changes

@flavio flavio flavio approved these changes

Assignees

@jvanz jvanz

Labels
kind/bug
Projects
None yet
Milestone
1.12
Development

Successfully merging this pull request may close these issues.

Unable to fetch manifests from private harbor registry
4 participants
@jvanz @flavio @fabriziosestito @viccuad