sigstore / policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign


I configured a "static" authority but nothing helps, is there anything wrong?

yxxchange opened this issue · comments

commented

Question

The relevant YAML configuration that I have set up is shown below.
CIP yaml:

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-policy
spec:
  images:
    - glob: "registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test:**"
  authorities:
    - static:
        action: pass

deployment yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sigstore-test-deployment
  namespace: sigstore-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sigstore-test
  template:
    metadata:
      labels:
        app: sigstore-test
    spec:
      containers:
      - name: sigstore-test-01
        image: registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test:v0.1
        imagePullPolicy: Always
        ports:
        - containerPort: 80

But I can't apply the deployment.yaml; the webhook prevented this action. The error is the following:

Error from server (BadRequest): error when creating "deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: no matching policies: spec.template.spec.containers[0].image
registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test@sha256:a094484855793fcb7ba16ad83816ca0fdfdf97f532a9a076b5b62fe6eda26136

How do I solve this problem?

@ElonMuskkkkkk Try using glob: "registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test**" instead.

commented

@ElonMuskkkkkk Try using glob: "registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test**" instead.

Based on my recent test, it seems that the image field in the CIP YAML can only be specified for a particular image but not for an image version. When I don't use a wildcard match and write the full image name and version together, it still fails. It's only when I remove the image version that I can use it properly.

@ElonMuskkkkkk If you specify the tag, that won't match the final mutated image tag, which is registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test@sha256:a094484855793fcb7ba16ad83816ca0fdfdf97f532a9a076b5b62fe6eda26136. You could use registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test@sha256:a094484855793fcb7ba16ad83816ca0fdfdf97f532a9a076b5b62fe6eda26136 as part of the glob pattern if you really want to match a specific image digest. Or you could use image digests that include the image version.
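The two maintainer replies above say why the original glob never matches: the webhook resolves the pod's tag to a digest before it looks for a matching policy, so a glob ending in ":**" is compared against "...sigstore-test@sha256:...", which has no ":" after the repository name. The program below is an added example written for this page, not policy-controller's own matcher, that reproduces that ordering offline. Its glob semantics ("**" matches anything, "*" matches anything except "/") and the tag-to-digest table are assumptions; the digest is the one from the error message in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed glob semantics (not a copy of policy-controller's own matcher):
// "**" matches any run of characters including "/", "*" matches any run
// of characters except "/", everything else is literal. The whole
// reference must match.
func globToRegexp(glob string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString("^")
	for i := 0; i < len(glob); i++ {
		switch {
		case strings.HasPrefix(glob[i:], "**"):
			sb.WriteString(".*")
			i++ // consume the second '*'
		case glob[i] == '*':
			sb.WriteString("[^/]*")
		default:
			sb.WriteString(regexp.QuoteMeta(glob[i : i+1]))
		}
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// Matches reports whether an image reference matches a CIP glob.
func Matches(glob, ref string) (bool, error) {
	re, err := globToRegexp(glob)
	if err != nil {
		return false, err
	}
	return re.MatchString(ref), nil
}

// Constructed tag-to-digest table standing in for the registry lookup the
// webhook performs; the digest is the one quoted in the issue's error.
var constructedDigests = map[string]string{
	"registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test:v0.1": "sha256:a094484855793fcb7ba16ad83816ca0fdfdf97f532a9a076b5b62fe6eda26136",
}

// ResolveDigest rewrites a tagged reference to repo@digest, the form the
// webhook compares policies against. Digest references pass through.
func ResolveDigest(ref string) (string, error) {
	if strings.Contains(ref, "@sha256:") {
		return ref, nil
	}
	digest, ok := constructedDigests[ref]
	if !ok {
		return "", fmt.Errorf("no digest known for %q", ref)
	}
	repo := ref
	// Strip the tag: the last ':' after the last '/' (a ':' before the last
	// '/' belongs to a registry port, e.g. localhost:5000/app).
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		repo = ref[:i]
	}
	return repo + "@" + digest, nil
}

// PolicyMatches resolves the pod's image to a digest first and only then
// applies the glob, the order the maintainer's replies describe. It returns
// the match result and the reference that was actually compared.
func PolicyMatches(glob, podImage string) (bool, string, error) {
	resolved, err := ResolveDigest(podImage)
	if err != nil {
		return false, "", err
	}
	ok, err := Matches(glob, resolved)
	return ok, resolved, err
}

func main() {
	image := "registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test:v0.1"
	for _, glob := range []string{
		"registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test:**",        // from the issue: never matches
		"registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test**",         // suggested fix: matches, but broadly
		"registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test@sha256:**", // any digest of this repo only
	} {
		ok, resolved, err := PolicyMatches(glob, image)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-68s -> %v (compared against %s)\n", glob, ok, resolved)
	}
	// The widened glob also admits sibling repositories that merely share the prefix.
	ok, _ := Matches("registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test**",
		"registry.cn-hangzhou.aliyuncs.com/fckc/sigstore-test-evil@sha256:0000000000000000000000000000000000000000000000000000000000000000")
	fmt.Println("prefix glob matches sigstore-test-evil:", ok)
}
```

Worth checking before copying the suggested fix: "sigstore-test**" has no separator after the repository name, so it also matches "sigstore-test-evil" or any other repository that starts with the same string, and with a static authority whose action is pass every matching image is admitted without any signature check, so the glob is the entire control. A pattern that ends in "@sha256:**" (or "@**") still matches the digest-resolved reference but stays confined to the one repository.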