kritis-vul-signer image rpc error: code = InvalidArgument
baldeynz opened this issue · 1 comments
Expected Behavior
Using gcr.io/kritis-test1/kritis-vuln-signer:4a36a68bbd160f59f539c23051d0c8559de7baa1 works without error
Actual Behavior
Links to the relevant code, snippets
Running the kritis-vuln-signer image produces errors:
YAML used to deploy pod:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kritis-vuln-signer
  labels:
    app: kritis-vuln-signer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kritis-vuln-signer
  template:
    metadata:
      labels:
        app: kritis-vuln-signer
    spec:
      containers:
      - name: kritis-vuln-signer
        image: gcr.io/kritis-test1/kritis-vuln-signer:4a36a68bbd160f59f539c23051d0c8559de7baa1
        imagePullPolicy: Always
        args: ["--gcr_project=my-sandbox", "--logtostderr"]
        volumeMounts:
        - name: service-account
          mountPath: /secret
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /secret/kritis.json
        - name: SIGNER_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      volumes:
      - name: service-account
        secret:
          secretName: kritis
Errors produced (which continually repeat):
I0129 00:43:25.962917 1 main.go:67] {"name":"projects/my-sandbox/occurrences/b66a896f-92e5-4f3d-9376-7965e3183c76","kind":"DISCOVERY","notificationTime":"2020-01-29T00:40:47.976975Z"}
E0129 00:43:25.963388 1 main.go:56] Error signing: rpc error: code = InvalidArgument desc = occurrence name must be in the form "projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]", got ""
E0129 00:43:25.964673 1 main.go:56] Error signing: rpc error: code = InvalidArgument desc = occurrence name must be in the form "projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]", got ""
E0129 00:43:25.965094 1 main.go:56] Error signing: rpc error: code = InvalidArgument desc = occurrence name must be in the form "projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]", got ""
I0129 00:43:25.966678 1 main.go:67] {"name":"projects/my-sandbox/occurrences/172e517b-e743-446b-b2d7-12f13131b417","kind":"DISCOVERY","notificationTime":"2020-01-29T00:41:02.083948Z"}
Steps to Reproduce the Problem
Environment, commands
- Follow https://cloud.google.com/binary-authorization/docs/vulnerability-scanning up to installing the kritis signer part
- Follow the kritis doc https://cloud.google.com/binary-authorization/docs/vulnerability-scanning & https://github.com/grafeas/kritis/blob/master/docs/signer_install.md but use the kritis-vuln-signer instead of kritis-gcb-signer
Additional info
Add any other context about the problem here (e.g. screenshots, links)
I'm trying to follow these guides https://cloud.google.com/binary-authorization/docs/vulnerability-scanning & https://github.com/grafeas/kritis/blob/master/docs/signer_install.md to create an image security policy that does not allow high security vulnerability images to be deployed to a GKE cluster (v1.14.8-gke.18) with Binary Auth enabled.
I originally posted this to the Kritis users Google group and it was suggested there that I create an issue for this.