A pod with an unsigned image can't be deleted
dzanto opened this issue · 0 comments
dzanto commented
Describe the bug
When updating a deployment from one image to another, Connaisseur validates the new image and then validates the old image. And if the old image doesn't have a signature in the repo, the old ReplicaSet gets stuck with the old running pod.
Expected behavior
A pod without a signature must be removed without validation.
Versions:
- Kubernetes Cluster: RKE v1.24.8
- Container registry: Nexus 3.58.1
- Connaisseur: 3.0.0
- ArgoCD: v2.6.7
Additional:
```
kubectl get replicaset -n test -owide | grep my-app
NAME                DESIRED   CURRENT   READY   AGE     CONTAINERS   IMAGES
my-app-8646d49c66   1         1         1       8m55s   my-app       my-docker.nexus.int.my-dev.ru/my-app:3.0.5@sha256:...3e45
my-app-ffb5fbf98    1         1         1       60m     my-app       my-docker.nexus.int.my-dev.ru/my-app:3.0.6@sha256:...0703
```
Logs:
The logs show a version update from 3.0.5 to 3.0.6:
```
"COSIGN output of trust root 'my-docker' for image'my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703': RETURNCODE: 0; STDOUT: {\"critical\":{\"identity\":{\"docker-reference\":\"my-docker.nexus.int.my-dev.ru/myapp\"},\"image\":{\"docker-manifest-digest\":\"sha256:...703\"},\"type\":\"cosign container image signature\"},\"optional\":null}\n; STDERR: \nVerification for my-docker.nexus.int.my-dev.ru/myapp@sha256:...703 --\nThe following checks were performed on each of these signatures:\n - The cosign claims were validated\n - Existence of the claims in the transparency log was verified offline\n - The signatures were verified against the specified public key\n"
"successful verification of image \"my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703\"", "admission_review": {"user": "u-gwg2v2oh7l", "operation": "UPDATE", "kind": "Deployment", "name": "myapp", "namespace": "test"}, "image": "my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703"
"automatic child approval for \"my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703\".", "admission_review": {"user": "system:serviceaccount:kube-system:deployment-controller", "operation": "CREATE", "kind": "ReplicaSet", "name": "myapp-65bcdfd7bd", "namespace": "test"}, "image": "my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703"
"automatic child approval for \"my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703\".", "admission_review": {"user": "system:serviceaccount:kube-system:deployment-controller", "operation": "UPDATE", "kind": "ReplicaSet", "name": "myapp-86997f749c", "namespace": "test"}, "image": "my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703"
"automatic child approval for \"my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703\".", "admission_review": {"user": "system:serviceaccount:kube-system:deployment-controller", "operation": "UPDATE", "kind": "ReplicaSet", "name": "myapp-65bcdfd7bd", "namespace": "test"}, "image": "my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703"
"automatic child approval for \"my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703\".", "admission_review": {"user": "system:serviceaccount:kube-system:replicaset-controller", "operation": "CREATE", "kind": "Pod", "name": "myapp-65bcdfd7bd-", "namespace": "test"}, "image": "my-docker.nexus.int.my-dev.ru/myapp:3.0.6@sha256:...703"
"COSIGN output of trust root 'my-docker' for image'my-docker.nexus.int.my-dev.ru/myapp:3.0.5@sha256:...e45': RETURNCODE: 12; STDOUT: ; STDERR: Error: no matching signatures:\n\nmain.go:69: error during command execution: no matching signatures:\n"
"{'message': 'No trust data for image \"my-docker.nexus.int.my-dev.ru/myapp:3.0.5@sha256:...e45\".', 'context': {'trust_data_type': 'dev.cosignproject.cosign/signature', 'stderr': 'Error: no matching signatures:\\n\\nmain.go:69: error during command execution: no matching signatures:\\n', 'image': 'my-docker.nexus.int.my-dev.ru/myapp:3.0.5@sha256:...e45', 'trust_root': 'my-docker', 'detection_mode': False}}"
```
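The rollout described in this issue produces three admission requests: a CREATE of the new ReplicaSet, an UPDATE of the Deployment that swaps the image, and an UPDATE of the old ReplicaSet that only scales it to zero. The failure comes from treating the last one like the first two and re-verifying an image that is on its way out. The following is an added example, not Connaisseur's own code: it models a pre-check in which an UPDATE only triggers signature verification for images that were not already present in the previously admitted object, so a scale-down of an unsigned old ReplicaSet is admitted while a rollback to an unsigned image is still refused. The AdmissionReview shape is simplified, the image names (`registry.example/...`) are constructed, and a set of already-verified images stands in for running `cosign verify`.

```python
"""Admission-review pre-check: verify only images an UPDATE newly introduces.

Example code for this issue, not Connaisseur's implementation.  The set
SIGNED_IMAGES stands in for successful `cosign verify` results.
"""
from __future__ import annotations

# Constructed placeholders, not the registry or digests from the issue report.
OLD_IMAGE = "registry.example/my-app:3.0.5"   # never signed
NEW_IMAGE = "registry.example/my-app:3.0.6"   # signed
SIGNED_IMAGES = {NEW_IMAGE}


def pod_template_images(obj: dict) -> set[str]:
    """Collect every container image referenced by a Pod or by a workload's pod template."""
    if obj.get("kind") == "Pod":
        spec = obj.get("spec", {})
    else:
        spec = obj.get("spec", {}).get("template", {}).get("spec", {})
    images: set[str] = set()
    for field in ("initContainers", "containers", "ephemeralContainers"):
        images.update(c["image"] for c in spec.get(field, []) if "image" in c)
    return images


def images_requiring_validation(review: dict) -> set[str]:
    """Images that must be verified for this request.

    Rule used in this example: CREATE verifies everything, DELETE verifies nothing,
    and UPDATE verifies only images absent from the previously admitted oldObject.
    A scale-down therefore introduces no image and needs no verification.
    """
    req = review["request"]
    op = req["operation"]
    if op == "DELETE":
        return set()
    new_images = pod_template_images(req.get("object") or {})
    if op == "UPDATE":
        return new_images - pod_template_images(req.get("oldObject") or {})
    return new_images


def admission_response(review: dict, signed_images: set[str], skip_unchanged: bool = True) -> dict:
    """Build an AdmissionReview response.

    skip_unchanged=False verifies every image in the object on each CREATE/UPDATE
    (the behaviour the issue reports); skip_unchanged=True applies the rule above.
    """
    req = review["request"]
    if skip_unchanged:
        to_check = images_requiring_validation(review)
    elif req["operation"] == "DELETE":
        to_check = set()
    else:
        to_check = pod_template_images(req.get("object") or {})
    unsigned = sorted(img for img in to_check if img not in signed_images)
    response: dict = {"uid": req["uid"], "allowed": not unsigned}
    if unsigned:
        response["status"] = {"message": "No trust data for image(s): " + ", ".join(unsigned)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review(operation: str, kind: str, image: str | None = None, old_image: str | None = None,
                replicas: int = 1, old_replicas: int | None = None) -> dict:
    """Constructed AdmissionReview request for a workload kind that carries a pod template."""
    def workload(img: str, n: int) -> dict:
        return {"kind": kind, "spec": {"replicas": n,
                "template": {"spec": {"containers": [{"name": "app", "image": img}]}}}}
    request = {
        "uid": "constructed-uid", "kind": {"kind": kind}, "operation": operation,
        "object": workload(image, replicas) if image else None,
        "oldObject": workload(old_image, replicas if old_replicas is None else old_replicas) if old_image else None,
    }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": request}


# Requests constructed to mirror the sequence in the issue's log, plus a rollback case.
CREATE_NEW_RS = make_review("CREATE", "ReplicaSet", image=NEW_IMAGE)
ROLL_IMAGE = make_review("UPDATE", "Deployment", image=NEW_IMAGE, old_image=OLD_IMAGE)
SCALE_DOWN_OLD_RS = make_review("UPDATE", "ReplicaSet", image=OLD_IMAGE, old_image=OLD_IMAGE,
                                replicas=0, old_replicas=1)
ROLLBACK_TO_UNSIGNED = make_review("UPDATE", "Deployment", image=OLD_IMAGE, old_image=NEW_IMAGE)

if __name__ == "__main__":
    cases = [("create new RS", CREATE_NEW_RS), ("roll image", ROLL_IMAGE),
             ("scale down old RS", SCALE_DOWN_OLD_RS), ("rollback to unsigned", ROLLBACK_TO_UNSIGNED)]
    for name, rv in cases:
        naive = admission_response(rv, SIGNED_IMAGES, skip_unchanged=False)["response"]["allowed"]
        fixed = admission_response(rv, SIGNED_IMAGES)["response"]["allowed"]
        print(f"{name:22s} verify-all: {naive!s:5s}  verify-new-only: {fixed}")
```

The "scale down old RS" case is the one that stalls the rollout in the report: verifying every image on every UPDATE denies it because 3.0.5 has no signature, while verifying only newly introduced images admits it, since no new image reaches a node. The rule still refuses the rollback case, because 3.0.5 is absent from the previously admitted object there. Note that the rule relies on oldObject having been admitted under the same policy; a Deployment that predates enabling the webhook would keep its unsigned image through scale changes until the image is actually replaced.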