KATA-4206

Cosigned pod seems not to work in OSC 1.10.2


    • Type: Bug
    • Resolution: Unresolved
    • Priority: High
    • OSC 1.10.3
    • Blanc #4

      Description

      I am trying the cosigned pod (pod image signature verification).

      I tried various policies, like

      {
        "default": [{"type": "reject"}],
        "transports": {}
      }

      which should forbid any pod, but I can still manage to run any pod, whether it's unsigned or not.

      Steps to reproduce

      1. Install trustee (https, insecure_admin=false, insecure_key=false)
      2. Set up security policy as above
      3. Install CoCo and try to run any unsigned pod

      Expected result

      Pod should not run

      Actual result

      Pod actually runs and it's able to do attestation

      Impact

      Signed policy feature seems to not enforce a thing

      Env

      OSC 1.10.2, default kata components, everything default. Trustee 0.4.1
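Added illustration, not code from the report, OSC or containers/image: a simplified Python model of how a policy.json like the one above is resolved, so the expected decision for a given image can be checked before concluding that the guest skipped enforcement. The scope walk and requirement types are assumptions modelled on the policy.json format, the policies are constructed, and signature_verified stands in for the real cosign check.

```python
import json

# Constructed policy with the same content as the one in the report:
# reject everything by default, no per-transport overrides.
REJECT_ALL_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {}
}
""")

# Constructed contrast policy: only one namespace is allowed, and only when signed.
SIGNED_SCOPE_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {"docker": {
        "quay.io/acme": [{"type": "sigstoreSigned", "keyPath": "/etc/cosign.pub"}]}},
}

def _docker_scopes(ref):
    """Candidate scopes for a docker reference, most specific first:
    full reference, repository, each parent namespace, registry, then ""."""
    repo = ref.split("@", 1)[0]                 # drop digest
    head, sep, tail = repo.rpartition("/")
    if ":" in tail:                             # drop tag (not a registry port)
        repo = head + sep + tail.split(":", 1)[0]
    scopes = [ref] if ref != repo else []
    parts = repo.split("/")
    scopes += ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return scopes + [""]

def requirements_for(policy, transport, ref):
    """Layering assumed from the format: transport scope (most specific wins),
    then the transport's "" scope, then the top-level "default"."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in (_docker_scopes(ref) if transport == "docker" else [ref, ""]):
        if scope in scopes:
            return scopes[scope]
    return policy.get("default", [])

def is_allowed(policy, transport, ref, signature_verified):
    """Every requirement must pass; an empty list or an unknown type fails closed."""
    reqs = requirements_for(policy, transport, ref)
    if not reqs:
        return False
    for req in reqs:
        kind = req.get("type")
        if kind == "insecureAcceptAnything":
            continue
        if kind in ("signedBy", "sigstoreSigned") and signature_verified:
            continue
        return False                            # "reject", unsigned, or unknown
    return True
```

With the report's policy, is_allowed returns False for every image, signed or not, so a pod that starts under it indicates the policy was never applied in the guest.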

              wmoschet Wainer Moschetta
              eesposit@redhat.com Emanuele Giuseppe Esposito