OpenShift Bugs: OCPBUGS-54164

Enabling TechPreviewNoUpgrade Causes Image Pull Failures Due to Cryptographic Signature Verification

    • Quality / Stability / Reliability
    • OCP Node Sprint 269 (Blue)

      Description of problem:

      After enabling TechPreviewNoUpgrade in featuregate/cluster, a clusterimagepolicy object named openshift is automatically created. This policy enforces signature verification for images under quay.io/openshift-release-dev/ocp-release. Some images under quay.io/openshift-release-dev/ocp-release fail verification, leading to pod failures when OpenShift components attempt to pull them.

      Warning  Failed   kubelet  Failed to pull image "quay.io/openshift-release-dev/ocp-release@sha256:d703e6615b85a6f94fb3f3e490f2eb4514412bc018ecfe967f57f4221116a718":
      Source image rejected: cryptographic signature verification failed: crypto/rsa: verification error

      This issue may affect multiple images, potentially breaking cluster functionality if OpenShift-managed pods cannot roll out or retrieve required images.

      Version-Release number of selected component (if applicable):

      4.18    

      How reproducible:

          100%

      Steps to Reproduce:

      1. Enable TechPreviewNoUpgrade in the featuregate/cluster:
      
      spec:
        featureSet: TechPreviewNoUpgrade
      
      2. Verify that a clusterimagepolicy object named openshift is automatically created:
      
      $ oc get clusterimagepolicy openshift -o yaml
      
      spec:
        policy:
          rootOfTrust:
            policyType: PublicKey
            publicKey:
              keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0K...
        scopes:
        - quay.io/openshift-release-dev/ocp-release
      
      3. Create a deployment using a release image:
      
      $ oc create deployment version --image=quay.io/openshift-release-dev/ocp-release@sha256:d703e6615b85a6f94fb3f3e490f2eb4514412bc018ecfe967f57f4221116a718
      
      
      4. Observe that the pod fails to pull the image with cryptographic verification errors:
      
      Warning  Failed   pod/version-xxx  Failed to pull image: Source image rejected: cryptographic signature verification failed: crypto/rsa: verification error
      Warning  Failed   pod/version-xxx  Error: ErrImagePull
      Warning  Failed   pod/version-xxx  Error: ImagePullBackOff
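      As an added example (not part of this bug report and not OpenShift's own code), a small Python pre-flight check for the situation above: given the scopes and keyData of the auto-created openshift ClusterImagePolicy and the list of images running in the cluster, it reports which pod images the policy would subject to signature verification, and checks that keyData actually decodes to a PEM public key. The scope-matching rule (exact repository, or a registry/namespace prefix on a path-component boundary), the placeholder key and the pod image list are assumptions and constructed samples.

```python
import base64
import re

# Constructed sample of the auto-created "openshift" ClusterImagePolicy from the bug report,
# with a placeholder PEM (not a real key) so this runs offline.
SAMPLE_POLICY = {
    "scopes": ["quay.io/openshift-release-dev/ocp-release"],
    "rootOfTrust": {"policyType": "PublicKey", "publicKey": {"keyData": base64.b64encode(
        b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n").decode()}},
}

# Constructed list of pod images, like `oc get pods -A -o jsonpath='{..image}'` would print.
SAMPLE_POD_IMAGES = [
    "quay.io/openshift-release-dev/ocp-release@sha256:d703e6615b85a6f94fb3f3e490f2eb4514412bc018ecfe967f57f4221116a718",
    "quay.io/openshift-release-dev/ocp-release:4.18.0-x86_64",
    "quay.io/openshift-release-dev/ocp-release-nightly:constructed-tag",
    "registry.redhat.io/ubi9/ubi:latest",
]


def repo_of(image_ref):
    """Strip the @digest or :tag from an image reference, leaving registry/namespace/repo."""
    ref = image_ref.split("@", 1)[0]
    head, _, last = ref.rpartition("/")   # a ':' after the last '/' is a tag;
    last = last.split(":", 1)[0]          # earlier colons belong to a registry port
    return f"{head}/{last}" if head else last


def in_scope(image_ref, scope):
    """Assumed matching rule: exact repository, or the scope is a registry/namespace
    prefix ending on a path-component boundary (so ocp-release-nightly is NOT under
    the scope quay.io/openshift-release-dev/ocp-release)."""
    repo = repo_of(image_ref)
    return repo == scope or repo.startswith(scope.rstrip("/") + "/")


def key_data_is_pem_public_key(key_data_b64):
    """Sanity-check keyData: it must be valid base64 wrapping a PEM PUBLIC KEY block."""
    try:
        pem = base64.b64decode(key_data_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return re.search(r"-----BEGIN PUBLIC KEY-----.*-----END PUBLIC KEY-----", pem, re.S) is not None


def affected_images(policy, pod_images):
    """Pod images the policy's scopes would subject to signature verification."""
    return sorted({i for i in pod_images if any(in_scope(i, s) for s in policy["scopes"])})
```

      Running affected_images against the real pod list before enabling the feature set shows which workloads would stop pulling if verification fails.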
      

      Actual results:

      Image pull requests fail due to cryptographic verification errors.

      Pods fail to roll out, which can break the cluster if the OCP nodes do not have the images in their local cache and need to pull them from the source registry.


      Expected results:

      OpenShift should not automatically enforce image signing policies on OpenShift release images if it results in cluster failure.

      Images under quay.io/openshift-release-dev/ocp-release should either pass verification or allow fallback mechanisms to prevent disruption.

      Additional info:

      Potential Impact:

      - Clusters enabling TechPreviewNoUpgrade may become non-functional if OpenShift pods fail to pull images.
      - Users might have no workaround other than disabling TechPreviewNoUpgrade, which defeats the purpose of testing preview features.

      Suggested Fix:

      - Review the public key enforcement mechanism for OpenShift release images.
      - Ensure that valid OpenShift release images pass verification when TechPreviewNoUpgrade is enabled.
      - Allow fallback mechanisms if verification fails to prevent cluster-wide disruptions.


              qiwan233 Qi Wang
              rhn-support-dpateriy Divyam Pateriya
              Sergio Regidor de la Rosa