Story
Resolution: Done
Product / Portfolio Work
OCP Node Sprint 274 (green)
Environment: launch 4.20,openshift/api#2384,openshift/cluster-update-keys#74,openshift/machine-config-operator#5143,openshift/origin#29973 gcp, no-spot
FeatureGate BEFORE DevPreviewNoUpgrade
oc get featuregate cluster -o yaml
apiVersion: config.openshift.io/v1
kind: FeatureGate
metadata:
  …
spec: {}
status:
  featureGates:
  - disabled:
    - name: AWSClusterHostedDNS
    .....
    - name: SignatureStores
    - name: SigstoreImageVerification
    - name: SigstoreImageVerificationPKI
    - name: StoragePerformantSecurityPolicy
    enabled:
    - name: AdditionalRoutingCapabilities
    …..
FeatureGate AFTER DevPreviewNoUpgrade
oc get featuregate cluster -o yaml
apiVersion: config.openshift.io/v1
kind: FeatureGate
metadata:
  annotations:
    ....
spec:
  featureSet: DevPreviewNoUpgrade
status:
  featureGates:
  - disabled:
    - name: ClusterAPIInstall
    ......
    - name: SigstoreImageVerification
    enabled:
    - name: AWSClusterHostedDNS
    .....
    - name: SignatureStores
    - name: SigstoreImageVerificationPKI
    - name: StoragePerformantSecurityPolicy
    - name: TranslateStreamCloseWebsocketRequests
FeatureGate SigstoreImageVerification remained disabled.
Tests and Checks:
1. Checking versions:
❯ oc get crd clusterimagepolicies.config.openshift.io -o json | jq -r '.spec.versions[].name'
v1
❯ oc get crd clusterimagepolicies.config.openshift.io -o json | jq -r '.status.storedVersions[]'
v1
❯ oc get crd imagepolicies.config.openshift.io -o json | jq -r '.spec.versions[].name'
v1
❯ oc get crd imagepolicies.config.openshift.io -o json | jq -r '.status.storedVersions[]'
v1
2. ClusterImagePolicy CRD was created (the "openshift" CR was not)
3. ImagePolicy CRD was created
4. Creating a ClusterImagePolicy CR was possible:
oc get clusterimagepolicy myclusterpolicy -o yaml
apiVersion: config.openshift.io/v1
kind: ClusterImagePolicy
metadata:
  annotations:
    ….
  generation: 1
  name: myclusterpolicy
spec:
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: LS0tLS1CRUdJGN1L1VvT…….IEtFWS0tLS0t
    signedIdentity:
      matchPolicy: MatchRepository
  scopes:
  - quay.io/rh-ee-anahas/testsignedimage
4a. However, policy.json was not updated:
cat policy.json
{
  "default": [
    { "type": "insecureAcceptAnything" }
  ],
  "transports": {
    "docker-daemon": {
      "": [ { "type": "insecureAcceptAnything" } ]
    }
  }
}
4b. sigstore-registries.yaml was not created.
5. Create a new pod that pulls from the scoped repository:
oc debug node/
oc apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
  name: pod-test2
  labels:
    app: pod-test
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: hello-pod
    image: quay.io/rh-ee-anahas/testsignedimage:latest
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
    ports:
    - containerPort: 80
EOF
- "IsRunningImageAllowed for image docker:quay.io/rh-ee-anahas/testsignedimage:latest" file="signature/policy_eval.go:274"
- "Using default policy section" file="signature/policy_eval.go:162"
- Pulled image: quay.io/rh-ee-anahas/testsignedimage@sha256:b72960b93a140be0c394b023259124d45
6. Create a new ImagePolicy CR:
oc apply -f - << EOF
apiVersion: config.openshift.io/v1
kind: ImagePolicy
metadata:
  name: myimagepolicy1
  namespace: test2
spec:
  scopes:
  - quay.io/rh-ee-anahas/imagedigest@sha256:531eaae43197a403f9ae14b900480ba8d7a4b4893153072beee79e8572fa1af0
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: LS0tLS1CRUdJTiBQVUJMSUMgS0VZ...0t
    signedIdentity:
      matchPolicy: MatchRepoDigestOrExact
EOF
imagepolicy.config.openshift.io/myimagepolicy1 created
7. sigstore-registries.yaml and namespacePolicy.json were not created:
sh-5.1# cd /etc/containers/registries.d/
sh-5.1# ls
default.yaml registry.access.redhat.com.yaml registry.redhat.io.yaml
sh-5.1# cd /etc/crio/policies/
sh-5.1# ls
sh-5.1#
8. Create a new pod to pull the scoped image (from the ImagePolicy CR created in step 6):
❯ oc project
Using project "test2" on server "https://api.ci-ln-f4lhi22-72292.gcp-2.ci.openshift.org:6443".
❯ oc get imagepolicy
NAME             AGE
myimagepolicy1   6m54s
❯ oc apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
  name: pod1
  labels:
    app: pod-test
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: hello-pod
    image: quay.io/rh-ee-anahas/imagedigest@sha256:531eaae43197a403f9ae14b900480ba8d7a4b4893153072beee79e8572fa1af0
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
    ports:
    - containerPort: 80
EOF
pod/pod1 created
9. Checking logs:
- "IsRunningImageAllowed for image docker:quay.io/rh-ee-anahas/imagedigest@sha256:531eaae4319...f0" file="signature/policy_eval>
- " Using default policy section" file="signature/policy_eval.go:162"
- "Pulled image: quay.io/rh-ee-anahas/imagedigest@sha256:531eaae...a1af0" file="server/image_pull.go:122"
Since the policy files were never rendered, no image policy was ever evaluated and the "default policy section" (insecureAcceptAnything) was the one used. Both pods were created successfully, i.e. the CRs were accepted by the API but had no effect on the nodes while the SigstoreImageVerification gate stayed disabled.
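To make that conclusion checkable, the following added example (not from the report, CRI-O or the MCO) resolves which policy.json section applies to an image reference the way containers/image's policy evaluation picks one, run against the policy.json observed on the node and against a constructed rendering of the ClusterImagePolicy scope; the sigstoreSigned entry and its key path are assumptions, not files from the cluster.

```python
import json

# policy.json as observed on the node in this test (copied from the report):
# only a global default, so every pull is accepted without any signature check.
OBSERVED_POLICY = json.loads("""
{ "default": [ { "type": "insecureAcceptAnything" } ],
  "transports": { "docker-daemon": { "": [ { "type": "insecureAcceptAnything" } ] } } }
""")

# Constructed (assumed) rendering of the ClusterImagePolicy scope once the gate is
# on: a docker-transport scope carrying a sigstoreSigned requirement. The key path
# is a placeholder; nothing here is taken from the report or the MCO templates.
EXPECTED_POLICY = json.loads("""
{ "default": [ { "type": "insecureAcceptAnything" } ],
  "transports": { "docker": {
    "quay.io/rh-ee-anahas/testsignedimage": [
      { "type": "sigstoreSigned", "keyPath": "/etc/containers/PLACEHOLDER.pub",
        "signedIdentity": { "type": "matchRepository" } } ] } } }
""")

def scope_candidates(image_ref):
    """Scope keys for a docker-transport reference, most specific first, mirroring
    containers/image: full identity (with tag/digest), then the repository, then
    each parent namespace, then the registry host."""
    name = image_ref.split("@", 1)[0]          # drop @sha256:... for the repo name
    head, sep, last = name.rpartition("/")
    last = last.split(":", 1)[0]               # drop :tag (a registry port sits in head)
    parts = (head + sep + last).split("/")
    return [image_ref] + ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def select_requirements(policy, image_ref, transport="docker"):
    """Return (section label, requirements) the way policy_eval picks a section:
    first matching transport scope, then the transport's "" scope, then default."""
    scopes = policy.get("transports", {}).get(transport, {})
    for key in scope_candidates(image_ref):
        if key in scopes:
            return f"{transport}:{key}", scopes[key]
    if "" in scopes:
        return f"{transport}:(transport default)", scopes[""]
    return "default policy section", policy.get("default", [])

def enforces_signature(requirements):
    """Requirements are ANDed, so one signature requirement is enough to make the
    pull depend on a valid signature; insecureAcceptAnything alone accepts all."""
    return any(r.get("type") in ("sigstoreSigned", "signedBy") for r in requirements)

if __name__ == "__main__":
    ref = "quay.io/rh-ee-anahas/testsignedimage:latest"
    for label, pol in (("observed", OBSERVED_POLICY), ("expected", EXPECTED_POLICY)):
        section, reqs = select_requirements(pol, ref)
        print(f"{label}: {section}, signature enforced: {enforces_signature(reqs)}")
```

Against the observed file the scoped image lands on the default section, which is exactly the "Using default policy section" line in the CRI-O logs above; against the constructed file it would hit the repository scope and require a signature.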
Clones: OCPNODE-3424 pre-merge testing: Move ClusterImagePolicy, ImagePolicy to v1 - TechPreviewNoUpgrade (Closed)