Type: Bug
Resolution: Unresolved
Priority: Major
Component: Quay Enterprise
When a pull secret contains a port number, CSO doesn't create vulnerability objects for created pods.
I used the following deployment config in my tests:
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: test-cso-issue
spec:
  replicas: 5
  selector:
    app: test-cso-issue
  template:
    metadata:
      labels:
        app: test-cso-issue
    spec:
      containers:
        - name: test-container
          image: quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
          command: ["/bin/bash", "-c", "sleep 86400"]
      imagePullSecrets:
        - name: test-pull-secret
  strategy:
    type: Rolling
The secret was created with the following command:
# oc create secret docker-registry test-pull-secret --docker-server=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me --docker-username=ibazulic --docker-password=PASSWORD
The result was as expected: I was able to see the vulnerability objects being created:

# oc get vuln
NAME                                                                      AGE
sha256.8e961ab8bfeb056bda3504eb1c57e100ddc1e4b21f5e59899966af187a066449   6s    # this is the deployment container
sha256.ce04b8984f6d6764342fa0183c9bc66d77433257496f6335b589650a36b4c504   3s    # actual image container

# oc get vuln sha256.ce04b8984f6d6764342fa0183c9bc66d77433257496f6335b589650a36b4c504 -o yaml
apiVersion: secscan.quay.redhat.com/v1alpha1
kind: ImageManifestVuln
metadata:
  creationTimestamp: "2022-12-21T18:05:23Z"
  generation: 1
  labels:
    test-project/test-cso-issue-1-9n26c: "true"
    test-project/test-cso-issue-1-f8hdj: "true"
    test-project/test-cso-issue-1-kw2nl: "true"
    test-project/test-cso-issue-1-mb7bx: "true"
    test-project/test-cso-issue-1-zbvfj: "true"
  name: sha256.ce04b8984f6d6764342fa0183c9bc66d77433257496f6335b589650a36b4c504
  namespace: test-project
  resourceVersion: "222240"
  uid: a6a9ee5b-b047-40ad-8bab-edba3f585dd9
spec:
  features:
    - name: urllib3
      version: 1.24.2
      vulnerabilities:
        ...
I then created a new pull secret:
# oc create secret docker-registry test-pull-secret-2 --docker-server=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me:443 --docker-username=ibazulic --docker-password=PASSWORD
secret/test-pull-secret-2 created
and referenced the new pull secret in the new deployment config:
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: test-cso-issue
spec:
  replicas: 5
  selector:
    app: test-cso-issue
  template:
    metadata:
      labels:
        app: test-cso-issue
    spec:
      containers:
        - name: test-container
          image: quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me:443/ibazulic/test-image:latest
          command: ["/bin/bash", "-c", "sleep 86400"]
      imagePullSecrets:
        - name: test-pull-secret-2
  strategy:
    type: Rolling
Pods were successfully deployed but now I don't have vulnerability objects created:
# oc get pods
NAME                      READY   STATUS      RESTARTS   AGE
test-cso-issue-1-d5fmk    1/1     Running     0          2m29s
test-cso-issue-1-deploy   0/1     Completed   0          2m32s
test-cso-issue-1-lcq5l    1/1     Running     0          2m29s
test-cso-issue-1-lzggj    1/1     Running     0          2m29s
test-cso-issue-1-tb54x    1/1     Running     0          2m29s
test-cso-issue-1-xhg6h    1/1     Running     0          2m29s

# oc get vuln
NAME                                                                      AGE
sha256.8e961ab8bfeb056bda3504eb1c57e100ddc1e4b21f5e59899966af187a066449   2m32s

I also see failures in the CSO pod:

level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-lcq5l
level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-d5fmk
level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-lzggj
level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-tb54x
level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-xhg6h
level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
I'm not sure why CSO is not interpreting the pull secret correctly; the port number should not influence how CSO behaves. The full CSO log is attached to the case.
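As an added example (not code from this report or from CSO itself), the following Python models the lookup the log above suggests: the scan target is logged without its :443, so the image host appears to be canonicalized before the pull secret is consulted, and a raw-string comparison against a docker-server key that still carries the port finds nothing. The .dockerconfigjson contents, and the assumption that CSO's lookup behaves this way, are constructed for illustration; the normalizing lookup shows the check a scanner needs so that host and host:443 resolve to the same credential.

```python
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed .dockerconfigjson shaped like the output of `oc create secret docker-registry`,
# with the explicit :443 in docker-server as in the second pull secret (placeholder values).
CONSTRUCTED_DOCKERCONFIG = json.dumps({"auths": {
    "quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me:443": {
        "username": "ibazulic", "password": "PLACEHOLDER_PASSWORD", "auth": "PLACEHOLDER_BASE64"}}})


def registry_host(image_ref: str) -> str:
    """Registry component of an image reference, following the Docker rule: the first
    path segment is a registry only if it contains '.' or ':' or is 'localhost'."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def normalize_registry(host: str) -> str:
    """Canonical registry key: strip scheme and path, drop the default :443 port and fold
    Docker Hub aliases, so that 'host' and 'host:443' compare equal."""
    parsed = urlparse(host if "://" in host else "https://" + host)
    hostname = parsed.hostname or ""
    if hostname in ("index.docker.io", "registry-1.docker.io"):
        hostname = "docker.io"
    if parsed.port and parsed.port != 443:
        return f"{hostname}:{parsed.port}"
    return hostname


def find_auth(dockerconfigjson: str, image_ref: str, normalize_keys: bool = True) -> Optional[dict]:
    """Find the auths entry for image_ref. The image host is always canonicalized (the CSO
    log shows the scan target without its :443). With normalize_keys=False the secret keys
    are matched as raw strings, which misses 'host:443' and reproduces the 401 symptom."""
    auths = json.loads(dockerconfigjson).get("auths", {})
    wanted = normalize_registry(registry_host(image_ref))
    for key, entry in auths.items():
        candidate = normalize_registry(key) if normalize_keys else key
        if candidate == wanted:
            return entry
    return None


if __name__ == "__main__":
    img = "quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me:443/ibazulic/test-image:latest"
    print("raw key lookup:       ", find_auth(CONSTRUCTED_DOCKERCONFIG, img, normalize_keys=False))
    print("normalized key lookup:", find_auth(CONSTRUCTED_DOCKERCONFIG, img))
```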
Is related to: PROJQUAY-4728 CSO doesn't create vulnerability objects for some images pulled from Quay (Closed)