Details
-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
None
-
False
-
None
-
False
-
Quay Enterprise
-
0
Description
When a pull secret contains a port number, CSO doesn't create vulnerability objects for created pods.
I used the following deployment config in my tests:
apiVersion: apps.openshift.io/v1 kind: DeploymentConfig metadata: name: test-cso-issue spec: replicas: 5 selector: app: test-cso-issue template: metadata: labels: app: test-cso-issue spec: containers: - name: test-container image: quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest command: ["/bin/bash", "-c", "sleep 86400"] imagePullSecrets: - name: test-pull-secret strategy: type: Rolling
The secret was created with the following command:
# oc create secret docker-registry test-pull-secret --docker-server=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me --docker-username=ibazulic --docker-password=PASSWORD
The result was expected, I was able to see the vulnerabilities object being created:
# oc get vuln NAME AGE sha256.8e961ab8bfeb056bda3504eb1c57e100ddc1e4b21f5e59899966af187a066449 6s # this is the deployment container sha256.ce04b8984f6d6764342fa0183c9bc66d77433257496f6335b589650a36b4c504 3s # actual image container # oc get vuln sha256.ce04b8984f6d6764342fa0183c9bc66d77433257496f6335b589650a36b4c504 -o yaml apiVersion: secscan.quay.redhat.com/v1alpha1 kind: ImageManifestVuln metadata: creationTimestamp: "2022-12-21T18:05:23Z" generation: 1 labels: test-project/test-cso-issue-1-9n26c: "true" test-project/test-cso-issue-1-f8hdj: "true" test-project/test-cso-issue-1-kw2nl: "true" test-project/test-cso-issue-1-mb7bx: "true" test-project/test-cso-issue-1-zbvfj: "true" name: sha256.ce04b8984f6d6764342fa0183c9bc66d77433257496f6335b589650a36b4c504 namespace: test-project resourceVersion: "222240" uid: a6a9ee5b-b047-40ad-8bab-edba3f585dd9 spec: features: - name: urllib3 version: 1.24.2 vulnerabilities: ...
I then created a new pull secret:
# oc create secret docker-registry test-pull-secret-2 --docker-server=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me:443 --docker-username=ibazulic --docker-password=PASSWORD secret/test-pull-secret-2 created
and referenced the new pull secret in the new deployment config:
apiVersion: apps.openshift.io/v1 kind: DeploymentConfig metadata: name: test-cso-issue spec: replicas: 5 selector: app: test-cso-issue template: metadata: labels: app: test-cso-issue spec: containers: - name: test-container image: quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me:443/ibazulic/test-image:latest command: ["/bin/bash", "-c", "sleep 86400"] imagePullSecrets: - name: test-pull-secret-2 strategy: type: Rolling
Pods were successfully deployed but now I don't have vulnerability objects created:
# oc get pods NAME READY STATUS RESTARTS AGE test-cso-issue-1-d5fmk 1/1 Running 0 2m29s test-cso-issue-1-deploy 0/1 Completed 0 2m32s test-cso-issue-1-lcq5l 1/1 Running 0 2m29s test-cso-issue-1-lzggj 1/1 Running 0 2m29s test-cso-issue-1-tb54x 1/1 Running 0 2m29s test-cso-issue-1-xhg6h 1/1 Running 0 2m29s # oc get vuln NAME AGE sha256.8e961ab8bfeb056bda3504eb1c57e100ddc1e4b21f5e59899966af187a066449 2m32s
I also see failures in the CSO pod as well:
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-lcq5l level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized" level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-d5fmk level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized" level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-lzggj level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized" level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-tb54x level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized" level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-xhg6h level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
I'm not sure why CSO is not interpreting the pull secret correctly, the port number should not influence how CSO behaves. Full CSO log is attached to the case.
Attachments
Issue Links
- is related to
-
-
- Closed
-
