Project Quay / PROJQUAY-4847

CSO doesn't parse pull secrets correctly


    • Quay Enterprise

      When a pull secret contains a port number, CSO doesn't create vulnerability objects for created pods.

      I used the following deployment config in my tests:

      apiVersion: apps.openshift.io/v1
      kind: DeploymentConfig
      metadata: 
        name: test-cso-issue
      spec: 
        replicas: 5
        selector: 
          app: test-cso-issue
        template: 
          metadata: 
            labels: 
              app: test-cso-issue
          spec: 
            containers: 
            - name: test-container
              image: quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
              command: ["/bin/bash", "-c", "sleep 86400"]
            imagePullSecrets: 
            - name: test-pull-secret
        strategy: 
          type: Rolling
      

      The secret was created with the following command:

      # oc create secret docker-registry test-pull-secret --docker-server=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me --docker-username=ibazulic --docker-password=PASSWORD
      

      The result was as expected; I was able to see the vulnerability objects being created:

      # oc get vuln
      NAME                                                                      AGE
      sha256.8e961ab8bfeb056bda3504eb1c57e100ddc1e4b21f5e59899966af187a066449   6s      # this is the deployment container
      sha256.ce04b8984f6d6764342fa0183c9bc66d77433257496f6335b589650a36b4c504   3s      # actual image container
      
      # oc get vuln sha256.ce04b8984f6d6764342fa0183c9bc66d77433257496f6335b589650a36b4c504 -o yaml
      apiVersion: secscan.quay.redhat.com/v1alpha1
      kind: ImageManifestVuln
      metadata:
        creationTimestamp: "2022-12-21T18:05:23Z"
        generation: 1
        labels:
          test-project/test-cso-issue-1-9n26c: "true"
          test-project/test-cso-issue-1-f8hdj: "true"
          test-project/test-cso-issue-1-kw2nl: "true"
          test-project/test-cso-issue-1-mb7bx: "true"
          test-project/test-cso-issue-1-zbvfj: "true"
        name: sha256.ce04b8984f6d6764342fa0183c9bc66d77433257496f6335b589650a36b4c504
        namespace: test-project
        resourceVersion: "222240"
        uid: a6a9ee5b-b047-40ad-8bab-edba3f585dd9
      spec:
        features:
        - name: urllib3
          version: 1.24.2
          vulnerabilities:
      ...
      

      I then created a new pull secret:

      # oc create secret docker-registry test-pull-secret-2 --docker-server=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me:443 --docker-username=ibazulic --docker-password=PASSWORD
      secret/test-pull-secret-2 created
      

      and referenced the new pull secret in the new deployment config:

      apiVersion: apps.openshift.io/v1
      kind: DeploymentConfig
      metadata: 
        name: test-cso-issue
      spec: 
        replicas: 5
        selector: 
          app: test-cso-issue
        template: 
          metadata: 
            labels: 
              app: test-cso-issue
          spec: 
            containers: 
            - name: test-container
              image: quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me:443/ibazulic/test-image:latest
              command: ["/bin/bash", "-c", "sleep 86400"]
            imagePullSecrets: 
            - name: test-pull-secret-2
        strategy: 
          type: Rolling
      

      Pods were successfully deployed but now I don't have vulnerability objects created:

      # oc get pods
      NAME                      READY   STATUS      RESTARTS   AGE
      test-cso-issue-1-d5fmk    1/1     Running     0          2m29s
      test-cso-issue-1-deploy   0/1     Completed   0          2m32s
      test-cso-issue-1-lcq5l    1/1     Running     0          2m29s
      test-cso-issue-1-lzggj    1/1     Running     0          2m29s
      test-cso-issue-1-tb54x    1/1     Running     0          2m29s
      test-cso-issue-1-xhg6h    1/1     Running     0          2m29s
      
      # oc get vuln
      NAME                                                                      AGE
      sha256.8e961ab8bfeb056bda3504eb1c57e100ddc1e4b21f5e59899966af187a066449   2m32s
      

      I also see failures in the CSO pod:

      level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-lcq5l
      level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
      level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
      level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-d5fmk
      level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
      level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
      level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-lzggj
      level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
      level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
      level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-tb54x
      level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
      level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
      level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test-project/test-cso-issue-1-xhg6h
      level=info msg=scanning image=quay-quay-quay-enterprise.apps.quay-cso.ibazulic.me/ibazulic/test-image:latest
      level=error msg="error scanning" err="failed to sync layer data: Request returned non-200 response: 401 Unauthorized"
      

      I'm not sure why CSO is not interpreting the pull secret correctly; the port number should not influence how CSO behaves. The full CSO log is attached to the case.
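As an added illustration, not CSO's code and not part of the report above: a small Python check that decodes a `kubernetes.io/dockerconfigjson` pull secret, extracts the registry `host[:port]` from an image reference, and compares the two. `naive_lookup` shows one way a host-only comparison drops the port and ends up with no credentials, which is the situation that produces an anonymous pull and a `401 Unauthorized`; `find_credentials` is a port-aware lookup. The registry host `registry.example.test`, the user name, the `make_secret` helper and the decision to treat `host` and `host:443` as the same endpoint are assumptions of this example, not behaviour documented for CSO.

```python
"""Check whether a pull secret's auth keys match the registry of an image
reference, with and without an explicit port (added example, not CSO code)."""
import base64
import json
from urllib.parse import urlsplit


def registry_of(image_ref: str) -> str:
    """Return the registry host[:port] of an image reference.

    Per the Docker reference grammar, the first path component is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise docker.io is
    implied (e.g. 'ubuntu:22.04', 'library/ubuntu').
    """
    first, sep, _rest = image_ref.partition("/")
    if not sep or ("." not in first and ":" not in first and first != "localhost"):
        return "docker.io"
    return first.lower()


def normalize_registry_key(key: str) -> str:
    """Normalize an 'auths' key to host[:port].

    Keys are written in the wild as 'host', 'host:443', 'https://host:443'
    or 'https://host/v2/'; scheme and path are not part of the endpoint.
    """
    k = key.strip()
    if "://" in k:
        k = urlsplit(k).netloc          # drops scheme and any path
    else:
        k = k.split("/", 1)[0]          # drops a path suffix such as /v2
    return k.lower()


def decode_pull_secret(secret_obj: dict) -> dict:
    """Map each 'auths' key of a dockerconfigjson Secret to its credentials."""
    raw = base64.b64decode(secret_obj["data"][".dockerconfigjson"])
    creds = {}
    for key, entry in json.loads(raw).get("auths", {}).items():
        if "auth" in entry:             # base64("user:password")
            user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, pw = entry.get("username", ""), entry.get("password", "")
        creds[key] = {"username": user, "password": pw}
    return creds


def naive_lookup(creds: dict, image_ref: str):
    """Port-unaware lookup (illustrative bug): keys by bare hostname, so an
    image on 'host:443' never finds a secret stored under 'host:443'."""
    host = registry_of(image_ref).split(":")[0]
    return creds.get(host)


def find_credentials(creds: dict, image_ref: str):
    """Port-aware lookup: exact host[:port] match first, then fold the
    implicit HTTPS port, since 'host' and 'host:443' are one endpoint
    (design choice of this example)."""
    by_norm = {normalize_registry_key(k): v for k, v in creds.items()}
    want = registry_of(image_ref)
    if want in by_norm:
        return by_norm[want]
    host, _, port = want.partition(":")
    if port == "" and f"{host}:443" in by_norm:   # image 'host/..', secret 'host:443'
        return by_norm[f"{host}:443"]
    if port == "443" and host in by_norm:         # image 'host:443/..', secret 'host'
        return by_norm[host]
    return None


def make_secret(server: str, username: str, password: str) -> dict:
    """Constructed sample in the shape `oc create secret docker-registry` emits."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": "test-pull-secret-2"},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }


REGISTRY = "registry.example.test"                 # constructed placeholder host
IMAGE_NO_PORT = f"{REGISTRY}/team/app:latest"
IMAGE_WITH_PORT = f"{REGISTRY}:443/team/app:latest"


def demo() -> dict:
    """Run both lookups against a secret created without and with a port."""
    plain = decode_pull_secret(make_secret(REGISTRY, "user", "PASSWORD"))
    ported = decode_pull_secret(make_secret(f"{REGISTRY}:443", "user", "PASSWORD"))
    return {
        "naive/no-port": naive_lookup(plain, IMAGE_NO_PORT) is not None,
        "naive/port": naive_lookup(ported, IMAGE_WITH_PORT) is not None,     # False
        "aware/no-port": find_credentials(plain, IMAGE_NO_PORT) is not None,
        "aware/port": find_credentials(ported, IMAGE_WITH_PORT) is not None,
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(f"{case:14s} credentials found: {found}")
```

To apply the same check to a live secret, feed `oc get secret <name> -o json` into `decode_pull_secret` and call `find_credentials` with the image reference from the pod spec; a `None` result means the scanner will be pulling layers anonymously.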

              Assignee: Unassigned
              Reporter: rhn-support-ibazulic (Ivan Bazulic)