Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Blocker
Fix Version/s: quay-v3.10.4
Affects Version/s: quay-v3.9.5, quay-v3.8.14, quay-v3.10.1
Component/s: container-security-operator
Labels:
- triaged

Blocked:
False
Blocked Reason:
None
Ready:
False
Product:
Quay Enterprise

RICE Score:
0

SFDC Cases Links:
SFDC Cases Counter:

Description

Description of problem:

CSO failed to create imagemanifestvulns on Openshift 4.15

Version-Release number of selected component (if applicable):

quay-container-security-operator-container-v3.10.1-1

How reproducible:

Always

Steps to Reproduce:

Install CSO on openshift 4.15
Create a pod using image from quay.io
Check imagemanifestvulns

Actual Results:

There is not imagemanifestvulns existing.

Expected Results:

imagemanifestvulns should be created

Additional Info

CSO pod logs:

level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=openshift-apiserver-operator/openshift-apiserver-operator-6f8649d894-jkwkv
level=error msg="Error parsing imageID" imageID=89e93c3e7aadd4b9c87515685803757fc6fbf4e6ce6b15c430c29188a3bd0381
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=openshift-apiserver/apiserver-7c867b9488-dtzsb
level=error msg="Error parsing imageID" imageID=984d984ec2ff9f9b2d0c2b168969b423e402ae0ba1176bfa9deec82ae4d5194f
level=error msg="Error parsing imageID" imageID=f0021366e6df7f86fcea927aabad93730a0b9828e98c5bcb573f2a4f6e3becec

Test pod info:

$ oc describe pod
Name:             nodejs-sample-5567c5674-lgdvw
Namespace:        test-cso
...
Status:           Running
IP:               10.131.0.28
IPs:
  IP:           10.131.0.28
Controlled By:  ReplicaSet/nodejs-sample-5567c5674
Containers:
  nodejs-sample:
    Container ID:   cri-o://9976548cfc30ffbcc4a365491a9c2ca926ced6a3a035a47de36d7983a0bc8f9e
    Image:          quay.io/quay-qetest/nodejs-sample@sha256:14237f12c482dcca294e766fc57163d0c0adac43ae690d1328fdc578f4792b95
    Image ID:       5f9f56fc8d9e7e297bbc5191b47530afd2fdfc00666f2c3be97e5bd0652df4f5
    Port:           8080/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Tue, 12 Dec 2023 11:58:10 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-r2k7m (ro)

The root cause is "Image ID" field of pod on openshift 4.15 is changed. CSO cannot parse this format.

The "Image ID" of a pod on openshift 4.14 is:

Image ID:       quay.io/quay-qetest/nodejs-sample@sha256:14237f12c482dcca294e766fc57163d0c0adac43ae690d1328fdc578f4792b95

Attachments

Issue Links

blocks

OCPBUGS-27455 Count mismatch in Image vunerabilities reported in the Openshift Console

Verified

links to

openshift/cucushift#9709: fix OCP-26029

quay/container-security-operator#122: fetching digest from image field when using cri-o (PROJQUAY-6512)

quay/container-security-operator#123: [redhat-3.10] fetching digest from image field when using cri-o (PROJQUAY-6512)

RHBA-2024:127302 Red Hat Quay v3.10.4 minor release

mentioned on

Merge request - Updated US source to: ea48b1f [redhat-3.10] fetching digest from image field when using cri-o (PROJQUAY-6512) (#123)

(1 mentioned on)

Activity

People

Assignee:: Brandon Caton

Reporter:: Dongbo Yan

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2023/12/12 6:41 AM

Updated:: 2024/03/07 2:48 AM

Resolved:: 2024/02/27 9:11 PM