Details
-
Bug
-
Resolution: Unresolved
-
Critical
-
None
-
quay-v3.11.0, quay-v3.9.6, quay-v3.8.15, quay-v3.10.4
-
False
-
None
-
False
-
Quay Enterprise
-
0
Description
Description of problem:
CSO failed to create imagemanifestvulns when pod deployed from image tag
Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.16.0-0.nightly-2024-03-06-073110
How reproducible:
Always
Steps to Reproduce:
- Install CSO on openshift 4.16
- Create a pod using image from quay.io
apiVersion: v1 kind: Pod metadata: name: high labels: cso-example: 'true' spec: containers: - name: httpd image: quay.io/operator-framework/httpd:latest
- Check imagemanifestvulns
Actual Results:
There is not imagemanifestvulns existing.
Expected Results:
imagemanifestvulns should be created
Additional Info
CSO pod logs:
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=test/high level=error msg="Error parsing imageID" err="both image fields in container and containerStatus do not contain digest: quay.io/operator-framework/httpd"
Test pod info:
$ oc describe pod high
Name: high
Namespace: test
Containers:
httpd:
Container ID: cri-o://88aaa13bcad0f31314521dc0870eddb97c3c46c8cb674e7f8bb19cf268ca7e42
Image: quay.io/operator-framework/httpd
Image ID: d3017f59d5e25daba517ac35eaf4b862dce70d2af5f27bf40bef5f936c8b2e1f
Port: <none>
Host Port: <none>
State: Running
Started: Thu, 07 Mar 2024 09:40:47 +0800
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-9t9pz (ro)
When pod deployed from image digest, CSO can create IMV successfully
$ oc get imagemanifestvulns.secscan.quay.redhat.com NAME AGE sha256.ca908f415a15fdba408f82537d295350772afa985112ee62db6709fea994a682 99s
pod.yaml:
spec: containers: - name: httpd image: quay.io/operator-framework/httpd@sha256:ca908f415a15fdba408f82537d295350772afa985112ee62db6709fea994a682
