Add signature verification for image volumes #9060
@xw19: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Codecov Report. Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #9060 +/- ##
=======================================
Coverage   47.30%   47.30%
=======================================
Files         162      162
Lines       23956    23962   +6
=======================================
+ Hits      11332    11335   +3
- Misses    11513    11515   +2
- Partials   1111     1112   +1
@saschagrunert can you provide some feedback?
b58f930 to 7d05281
/kind feature
@cri-o/cri-o-maintainers In the implementation we need to have userSpecifiedImage mandatorily for the image to be verified, else it will cause an error. Will this be an issue? Another optimization we could do: maybe keep a list of verified images so that we don't need to check every time. This implementation is only for Linux; do we also need to do it for BSD?
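The two design points raised in the comment above (the user-specified image has to be present for verification to run, and a cache of already-verified images avoids repeating the check on every mount) can be shown in a small stand-alone program. This is an added illustration, not CRI-O's code: the `ImageVolume` type, the per-registry policy map, the ed25519 "signature" over a content digest and the `VerifyForMount` / `IsCached` names are all hypothetical, and `digestOf` merely stands in for resolving a pulled reference to its digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// ImageVolume carries the two references the thread says both have to be
// present, plus a detached signature. Field names are hypothetical.
type ImageVolume struct {
	Image              string // reference of the pulled image content
	UserSpecifiedImage string // reference written in the pod spec; drives the policy lookup
	Signature          []byte // signature over the content digest (constructed for the demo)
}

var (
	ErrNoUserSpecifiedImage = errors.New("image volume: user_specified_image is required for verification")
	ErrNoPolicy             = errors.New("image volume: no signing policy for registry")
	ErrBadSignature         = errors.New("image volume: signature verification failed")
)

// Verifier holds one trusted key per registry host and a cache of digests
// that already passed, so repeated mounts of the same image are not re-checked.
type Verifier struct {
	policy   map[string]ed25519.PublicKey // registry host -> trusted key
	mu       sync.Mutex
	verified map[string]bool // content digest -> already verified
}

func NewVerifier(policy map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{policy: policy, verified: map[string]bool{}}
}

// registryOf returns the host part of a reference ("quay.io/org/img:tag" -> "quay.io").
func registryOf(ref string) string {
	host, _, _ := strings.Cut(ref, "/")
	return host
}

// digestOf stands in for resolving a pulled reference to its content digest.
func digestOf(image string) string {
	sum := sha256.Sum256([]byte(image))
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyForMount is the check that runs right before the volume is mounted.
// It returns the verified digest, or an error that must abort the mount.
func (v *Verifier) VerifyForMount(vol ImageVolume) (string, error) {
	// Without the user-specified reference there is nothing to look the policy up by.
	if vol.UserSpecifiedImage == "" {
		return "", ErrNoUserSpecifiedImage
	}
	key, ok := v.policy[registryOf(vol.UserSpecifiedImage)]
	if !ok {
		return "", ErrNoPolicy // fail closed: no trusted key for this registry
	}
	digest := digestOf(vol.Image)

	v.mu.Lock()
	defer v.mu.Unlock()
	if v.verified[digest] {
		return digest, nil // verified earlier in this process, skip the signature check
	}
	if !ed25519.Verify(key, []byte(digest), vol.Signature) {
		return "", ErrBadSignature
	}
	v.verified[digest] = true
	return digest, nil
}

// IsCached reports whether a digest has already passed verification.
func (v *Verifier) IsCached(digest string) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	return v.verified[digest]
}

// Sign produces the detached signature a signing pipeline would attach to an
// image; here it only constructs sample inputs.
func Sign(priv ed25519.PrivateKey, image string) []byte {
	return ed25519.Sign(priv, []byte(digestOf(image)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(map[string]ed25519.PublicKey{"quay.io": pub})
	img := "quay.io/example/data:v1" // constructed sample reference
	vol := ImageVolume{Image: img, UserSpecifiedImage: img, Signature: Sign(priv, img)}
	if d, err := v.VerifyForMount(vol); err == nil {
		fmt.Println("mount allowed for", d, "cached:", v.IsCached(d))
	}
	vol.UserSpecifiedImage = ""
	_, err := v.VerifyForMount(vol)
	fmt.Println("without user_specified_image:", err)
}
```

The cache is keyed by content digest rather than by tag, so a tag that moves to new content is verified again; the policy lookup is keyed by the user-specified reference, which is why that field cannot be optional.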
/retest
@xw19 please rebase again.
Hi @xw19! Do you want to continue to work on this? Or do you want us to continue instead?
I will do this by next week |
e9d39a4 to c36b7f5
23baab3 to 4ab6d55
/retest
@saschagrunert Please take a look
test/policy.bats (Outdated)
POD_ID=$(crictl runp "$TESTDATA/sandbox_config.json") | ||
CTR_CONFIG="$TESTDIR/config.json" | ||
jq --arg CONTAINER_PATH "$CONTAINER_PATH" \ | ||
'.image.image = "'"$SIGNED_IMAGE"'" | .image.user_specified_image = "'"$SIGNED_IMAGE"'" | .mounts = [{ |
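Review bot: `$SIGNED_IMAGE` is spliced into the jq program through shell quoting (`"'"$SIGNED_IMAGE"'"`) while `$CONTAINER_PATH` is passed safely via `--arg`; a double quote or backslash in the image reference would break the filter. Pass it the same way, `--arg SIGNED_IMAGE "$SIGNED_IMAGE"`, and write `.image.image = $SIGNED_IMAGE | .image.user_specified_image = $SIGNED_IMAGE` inside the filter.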
Let's do not mix test cases here. Can we use a standard image which will not be verified against any signature and focus on the mount part?
I am not sure how to handle this scenario.
test/policy.bats (Outdated)
POD_ID=$(crictl runp "$TESTDATA/sandbox_config.json") | ||
CTR_CONFIG="$TESTDIR/config.json" | ||
jq --arg CONTAINER_PATH "$CONTAINER_PATH" \ | ||
'.image.image = "'"$SIGNED_IMAGE"'" | .image.user_specified_image = "'"$SIGNED_IMAGE"'" | .mounts = [{ |
Same here, let's ensure that the signature verification of the mount part fails.
6f29daa to cba41a6
a5657c4 to b2510be
b2510be to e94ecb8
/retest
/test ci-crun-e2e
Signed-off-by: Sourav Moitra <sourav.moitr@gmail.com> Signed-off-by: Ayato Tokubi <atokubi@redhat.com>
e94ecb8 to d94a8f3
@cri-o/cri-o-maintainers Can you PTAL?
@haircommander: Overrode contexts on behalf of haircommander: ci/prow/ci-e2e-evented-pleg In response to this:
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: haircommander, saschagrunert, xw19 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
/retest
@cri-o/cri-o-maintainers The test failures seem like an infra issue, which happened a few days ago. Does anyone know how we fixed the issue? |
/retest done. The images we're building in gcloud for some reason don't have any packages installing, maybe having to do with the lifecycle of RHEL 9.4; we may need to switch to 9.6. I deleted the offending image, but a new one will currently be created every week until we fix it.
/retest
/override ci/prow/ci-e2e
@haircommander: Overrode contexts on behalf of haircommander: ci/prow/ci-cgroupv2-e2e-features, ci/prow/ci-e2e In response to this:
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds image volume signature verification just before mounting.
Which issue(s) this PR fixes:
Fixes #9001
Special notes for your reviewer:
Does this PR introduce a user-facing change?
None