policy-controller
Validation bypass was performed for all patterns, but a validation failure occurred.
Hello.
Description
I set it to pass without a validation check for all image patterns, but it was not distributed due to a validation failure.
This is the ClusterImagePolicy I used.
```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-policy-default
spec:
  images:
  - glob: "**"
  authorities:
  - static:
      action: pass
```
The image I want to deploy.
```yaml
spec:
  - name: mysql
    image: mysql:latest
    imagePullPolicy: Always
```
Error message.
Error from server (BadRequest): error when creating "test.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: mysql:latest must be an image digest: spec.template.spec.containers[0].image
Can you tell me why this error occurs?
Version
policy-controller version: 0.2.1
According to the Kubernetes documentation, the admission controller goes through the MutatingWebhook and ValidationWebhook in sequence.
Before verifying the image, policy-controller resolves the image digest in the MutatingWebhook phase. However, your image was mysql:latest, which is a public Docker Hub image.
As you know, Docker Hub has a rate limit policy.
This can cause the validation failure message: must be an image digest. You can see it here.
Increase the log level for policy-controller-webhook and check the log for rate limiting.
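Added example, not part of the thread and not policy-controller's own code: a pre-submit check that lists every container image in a manifest still referenced by tag, so a deployment does not depend on the webhook resolving the tag against the registry. The function names, the digest regex and the sample Deployment (including `registry.example/sidecar`) are constructed for illustration; the manifest is assumed to be already parsed from JSON.

```python
import re

# Assumption: a reference counts as pinned only if it ends in @sha256:<64 hex>.
DIGEST_RE = re.compile(r"@sha256:[a-f0-9]{64}$")
CONTAINER_KEYS = ("initContainers", "containers", "ephemeralContainers")


def find_pod_specs(obj, path=""):
    """Yield (field path, pod spec) for every dict carrying a containers list."""
    if isinstance(obj, dict):
        if isinstance(obj.get("containers"), list):
            yield path, obj
        for key, value in obj.items():
            yield from find_pod_specs(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from find_pod_specs(item, f"{path}[{i}]")


def unpinned_images(manifest):
    """Return [(field path, image)] for images that are not digest references."""
    findings = []
    for path, spec in find_pod_specs(manifest):
        for key in CONTAINER_KEYS:
            for i, container in enumerate(spec.get(key) or []):
                image = container.get("image", "")
                if not DIGEST_RE.search(image):
                    prefix = f"{path}." if path else ""
                    findings.append((f"{prefix}{key}[{i}].image", image))
    return findings


# Constructed sample: a Deployment with one tag reference and one pinned image.
SAMPLE = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "mysql"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "mysql", "image": "mysql:latest"},
        {"name": "sidecar",
         "image": "registry.example/sidecar@sha256:" + "0" * 64},
    ]}}},
}

if __name__ == "__main__":
    for field, image in unpinned_images(SAMPLE):
        print(f"{field}: {image} is not pinned to a digest")
```

The reported field path uses the same form as the path in the webhook's error message, which makes it easy to match a finding to a denied request.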