kubernetes-monitor
[🐛] snyk/kubernetes-monitor GCP Container Registry
- kubernetes-monitor version [e.g. v2.4.13]
- Cloud runtime [GKE]
Expected behaviour
Authentication to private container registries should work.
Actual behaviour
kubernetes-monitor Pod cannot pull the image for the scan and has errors:
{"name":"kubernetes-monitor","hostname":"snyk-kubernetes-monitor-8fdcf4ccc-mh4ls","pid":7,"level":40,"message":"WARNING: Could not setup log file in /srv/app/.config/gcloud/logs, (OSError: [Errno 30] Read-only file system: '/srv/app/.config/gcloud'.\nThe configuration directory may not be writable. To learn more, see https://cloud.google.com/sdk/docs/configurations#creating_a_configuration\nERROR: gcloud crashed (OSError): [Errno 30] Read-only file system: '/srv/app/.config/gcloud'\n\nIf you would like to report this issue, please run the following command:\n gcloud feedback\n\nTo check gcloud for common problems, please run the following command:\n gcloud info --run-diagnostics\ntime=\"2023-10-06T09:37:10Z\" level=fatal msg=\"initializing source docker://gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2: getting username and password: 1 error occurred:\\n\\t* error getting credentials - err: exit status 1, out: ``\\n\\n\"\n","bin":"skopeo","loggableArguments":["copy","--dest-compress-level","6","docker://gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2","docker-archive:/var/tmp/gcr_io_****_****_0_0_90_2076038_623683417.tar"],"msg":"child process failure","time":"2023-10-06T09:37:10.828Z","v":0}
{"name":"kubernetes-monitor","hostname":"snyk-kubernetes-monitor-8fdcf4ccc-mh4ls","pid":7,"level":50,"error":{"message":"`skopeo copy --dest-compress-level 6 --src-cert-dir /srv/app/certs docker://gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2 docker-archive:/var/tmp/gcr_io_****_****_0_0_90_2076038_623683417.tar` failed with code 1","name":"ChildProcessError","stack":"ChildProcessError: `skopeo copy --dest-compress-level 6 --src-cert-dir /srv/app/certs docker://gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2 docker-archive:/var/tmp/gcr_io_****_****_0_0_90_2076038_623683417.tar` failed with code 1\n at ChildProcess.<anonymous> (/srv/app/node_modules/child-process-promise/lib/index.js:132:23)\n at ChildProcess.emit (node:events:513:28)\n at ChildProcess.emit (node:domain:489:12)\n at maybeClose (node:internal/child_process:1100:16)\n at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)","code":1},"image":"gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2","msg":"failed to pull image docker/oci archive image","time":"2023-10-06T09:37:10.829Z","v":0}
Steps to reproduce
I have private GCP container registries. I created dockercfg.json, which includes:
    "credHelpers": {
        "us.gcr.io": "gcloud",
        "asia.gcr.io": "gcloud",
        "marketplace.gcr.io": "gcloud",
        "gcr.io": "gcloud",
        "eu.gcr.io": "gcloud",
        "staging-k8s.gcr.io": "gcloud"
    }
How I was able to fix this issue
Added to Deployment:
    extraVolumes:
      - name: config-gcloud
        emptyDir:
          sizeLimit: 500Mi
    extraVolumeMounts:
      - name: config-gcloud
        mountPath: /srv/app/.config/gcloud
I see from the deployment that this env var is set:
CLOUDSDK_CONFIG: /var/tmp/gcloud
And I even see logs in /var/tmp/gcloud/logs/. So, I wonder why node isn't putting logs in there. I bet CLOUDSDK_CONFIG needs to be passed here: https://github.com/snyk/kubernetes-monitor/blob/8e6f96cc22b5fd9784c967418bafee1cbee55b1b/src/scanner/images/skopeo.ts#L73-L81
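The two explanations in this thread (the emptyDir workaround and the guess about CLOUDSDK_CONFIG), modelled as an added example that is not code from snyk/kubernetes-monitor: it resolves the directory the gcloud credential helper writes to from the environment the skopeo child process receives, then checks that directory against the container's mounts. Assumptions: HOME is /srv/app (inferred from the error path), the root filesystem is read-only, /var/tmp is a writable mount, and all function and volume names other than config-gcloud are hypothetical.

```javascript
// Added example; function names and the container spec below are constructed.
// gcloud keeps its configuration in $CLOUDSDK_CONFIG when that variable is set,
// otherwise in $HOME/.config/gcloud.
function gcloudConfigDir(env) {
  return env.CLOUDSDK_CONFIG || `${env.HOME}/.config/gcloud`;
}

// True when `path` is the mount point itself or lies beneath it.
function isUnder(path, mountPath) {
  const base = mountPath.replace(/\/+$/, '');
  return path === base || path.startsWith(base + '/');
}

// Decide whether `path` is writable in a container: the longest matching
// volume mount wins; with no match, the root filesystem setting applies.
function isWritable(path, container) {
  const hits = (container.volumeMounts || [])
    .filter((m) => isUnder(path, m.mountPath))
    .sort((a, b) => b.mountPath.length - a.mountPath.length);
  if (hits.length > 0) return !hits[0].readOnly;
  return !(container.securityContext || {}).readOnlyRootFilesystem;
}

// Report where the credential helper will write, given the environment
// that the skopeo child process actually receives.
function checkCredHelper(childEnv, container) {
  const dir = gcloudConfigDir(childEnv);
  return { dir, writable: isWritable(dir, container) };
}

// Constructed container spec: read-only root, /var/tmp writable (assumed).
const container = {
  securityContext: { readOnlyRootFilesystem: true },
  volumeMounts: [{ name: 'temporary-storage', mountPath: '/var/tmp' }],
};
const podEnv = { HOME: '/srv/app', CLOUDSDK_CONFIG: '/var/tmp/gcloud' };

// A child environment that forwards the variable, and one that drops it.
const forwarded = checkCredHelper(podEnv, container);
const dropped = checkCredHelper({ HOME: podEnv.HOME }, container);

// The workaround from the issue: an emptyDir over the default directory.
const patched = {
  ...container,
  volumeMounts: [...container.volumeMounts,
    { name: 'config-gcloud', mountPath: '/srv/app/.config/gcloud' }],
};
const droppedPatched = checkCredHelper({ HOME: podEnv.HOME }, patched);
console.log({ forwarded, dropped, droppedPatched });
```

Only the `dropped` case reports a read-only directory, which matches the path in the error log above.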