proxy: Policy verification of OCI Image before pulling #2029
Conversation
|
The above change causes the following output if a container image signed by sigstore is given the wrong key: |
RishabhSaini
force-pushed
the
sig
branch
2 times, most recently
from
92beea2
to
1cf4feb
Compare
cgwalters
added
the
experimental-image-proxy
|
As a procedural note I've created experimental-image-proxy label to track PRs to this subsystem. |
|
Rebasing to sync the branch |
|
Unsure why the CI is failing "timed out". The tests for ostree-rs-ext passed on the previous run and work locally on my end. Would the owners kindly re-rerun the ostree-rs-ext test as I suspect it was a flake |
|
There's a "Re-run" button next to the check...I clicked it, but so far not seeing a change? |
|
FWIW we do see the |
Ah, dang. OK, I'm reopening ostreedev/ostree-rs-ext#322 (comment) |
Signed-off-by: RishabhSaini <[email protected]>
|
Updated |
| @@ -266,6 +268,23 @@ func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (replyBuf, | |||
| return ret, err | |||
| } | |||
|
|
|||
| unparsedTopLevel := image.UnparsedInstance(imgsrc, nil) | |||
| policy, err := signature.DefaultPolicy(h.sysctx) | |||
There was a problem hiding this comment.
While I think this is OK for now, maybe it makes sense to cache this in the future?
There was a problem hiding this comment.
Ideally, cache the PolicyContext (as long as it is used from a single thread).
(Right now that does not make a difference, but a branch caching the imported keys in a native format inside a PolicyContext is floating around.)
|
I was thinking more about this and one problem, and this is basically what motivated #1829 is that basically well I kind of originally painted us into a corner in having e.g. But then...in practice the policy does default to being unset except for a few special base images in e.g. RHEL. So...we may mostly be OK here. I also think issue 1829 is still highly relevant in that we do want to drop the ultra-hacky code in https://github.com/ostreedev/ostree-rs-ext/blob/main/lib/src/container/skopeo.rs#L10 Anyways...I think we're probably OK. I want to do some more testing of this PR myself. To be clear did you do the whole thing with setting up e.g. cosign and requiring it in the container policy? |
Yes, I have tested this system by singing and uploading a signed container image to my registry using cosign and skopeo. Then rebasing from the remote registry behaves appropriately. |
| if err != nil { | ||
| return ret, err | ||
| } | ||
| allowed, err := policyContext.IsRunningImageAllowed(context.Background(), unparsedTopLevel) |
There was a problem hiding this comment.
Here'd what we want is a new API like IsRunningImageSigned and it would fail if the signature policy is insecureAcceptAnything for ostreedev/ostree-rs-ext#79
| @@ -266,6 +268,23 @@ func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (replyBuf, | |||
| return ret, err | |||
| } | |||
|
|
|||
| unparsedTopLevel := image.UnparsedInstance(imgsrc, nil) | |||
| policy, err := signature.DefaultPolicy(h.sysctx) | |||
There was a problem hiding this comment.
Was there a specific reason not to use opts.global.getPolicyContext here?
That would also immediately handle --insecure-policy per #2029 (review) .
| policyContext, err := signature.NewPolicyContext(policy) | ||
| if err != nil { | ||
| return ret, err | ||
| } |
There was a problem hiding this comment.
policyContext.Destroy is required by the API when done.
| if !allowed || err != nil { | ||
| return ret, err | ||
| } | ||
| if !allowed && err == nil { |
There was a problem hiding this comment.
This is dead code AFAICS. The code has already returned ret, nil above.
Should be resolved by #2048. |
Helps address the lack of policy verification in rpm-ostree:
coreos/rpm-ostree#4272
An Image pull triggered by
rpm-ostree rebasewill look to verify the policy by default as a part ofOpenImageThe other route taken here adds a new API call
#1829