I am trying to use Connaisseur to validate images in my AKS cluster.
The way I have set it up is by using the helm chart. As a validator, I have chosen cosign and have configured it with an appropriate public key. When I apply a pod manifest, this is the error I get:
[2022-08-26 07:26:51,442] ERROR: {'message': 'Unexpected Cosign exception for image "xxx.azurecr.io/alpine:latest": Error: GET https://xxx.azurecr.io/oauth2/token?scope=repository%3Aalpine%3Apull&service=xxx.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.\nmain.go:62: error during command execution: GET https://xxx.azurecr.io/oauth2/token?scope=repository%3Aalpine%3Apull&service=xxx.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.\n.', 'context': {'trust_data_type': 'dev.cosignproject.cosign/signature', 'stderr': 'Error: GET https://xxx.azurecr.io/oauth2/token?scope=repository%3Aalpine%3Apull&service=xxx.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.\nmain.go:62: error during command execution: GET https://xxx.azurecr.io/oauth2/token?scope=repository%3Aalpine%3Apull&service=xxx.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.\n', 'image': 'xxx.azurecr.io/alpine:latest', 'trust_root': 'test', 'detection_mode': True, 'user': 'masterclient', 'operation': 'CREATE', 'kind': 'Pod', 'name': 'test', 'namespace': 'default'}}
What I have done:
Using ManagedIdentity
I set the auth.k8s_keychain: true. Applied the aadpodidbinding label with the appropriate managed identity to the deployment. The managed identity has the roles AcrPull and AcrImageSigner assigned to it. I have verified that the pod indeed does inherit this label.
Using ClientCredentials
Based on the documentation and the example for AWS, in the connaisseur-env-secrets I have added (based on docker-credential-acr-env)
AZURE_CLIENT_ID: "",
AZURE_TENANT_ID: ""
and that did not work either; I got the same error.
I added AZURE_CLIENT_SECRET to the above-mentioned configuration, and I still did not get any results.
Additionally, I disabled all network policies on my cluster that prevent cross-namespace traffic.
The nmi pods in Azure do not show any calls being made to them, which means there has been no request for authentication to the container registry (for the ManagedIdentity approach).
After some time of research I have hit a wall. Any help would be appreciated. Thanks!
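A pre-flight check to run outside the cluster, added here as an example (it is not from the post above or from the Connaisseur project): it rebuilds the token URL seen in the error from the image reference, exchanges an ACR refresh token obtained with `az acr login --expose-token` for a pull-scoped token, and then runs `cosign verify` with the same public key the validator uses. It assumes the az CLI, curl, jq and cosign are installed and that `cosign.pub` (assumed file name) is the validator's key.

```shell
#!/bin/sh
# Added example, not from the original post or the Connaisseur project.
# Pre-flight check of ACR access for the image the validator failed on.
# Assumes: az CLI, curl, jq and cosign are installed; cosign.pub is the
# public key configured in the Connaisseur cosign validator.
set -e

# Split an image reference into registry and repository. Only handles
# fully-qualified references such as xxx.azurecr.io/alpine:latest.
image_registry() { printf '%s\n' "${1%%/*}"; }
image_repo() {
  path="${1#*/}"
  printf '%s\n' "${path%%[@:]*}"   # strip :tag or @digest
}

# The token URL cosign requests during verification; for the image in the
# error above it reproduces that URL exactly.
acr_token_url() {
  registry="$(image_registry "$1")"
  repo="$(image_repo "$1")"
  printf 'https://%s/oauth2/token?scope=repository%%3A%s%%3Apull&service=%s\n' \
    "$registry" "$repo" "$registry"
}

# Exchange an ACR refresh token (as returned by `az acr login --expose-token`)
# for a pull-scoped access token. A 401 here means the identity itself lacks
# AcrPull on the registry; success points at how the credential reaches
# Connaisseur inside the cluster instead. Returns 0 only if a token came back.
acr_check_pull() {
  registry="$(image_registry "$1")"
  repo="$(image_repo "$1")"
  curl -fsS -X POST "https://${registry}/oauth2/token" \
    --data-urlencode "grant_type=refresh_token" \
    --data-urlencode "service=${registry}" \
    --data-urlencode "scope=repository:${repo}:pull" \
    --data-urlencode "refresh_token=$2" | jq -e '.access_token | length > 0' >/dev/null
}

# Run the same verification the validator does, with the same key, using the
# docker keychain that `az acr login` populated.
cosign_check() { cosign verify --key "$2" "$1"; }

if [ $# -ge 1 ]; then
  image="$1"; key="${2:-cosign.pub}"
  echo "token endpoint: $(acr_token_url "$image")"
  name="$(image_registry "$image")"; name="${name%%.*}"   # xxx from xxx.azurecr.io
  refresh="$(az acr login --name "$name" --expose-token --output tsv --query accessToken)"
  acr_check_pull "$image" "$refresh" && echo "pull-scoped token obtained"
  cosign_check "$image" "$key"
fi
```

Run it as `sh acr-preflight.sh xxx.azurecr.io/alpine:latest cosign.pub`; if the token exchange succeeds and cosign verifies the signature here, the remaining difference is the credential path inside the cluster rather than the registry roles.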