This repository has been archived by the owner on Nov 1, 2022. It is now read-only.
Add parsing of Docker sha256 fixations #3440
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
go.mod - reset k8s machinery to 1.17.17 This is the latest release that we can update to -- see #3378 Try to remove when distribution/distribution#2905 is out docker/distribution patch still needed for now (Put it back for now.) On 2021-02-25 this has been merged, 2.7.2 of docker/distribution should include it hopefully relatively soon! Signed-off-by: Kingdon Barrett <kingdon@weave.works>
Signed-off-by: Matt Willsher <matt@monki.org.uk> Signed-off-by: Kingdon Barrett <kingdon@weave.works>
|
Thanks for documenting so well what issues it targets! I believe I am familiar with this problem and I have read some of the reports you're referencing. I have to review your PR and do some testing. I see a change in the I am going to try to include this in my upcoming release, bearing all that in mind I hope we will be able to test it in a prerelease shortly 👍 thanks so much! |
Signed-off-by: Herman Banken <hermanbanken@gmail.com> Signed-off-by: Kingdon Barrett <kingdon@weave.works>
|
I've rebased this into the omnibus branch that I am using to stage the 1.22.0 release. |
This was referenced Mar 9, 2021
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #3329,
Fixes #3189,
Fixes #3080,
Fixes #3009, see also #3009 (comment)
Fixes #929
The proposal is to largely ignore the SHA as far as flux is concerned. Workloads with fixated docker ID's to a specific sha256 should not be updated automatically anyway.
Allowing docker sha256 is extremely important security wise. If you trust a Docker registry today, that does not mean that some bad actor can’t take over and releases containers with backdoors the next day. Not having support for this is dangerous, as people might be tempted to remove the sha256, while it is there for good reasons: you can only vet the code currently in a git repository, and you can't take responsibility for the security mechanisms used by the owner of the repository.
Details
We have registry scanning disabled, but still we see warning about the cache warmer not understanding our ImageID's.
flux/pkg/registry/cache/warming.go
Line 180 in 2dc2680
outputs: