Add --check-policy option to skopeo inspect #2153
Conversation
When handling images with skopeo it can be useful to be able to check that the image is valid before processing any of its metadata. With the new `--check-policy` flag `skopeo inspect` will error out if the image doesn't pass the policy check. Signed-off-by: Alban Bedel <[email protected]>
|
Ephemeral COPR build failed. @containers/packit-build please check. |
There was a problem hiding this comment.
Thanks for the PR.
Um… There are definitely some valid use cases, but frequently users ask for things like this to build incorrect verification workflows like #560 (comment) (there’s much more in there). The balance of utility vs. risk is not just in the existence of the feature, but also in the prevalence of one vs. the other user base.
I don’t really know what to here…
Maybe name this --dangerous-{check,use,enforce}-policy and strongly warn in both in the man page and --help that this command succeeding gives no guarantees at all about the inspected image being correctly signed at any other time or for any other purpose? That would be certainly not elegant, but it would be at least some way to give naive users pause.
| }() | ||
|
|
||
| // Be paranoid and fail if either return value indicates so. | ||
| if allowed, err := policyContext.IsRunningImageAllowed(ctx, unparsedImage); !allowed || err != nil { |
There was a problem hiding this comment.
This should also be inside retry.IfNecessary because it contacts remote servers to fetch the signatures.
| }() | ||
|
|
||
| // Be paranoid and fail if either return value indicates so. | ||
| if allowed, err := policyContext.IsRunningImageAllowed(ctx, unparsedImage); !allowed || err != nil { |
There was a problem hiding this comment.
Also, being security-critical, this should have at least minimal tests that the option works and policy is enforced (not that all possible kinds of policy are enforced), maybe somewhere around copySuite.TestCopySignatures which already creates correctly/incorrectly signed images.
First of all thanks for the review. Before continuing I would like to be sure that I understand correctly which risk you are talking about. In the issue you pointed the risk was about having an image referenced by tag being later replaced by another image. But with My use case is to create some k8s Jobs using some parameters derived from the image metadata, so even without verification I have to reference the images by digest to ensure that the image and metadata are matching. |
Yes. If. I’ve encountered enough users who don’t immediately, unprompted, see the need for this (and even users who are hard to convince this is necessary) to make me worried. |
When handling images with skopeo it can be useful to be able to check that the image is valid before processing any of its metadata. With the new
--check-policyflagskopeo inspectwill error out if the image doesn't pass the policy check.