Uploaded image for project: 'OpenShift Node'
  1. OpenShift Node
  2. OCPNODE-2242

Ensure image validation in runtimeService

    XMLWordPrintable

Details

    • Story
    • Resolution: Unresolved
    • Undefined
    • None
    • None
    • None

    Description

      Container images need to be validated before starting a container. 

       

      • Add signature verification to runtimeService.CreatePodSandbox on the code path where the image already exists locally (to deal with a malicious user causing that image to be pulled under an unexpected policy).
      • Hook up that same new method to verify a signature into the container create path. One attractive option is to do that immediately after HeuristicallyTryResolvingStringAsIDPrefix/CandidatesForPotentiallyShortImageName obtain a StorageImageID in Server.createSandboxContainer , but Server.CreateContainer has a separate code path for “checkpoint images” first — quite possibly we should check the signature before. That is the only known part which requires research and/or restructuring.

       

      xref : https://issues.redhat.com/browse/RUN-1811?focusedId=23391305&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-23391305

       

      discussion around this topic - https://redhat-internal.slack.com/archives/CK1AE4ZCK/p1712763142542329 

       

      Attachments

        Activity

          People

            Unassigned Unassigned
            harpatil@redhat.com Harshal Patil
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: