Error creating signature: one or more errors adding attestations


jseris

Oct 25, 2018, 6:20:11 PM
to Kritis users
Hi,

We deployed Kritis-Signer, but for some reason we are getting the following error:


I1025 21:55:27.822638       1 gcb_event_parser.go:45] complete build "55845a8a-a7e0-44a1-94b1-548e935d1806"
I1025 21:55:27.822658       1 gcb_event_parser.go:52] process image gcr.io/company-net/hello-gcp@sha256:233db15d114ee7dbd45ad6bd476fb2199eef1e4228be9029462333f87f283308
I1025 21:55:27.828194       1 signer.go:64] Validating "gcr.io/company-net/hello-gcp@sha256:233db15d114ee7dbd45ad6bd476fb2199eef1e4228be9029462333f87f283308" against BuildPolicy "kritis-bp"
I1025 21:55:27.828274       1 signer.go:69] Image "gcr.io/company-net/hello-gcp@sha256:233db15d114ee7dbd45ad6bd476fb2199eef1e4228be9029462333f87f283308" matches BuildPolicy kritis-bp, creating attestations
I1025 21:55:27.833736       1 signer.go:92] Ceate attestation by "gcr.io/company-net/hello-gcp@sha256:233db15d114ee7dbd45ad6bd476fb2199eef1e4228be9029462333f87f283308" for "kritis-container-analysis"
E1025 21:55:28.323954       1 main.go:57] Error signing: Error creating signature: one or more errors adding attestations: [rpc error: code = PermissionDenied desc = permission "containeranalysis.occurrences.create" denied for project "company-net", entity ID ""]


We have granted the concerning service-account all possible container-analysis roles:


In the container-analysis API metrics we see the following:



Any idea how we can resolve this? There is no specific 'containeranalysis.occurrences.create' role to select.

--

Jseris

Aysylu Greenberg

Oct 26, 2018, 5:10:31 PM
to Kritis users
Hi Jordi,

Happy to help look into this. Please answer a few questions below, so we can figure out exactly what might be the problem.

1) What command(s) did you execute to get this error message? Were they from the tutorial?
2) Were the requests authenticated as the kritis-signer service account?
3) Is the occurrence created in the same project?

Cheers,
Aysylu

Jordi T

Oct 29, 2018, 1:55:25 PM
to Kritis users
Hi Aysylu,

So actually we got that part working now - we're not getting that error anymore. We wiped the project and started over. Unfortunately not sure what was going wrong in the first place, but there was a lot of messing around in this project. We now also did some extra 'setIamPolicy' calls, but these were not mentioned in this tutorial which we followed.

We recapped the commands in a script. We'll do some more testing to see if it is repeatable and perhaps create a pull request for this script.

FYI:
1) We only want to install kritis-signer, so we followed this tutorial. As a prerequisite, we followed steps 1 - 5 in this tutorial.
2) Yes, we started the GKE cluster on which kritis-signer runs with the --service-account parameter, so that it uses the kritis-signer SA we created.
3) As of this moment we are primarily just testing Kritis-Signer, so currently we are running everything in one and the same project.

We are using the latest available image of kritis-gcb-signer, but it now looks like we are running into this issue. We'll build the master branch ourselves and check if we then also solve this issue :-)

Cheers

Jordi

Tejal Desai

Oct 29, 2018, 3:34:15 PM
to jstet...@gmail.com, kritis...@googlegroups.com
Thanks Jordi, 

The Tutorial we have is only for Kritis Admission controller flow and not the Signer flow. 
I will add the tutorial and auth set up for Signer Service soon.

It is very much possible we have not released the kritis-signer image after this bug fix.
Let me know if building an image from master does solve your problem.
I can do a release now. 

Sorry about that!

Thanks
Tejal


Jordi T

Oct 30, 2018, 1:09:03 PM
to Kritis users
Hi Guys,

So we are some steps further now, after building a new image from the kritis master branch :-) Images built from a trusted build source (builtFrom) are now successfully signed and can be deployed on a GKE cluster with bin-authz enabled.

However, kritis-signer shows the following error for images with vulnerabilities:

I1030 16:50:48.579575       1 gcb_event_parser.go:42] build "742f6f92-eec3-4264-9d2c-49abdd0f3514", status: "SUCCESS"
I1030 16:50:48.579912       1 gcb_event_parser.go:43] messages: "{\"id\":\"742f6f92-eec3-4264-9d2c-49abdd0f3514\",\"projectId\":\"my-org\",\"status\":\"SUCCESS\",\"source\":{\"storageSource\":{\"b
ucket\":\"my-org_cloudbuild\",\"object\":\"source/1540916357.97-a28ba31c8dcf4b6f81625885c8d1f64f.tgz\",\"generation\":\"1540916359578406\"}},\"steps\":[{\"name\":\"gcr.io/cloud-builders/docker\",\
"args\":[\"build\",\"-t\",\"gcr.io/my-org/java-with-vulnz-jordi:v1\",\".\"],\"timing\":{\"startTime\":\"2018-10-30T16:19:30.543923171Z\",\"endTime\":\"2018-10-30T16:20:06.220084422Z\"},\"pullTimin
g\":{\"startTime\":\"2018-10-30T16:19:30.543923171Z\",\"endTime\":\"2018-10-30T16:19:30.626985899Z\"},\"status\":\"SUCCESS\"}],\"results\":{\"images\":[{\"name\":\"gcr.io/my-org/java-with-vulnz-jo
rdi:v1\",\"digest\":\"sha256:6fba8a5fcb6e358a64a78d1d3cf7c2e25457a0430e21b1955750fd8129177a8d\",\"pushTiming\":{\"startTime\":\"2018-10-30T16:20:06.652322245Z\",\"endTime\":\"2018-10-30T16:20:10.9504
40596Z\"}}],\"buildStepImages\":[\"sha256:d55872f046cb58ec8d363f0c750c8c7a6ecfe99b16f155d0da9906a09382ef99\"],\"buildStepOutputs\":[]},\"createTime\":\"2018-10-30T16:19:19.898015880Z\",\"startTime\":
\"2018-10-30T16:19:25.624557521Z\",\"finishTime\":\"2018-10-30T16:20:11.579977Z\",\"timeout\":\"600s\",\"images\":[\"gcr.io/my-org/java-with-vulnz-jordi:v1\"],\"artifacts\":{\"images\":[\"gcr.io/t
will-net/java-with-vulnz-jordi:v1\"]},\"logsBucket\":\"gs://463541125983.cloudbuild-logs.googleusercontent.com\",\"sourceProvenance\":{\"resolvedStorageSource\":{\"bucket\":\"my-org_cloudbuild\",\
"object\":\"source/1540916357.97-a28ba31c8dcf4b6f81625885c8d1f64f.tgz\",\"generation\":\"1540916359578406\"},\"fileHashes\":{\"gs://my-org_cloudbuild/source/1540916357.97-a28ba31c8dcf4b6f81625885c
8d1f64f.tgz#1540916359578406\":{\"fileHash\":[{\"type\":\"MD5\",\"value\":\"yVBrx4ddoFPkgijxNbfTtw==\"}]}}},\"options\":{\"logging\":\"LEGACY\"},\"logUrl\":\"https://console.cloud.google.com/gcr/buil
ds/742f6f92-eec3-4264-9d2c-49abdd0f3514?project=463541125983\",\"timing\":{\"BUILD\":{\"startTime\":\"2018-10-30T16:19:30.543906614Z\",\"endTime\":\"2018-10-30T16:20:06.652305161Z\"},\"FETCHSOURCE\":
{\"startTime\":\"2018-10-30T16:19:27.456608172Z\",\"endTime\":\"2018-10-30T16:19:30.454543076Z\"},\"PUSH\":{\"startTime\":\"2018-10-30T16:20:06.652320772Z\",\"endTime\":\"2018-10-30T16:20:10.95047266
2Z\"}}}"
I1030 16:50:48.580380       1 gcb_event_parser.go:47] complete build "742f6f92-eec3-4264-9d2c-49abdd0f3514"
I1030 16:50:48.580651       1 gcb_event_parser.go:57] process image gcr.io/my-org/java-with-vulnz-jordi:v1@sha256:6fba8a5fcb6e358a64a78d1d3cf7c2e25457a0430e21b1955750fd8129177a8d
I1030 16:50:48.588242       1 signer.go:62] Validating "gcr.io/my-org/java-with-vulnz-jordi:v1@sha256:6fba8a5fcb6e358a64a78d1d3cf7c2e25457a0430e21b1955750fd8129177a8d" against BuildPolicy "kritis-
bp"
I1030 16:50:48.588634       1 signer.go:67] Image "gcr.io/my-org/java-with-vulnz-jordi:v1@sha256:6fba8a5fcb6e358a64a78d1d3cf7c2e25457a0430e21b1955750fd8129177a8d" matches BuildPolicy kritis-bp, cr
eating attestations
W1030 16:50:48.898935       1 containeranalysis.go:117] could not parse reference
E1030 16:50:48.899344       1 main.go:57] Error signing: Error creating signature: gcr.io/my-org/java-with-vulnz-jordi:v1@sha256:6fba8a5fcb6e358a64a78d1d3cf7c2e25457a0430e21b1955750fd8129177a8d is
 not a valid image hosted in GCR

So it is good that no attestations are created ;-) but I don't think it should happen because of this error ;-)  Looking at the kritis-signer logs, it is constantly trying to parse the pubsub message.

Btw, I deployed the following ImageSecurityPolicy in the cluster in which Kritis-Signer is deployed:

apiVersion: kritis.grafeas.io/v1beta1
kind: ImageSecurityPolicy
metadata:
  name: kritis-signer-isp
  namespace: default
spec:
  imageWhitelist:
  - gcr.io/my/image
  packageVulnerabilityRequirements:
    maximumSeverity: BLOCK_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL
    maximumFixUnavailableSeverity: BLOCK_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL
    whitelistCVEs:
      - providers/goog-vulnz/notes/CVE-2017-1000082
      - providers/goog-vulnz/notes/CVE-2017-1000081

Any idea what's happening here?

Cheers

Jordi

Tejal Desai

Oct 30, 2018, 2:00:13 PM
to Jordi Teterissa, kritis...@googlegroups.com
Jordi, 

We recently found that error too while demoing kritis. I will look into it and get back to you soon!

Thanks
Tejal

Jordi Teterissa

Oct 30, 2018, 3:02:06 PM
to Tejal Desai, kritis...@googlegroups.com
Hi Tejal,

Cool, looking forward to your findings! If you need any more info from my side, please let me know.

Thanks!

Jordi

Jordi Teterissa

Oct 31, 2018, 10:50:43 AM
to Tejal Desai, kritis...@googlegroups.com
Hi Tejal,

We found out that the issue occurs when we explicitly push the docker image with a tag (e.g. gcr.io/my-company/hello-gcp:v1).

But if you look at what kritis-signer tries to sign:
E1031 12:11:04.565998       1 main.go:57] Error signing: Error creating signature: gcr.io/my-company/hello-gcp:v1@sha256:c3807fb9d9332da0ec3c5b6e5909dd5b6e3f612337f5fbf94ae3dd7484067ffc is not a valid image hosted in GCR

If we do not explicitly add a tag, then it works.
Hope this info helps you :-)

Also one other question: looking at the source code, Kritis-Signer is not capable of creating attestations based on vulnerability scanning results, right? There currently only is integration with CloudBuilder?

Thanks!

Jordi
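
The "is not a valid image hosted in GCR" failure in Jordi's Oct 30 log and in the reply above both involve a reference of the form repo:tag@sha256:digest, i.e. a tag and a digest in the same string. The following is an added example, not code from the thread or from the Kritis project, showing how a signer can parse such a reference, accept the tag-plus-digest shape, check the registry host, and reduce the reference to the digest-pinned form before recording an attestation. The function names (ParseImageRef, IsGCR, AttestationResourceURL), the host check, and the tag/digest grammar are this example's own assumptions; the sample references are the ones that appear in the thread's log lines plus two constructed negative cases.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is a container image reference split into its parts.
type ImageRef struct {
	Host   string // registry host, e.g. "gcr.io" or "eu.gcr.io"
	Path   string // repository path, e.g. "my-company/hello-gcp"
	Tag    string // optional tag, e.g. "v1"
	Digest string // optional content digest, "sha256:<64 hex chars>"
}

// Assumed grammar for tags and digests (OCI-style); not taken from Kritis.
var (
	tagRe    = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$`)
	digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
)

// ParseImageRef splits "host/path[:tag][@digest]" into an ImageRef. A tag and
// a digest may both be present, which is exactly what Cloud Build reports for
// an image that was pushed with an explicit tag.
func ParseImageRef(ref string) (ImageRef, error) {
	var out ImageRef
	rest := ref

	// The digest, if any, follows the only '@' in the reference.
	if at := strings.Index(rest, "@"); at >= 0 {
		out.Digest = rest[at+1:]
		rest = rest[:at]
		if !digestRe.MatchString(out.Digest) {
			return ImageRef{}, fmt.Errorf("malformed digest %q in %q", out.Digest, ref)
		}
	}

	// The registry host ends at the first '/'. The host may contain a ':' for
	// a port, so only a ':' that comes after that first '/' introduces a tag.
	slash := strings.Index(rest, "/")
	if slash < 0 {
		return ImageRef{}, fmt.Errorf("no registry host in %q", ref)
	}
	if colon := strings.LastIndex(rest, ":"); colon > slash {
		out.Tag = rest[colon+1:]
		rest = rest[:colon]
		if !tagRe.MatchString(out.Tag) {
			return ImageRef{}, fmt.Errorf("malformed tag %q in %q", out.Tag, ref)
		}
	}
	out.Host = rest[:slash]
	out.Path = rest[slash+1:]
	if out.Path == "" {
		return ImageRef{}, fmt.Errorf("empty repository path in %q", ref)
	}
	return out, nil
}

// IsGCR reports whether host is Google Container Registry: gcr.io itself or a
// regional host such as eu.gcr.io or us.gcr.io (assumed host list).
func IsGCR(host string) bool {
	return host == "gcr.io" || strings.HasSuffix(host, ".gcr.io")
}

// AttestationResourceURL returns the digest-pinned, tag-free form of ref, the
// identity an attestation should be recorded against: a tag can later be
// re-pointed at different content, a digest cannot. It rejects images that
// are not in GCR and images that carry no digest at all.
func AttestationResourceURL(ref string) (string, error) {
	r, err := ParseImageRef(ref)
	if err != nil {
		return "", err
	}
	if !IsGCR(r.Host) {
		return "", fmt.Errorf("%s is not a valid image hosted in GCR", ref)
	}
	if r.Digest == "" {
		return "", fmt.Errorf("%s has no digest; refusing to attest a mutable tag", ref)
	}
	return r.Host + "/" + r.Path + "@" + r.Digest, nil
}

func main() {
	// Sample references taken from the log lines in this thread, plus two
	// constructed negative cases (tag without digest, non-GCR host).
	samples := []string{
		"gcr.io/my-company/hello-gcp:v1@sha256:c3807fb9d9332da0ec3c5b6e5909dd5b6e3f612337f5fbf94ae3dd7484067ffc",
		"gcr.io/my-org/java-with-vulnz-jordi:v1@sha256:6fba8a5fcb6e358a64a78d1d3cf7c2e25457a0430e21b1955750fd8129177a8d",
		"gcr.io/company-net/hello-gcp@sha256:233db15d114ee7dbd45ad6bd476fb2199eef1e4228be9029462333f87f283308",
		"gcr.io/my-company/hello-gcp:v1",
		"docker.io/library/alpine@sha256:" + strings.Repeat("0", 64),
	}
	for _, s := range samples {
		url, err := AttestationResourceURL(s)
		if err != nil {
			fmt.Println("REJECT", err)
			continue
		}
		fmt.Println("ATTEST", url)
	}
}
```

The design choice worth noting is that the tag is parsed but deliberately dropped from the output: an attestation that names repo:tag would keep "verifying" whatever that tag is later moved to, while repo@sha256:... binds the signature to one exact image, which is what a Binary Authorization admission check needs.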

Tejal Desai

Oct 31, 2018, 11:14:48 AM
to Jordi Teterissa, kritis...@googlegroups.com
That is correct. Kritis signer can’t add attestations for vulnerability scanning. But Kritis can.
We will be merging these together soon so kritis will do both. 

Thanks
Tejal
