Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

check image access on deis pull #88

Merged
merged 2 commits into from
Jan 16, 2019
Merged

check image access on deis pull #88

merged 2 commits into from
Jan 16, 2019

Conversation

rwos
Copy link
Contributor

@rwos rwos commented Dec 18, 2018

resolves teamhephy/workflow#78

Essentially, this just attempts a docker_client.inspect_image (which downloads just the manifest, not the whole image) on deis pull and that raises an error if it's a private registry and the user didn't add the correct credentials to the app.

I think in the default hephy install, with the on-cluster deis-registry, you can still "steal" other users' source build images by doing deis pull 127.0.0.1:5555/hephy/some-app:git-$githash. But for that to work, you'd need to somehow guess the app name and the correct git hash - I don't think that's very likely. Plus, that stops working if you use a password-protected off-cluster registry for hephy.

@rwos rwos mentioned this pull request Dec 18, 2018
Merged
2 tasks
@Cryptophobia Cryptophobia self-requested a review January 14, 2019 21:55
Cryptophobia
Cryptophobia requested changes Jan 14, 2019
View reviewed changes
Copy link
Member

@Cryptophobia Cryptophobia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only one thing we should change is to make parallel into serial again for running the test because it will be more accurate.

rootfs/api/tests/test_pods.py Show resolved Hide resolved
rootfs/api/tests/test_build.py Show resolved Hide resolved
rootfs/bin/test-unit Outdated Show resolved Hide resolved
rootfs/registry/dockerclient.py Show resolved Hide resolved
rwos added 2 commits January 16, 2019 12:34
@rwos
fix(tests): extend pod name regex
26add98
@rwos
fix(controller): check image access when creating builds
1ce3bc5 
Due to the nature of k8s' docker image cache, users can acccess other
users' images in some situations (when they land on the same k8s node).

That is, once user A has deployed privateregistry.example.com/image-a
(with the help of `deis registry:set password=... username=...`), user B
can just do `deis pull privateregistry.example.com/image-a` and that
will (sometimes) work, since the image is in the k8s cache and thus not
pulled again.

This commit changes things so that on a `deis pull` (aka `deis
build:create`) the controller tries to access the image (with the
configured registry credentials, if any) - and then refuses to deploy it
to k8s if that fails.
@rwos rwos force-pushed the upstream-image-access-check branch from b0a1e56 to 1ce3bc5 Compare January 16, 2019 11:34
@rwos
Copy link
Contributor Author

rwos commented Jan 16, 2019

@Cryptophobia thanks for the review! I removed the --parallel stuff again

@Cryptophobia
Copy link
Member

Thank you for the PR and fixing this security issue in a creative way!

@Cryptophobia Cryptophobia merged commit c86f61f into teamhephy:master Jan 16, 2019
@rwos rwos deleted the upstream-image-access-check branch January 18, 2019 14:42
@Cryptophobia Cryptophobia mentioned this pull request Jun 14, 2019
Merged
duanhongyi added a commit to duanhongyi/controller that referenced this pull request Apr 24, 2023
@duanhongyi
Merge pull request teamhephy#88 from jianxiaoguo/main
9876248 
chore(controller): upgrade requirements pyOpenSSL==23.0.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Cryptophobia Cryptophobia Cryptophobia approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Hephy users can access each others private-registry images, via k8s image cache
2 participants
@rwos @Cryptophobia