Binary Authorization - Deployment failed - Denied by Attestor. Attestor cannot attest to an image in GKE

10/29/2019

I was trying to showcase Binary Authorization to my client as a POC. During the deployment, it is failing with the following error message:

pods "hello-app-6589454ddd-wlkbg" is forbidden: image policy webhook backend denied one or more images: Denied by cluster admission rule for us-central1.staging-cluster. Denied by Attestor. Image gcr.io//hello-app:e1479a4 denied by projects//attestors/vulnz-attestor: Attestor cannot attest to an image deployed by tag

I have adhered to all the steps mentioned on the site.

I have verified the image repeatedly on a few occasions, for example using the command below to forcefully make the attestation:

gcloud alpha container binauthz attestations sign-and-create \
  --project "projectxyz" \
  --artifact-url "gcr.io/projectxyz/hello-app@sha256:82f1887cf5e1ff80ee67f4a820703130b7d533f43fe4b7a2b6b32ec430ddd699" \
  --attestor "vulnz-attestor" \
  --attestor-project "projectxyz" \
  --keyversion "1" \
  --keyversion-key "vulnz-signer" \
  --keyversion-location "us-central1" \
  --keyversion-keyring "binauthz" \
  --keyversion-project "projectxyz"

It throws the following error:

ERROR: (gcloud.alpha.container.binauthz.attestations.sign-and-create) Resource in project [project xyz] is the subject of a conflict: occurrence ID "c5f03cc3-3829-44cc-ae38-2b2b3967ba61" already exists in project "projectxyz"

So when I verify, I find the attestation present:

gcloud beta container binauthz attestations list \
  --artifact-url "gcr.io/projectxyz/hello-app@sha256:82f1887cf5e1ff80ee67f4a820703130b7d533f43fe4b7a2b6b32ec430ddd699" \
  --attestor "vulnz-attestor" \
  --attestor-project "projectxyz" \
  --format json \
  | jq '.[0].kind' | grep 'ATTESTATION'
"ATTESTATION"

Here are the screenshots:

[screenshot: deployment error]

[screenshot: container]

[screenshot: cloud build]

Any feedback please?

Thanks in advance.

-- ARINDAM BANERJEE
google-cloud-kms
google-kubernetes-engine
kubernetes
security

2 Answers

10/29/2019

After pointing to another repository the problem was solved, but before that you were having problems and there could be many reasons. Please contact support with the error message if you are having the same problem.

-- Shafiq I
Source: StackOverflow

10/29/2019

Thank you for trying Binary Authorization. I just updated the Binary Authorization Solution, which you might find helpful.

A few things I noticed along the way:

... denied by projects//attestors/vulnz-attestor:

There should be a project ID in between projects and attestors, like:

projects/my-project/attestors/vulnz-attestor

Similarly, your gcr.io links should include that same project ID, for example:

gcr.io//hello-app:e1479a4

should be

gcr.io/my-project/hello-app:e1479a4

If you followed a tutorial, it likely asked you to set a variable like $PROJECT_ID, but you may have accidentally unset it or run the command in a different terminal session.

-- sethvargo
Source: StackOverflow
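Both problems visible in the question (an empty project segment in gcr.io//hello-app and projects//attestors/vulnz-attestor, and a deployment that references the image by tag while the attestation is bound to a sha256 digest) can be caught before kubectl is ever run. The script below is an added example for this thread, not code from the question, either answer, or the Binary Authorization tooling; the function names, the constructed sample references and the assumption that images follow the gcr.io/PROJECT/IMAGE[:TAG|@sha256:DIGEST] layout shown on the page are mine. It makes no gcloud calls, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the question or answers): pre-deploy sanity checks for
# the image references and attestor resource names used with Binary Authorization.
# Assumes POSIX sh and the gcr.io/PROJECT/IMAGE[:TAG|@sha256:DIGEST] layout.

# check_image_ref REF
# Returns 0 only if REF is a gcr.io image with a non-empty project segment that
# is pinned by a well-formed sha256 digest; prints the reason otherwise.
check_image_ref() {
  ref=$1
  case $ref in
    gcr.io/*) ;;
    *) echo "not a gcr.io reference: $ref"; return 1 ;;
  esac
  rest=${ref#gcr.io/}
  project=${rest%%/*}
  # An empty $PROJECT_ID produces "gcr.io//image", i.e. an empty first segment.
  if [ -z "$project" ] || [ "$project" = "$rest" ]; then
    echo "missing project ID in image reference (is PROJECT_ID set?): $ref"
    return 1
  fi
  case $rest in
    *@sha256:*)
      digest=${rest##*@sha256:}
      case $digest in
        *[!0-9a-f]*) echo "non-hex sha256 digest in: $ref"; return 1 ;;
      esac
      if [ ${#digest} -ne 64 ]; then
        echo "sha256 digest is not 64 hex chars in: $ref"; return 1
      fi
      echo "ok: $ref is pinned by digest"; return 0 ;;
    *:*)
      # This is the "Attestor cannot attest to an image deployed by tag" case.
      echo "image referenced by tag, attestations are bound to digests: $ref"
      return 1 ;;
    *)
      echo "image has neither tag nor digest: $ref"; return 1 ;;
  esac
}

# attestor_resource PROJECT_ID ATTESTOR_NAME
# Prints projects/PROJECT_ID/attestors/ATTESTOR_NAME, refusing to emit the
# "projects//attestors/..." form seen in the error when the project ID is empty.
attestor_resource() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "attestor_resource: project ID and attestor name must both be non-empty" >&2
    return 1
  fi
  printf 'projects/%s/attestors/%s\n' "$1" "$2"
}

# pin_to_digest REF DIGEST
# Rewrites gcr.io/PROJECT/IMAGE[:TAG] to the @sha256:DIGEST form that the
# sign-and-create command is run against. DIGEST is the resolved hex digest.
# Relies on gcr.io having no port, so the first ':' starts the tag.
pin_to_digest() {
  base=${1%%@*}      # drop any existing digest
  path=${base%%:*}   # drop the tag
  printf '%s@sha256:%s\n' "$path" "$2"
}

# Demo on constructed references: the tag form from the error message, the
# empty-project form from the error message, and the digest form from the question.
demo() {
  for r in \
    'gcr.io//hello-app:e1479a4' \
    'gcr.io/projectxyz/hello-app:e1479a4' \
    'gcr.io/projectxyz/hello-app@sha256:82f1887cf5e1ff80ee67f4a820703130b7d533f43fe4b7a2b6b32ec430ddd699'
  do
    check_image_ref "$r"
  done
  attestor_resource "projectxyz" "vulnz-attestor"
  pin_to_digest 'gcr.io/projectxyz/hello-app:e1479a4' \
    '82f1887cf5e1ff80ee67f4a820703130b7d533f43fe4b7a2b6b32ec430ddd699'
  return 0
}

demo
```

In a pipeline you would run check_image_ref against every image in the manifest and fail the job on a non-zero return, so a tag-based reference or an unset PROJECT_ID is rejected by the build rather than by the admission webhook at deploy time.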