Warn about insecure images #226
Conversation
…ages that they are deploying
```python
if image_tag['severity_fix_available'] not in ['NOT_PROCESSED_YET',
                                               'COULDNT_FIGURE_OUT',
                                               'NO_CVES_FOUND',
                                               'TOO_OLD']:
```
@sarnowski Could you review that those statuses are the ones we do not want to show the warning? I am not sure about the TOO_OLD and NOT_PROCESSED_YET, maybe we want to show the warning for those statuses too.
Yes both should warn the user as well. It doesn't prevent the user from doing it anyway.
@rafaelcaricio please update zalando-stups/pierone-cli#38
```python
def check_docker_image_exists(docker_image: pierone.api.DockerImage):
    if 'pierone' in docker_image.registry:
```
this actually will not trigger for OS registry (registry.opensource.zalan.do) --- this check is meant to check whether we need authentication
Hm... right. I will try another approach then.
Updated the approach! Maybe now it is even better, because we will show a warning when the user is trying to deploy an image that is not from Pierone.
@hjacobs done.

@hjacobs @sarnowski please review.

@rafaelcaricio can we have a test please?
```python
if not exists:
    raise click.UsageError('Docker image "{}" does not exist'.format(docker_image))
elif 'severity_fix_available' in image_tag:
```
image_tag might not be defined?
😱 You're right! I am changing 4 projects at the same time... I need to focus better.
And what about OS registry now?
…det of having pierone in the url
@hjacobs Now it handles any docker image registry, if it does not find the pierone endpoints it will just assume it is not pierone. 😷
```python
try:
    exists = pierone.api.image_exists('pierone', docker_image)
except pierone.api.Unauthorized:
    token = get_existing_token('pierone')
```
this will not work for service tokens
Why? That is the exact code that pierone-cli was calling inside image_exists.
How can I make it work?
OK, might be, so it would just work for human users --- you can use zign.api.get_token(...) which tries best effort and also works with service tokens
👍
Fixes #223
Depends on zalando-stups/pierone-cli#38
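The decision logic the review converges on (warn, but never block, when the scan status is anything other than a clean result; treat an image without scan data as unknown; never touch an undefined tag record) written out as an added, self-contained example. This is not the PR's code: the `pierone.api` calls are replaced by an injected `lookup` callable, the tag record shape (a dict with an optional `severity_fix_available` string) is assumed from how the snippets above index it, and the registry contents and the `FIXES_AVAILABLE` status are constructed sample values, not real Pierone statuses.

```python
# Added example modelling the "warn about insecure images" check discussed in
# the review. Not the project's code; 'lookup' stands in for the Pierone API.


class ImageNotFound(Exception):
    """Raised when the registry has no record of the image; the CLI would
    turn this into a usage error instead of reading an undefined tag record."""


# Statuses that mean "scanned, nothing to fix". Following the reviewer's
# decision, NOT_PROCESSED_YET and TOO_OLD are deliberately *not* listed:
# an unknown scan result should still warn the user.
NO_WARNING_STATUSES = frozenset({'NO_CVES_FOUND', 'COULDNT_FIGURE_OUT'})


def insecure_image_warning(image_tag):
    """Return a warning message for a tag record, or None if the image is clean.

    A record without scan data (an image from a non-Pierone registry, or an
    empty lookup result) warns as well, so the default is fail-safe. The
    caller only prints the warning; deployment is never blocked here.
    """
    if not image_tag or 'severity_fix_available' not in image_tag:
        return 'No CVE scan information available for this image'
    status = image_tag['severity_fix_available']
    if status in NO_WARNING_STATUSES:
        return None
    return 'Image has CVE scan status {}; fixes may be available'.format(status)


def check_docker_image(lookup, image):
    """Run the pre-deployment check for one image reference.

    'lookup' is a callable (assumed interface) returning the tag record, or
    None when the image does not exist. Returns the warning text (or None)
    and raises ImageNotFound for a missing image, so the record is never
    read when it was not defined (the bug flagged in the review).
    """
    image_tag = lookup(image)
    if image_tag is None:
        raise ImageNotFound('Docker image "{}" does not exist'.format(image))
    return insecure_image_warning(image_tag)


# Constructed sample registry state; hostnames and statuses are illustrative.
SAMPLE_REGISTRY = {
    'pierone.example.org/team/app:1.0': {'severity_fix_available': 'NO_CVES_FOUND'},
    'pierone.example.org/team/app:0.9': {'severity_fix_available': 'TOO_OLD'},
    'pierone.example.org/team/app:1.1': {'severity_fix_available': 'NOT_PROCESSED_YET'},
    # 'FIXES_AVAILABLE' is a constructed value, not a real Pierone status.
    'pierone.example.org/team/app:1.2': {'severity_fix_available': 'FIXES_AVAILABLE'},
    'registry.example.org/other/image:latest': {},  # not scanned by Pierone
}


def sample_lookup(image):
    """Stand-in for the registry lookup: None means the image does not exist."""
    return SAMPLE_REGISTRY.get(image)


if __name__ == '__main__':
    for ref in SAMPLE_REGISTRY:
        print(ref, '->', check_docker_image(sample_lookup, ref))
    try:
        check_docker_image(sample_lookup, 'pierone.example.org/team/app:9.9')
    except ImageNotFound as err:
        print('error:', err)
```

Keeping the clean statuses in an allow-list means any status the client has never seen, including new ones added to the scanner later, produces a warning rather than silently passing.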