Bug 1890671

Summary: [SA] verify-image-signature using service account does not work
Product: OpenShift Container Platform
Reporter: Fatima <fshaikh>
Component: oc
Assignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA
QA Contact: Wenjing Zheng <wzheng>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.11.0
CC: aos-bugs, jokerman, maszulik, mfojtik, slaznick
Target Milestone: ---
Keywords: Reopened
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Wrong user name used when verifying image signatures. Consequence: Image signature verification is not possible. Fix: Use the proper user name when verifying image signatures. Result: Image signature verification works as expected.
Story Points: ---
Clone Of:
Clones: 1906796
Environment:
Last Closed: 2021-02-24 15:27:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1906796

Description Fatima 2020-10-22 17:01:02 UTC
Description of problem:

verify-image-signature using a service account does not work. The SA is given cluster-admin permissions, the same as a normal user; the user is able to verify the signed image, but with the SA it shows "authentication required".


Version-Release number of selected component (if applicable):

OCP v3.11.286 


How reproducible:

100%


Steps to Reproduce:

Will add as a private comment as it contains sensitive data.

Actual results:
SA fails to verify the image with auth required error.


Expected results:
Images should be verified by the SA.

Comment 2 Standa Laznicka 2020-10-23 07:43:31 UTC
You're not logged into the registry.

Comment 4 Standa Laznicka 2020-10-27 09:06:28 UTC
I did not notice the case. Moving to `oc`, not sure if `image registry` might be a better component.

Comment 5 Maciej Szulik 2020-10-27 09:30:03 UTC
Has the customer tried invoking oc registry login before verifying the signature? This command ensures that the user is logged in to the registry and should be invoked before other registry-related operations.
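
The sequence comment 5 recommends, run under a service account identity, as an added example (not code from the bug report or from the oc project): log the SA into the integrated registry with `oc registry login -z`, confirm that a credential for the registry host actually landed in the docker config before touching the registry, and only then run `oc adm verify-image-signature`. The namespace, service account name, image digest, expected identity and public-key path are placeholders; the docker config location (`$DOCKER_CONFIG/config.json`, defaulting to `~/.docker/config.json`) and the `grep`-based presence check are assumptions, and the config file the script can write for itself is constructed sample data. The cluster-facing part only runs when `RUN_LIVE=1`.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report or the oc project.
# Placeholders (assumed): NAMESPACE, SERVICE_ACCOUNT, DIGEST, EXPECTED_IDENTITY, PUBLIC_KEY.
set -euo pipefail

NAMESPACE=${NAMESPACE:-signing}                   # assumed
SERVICE_ACCOUNT=${SERVICE_ACCOUNT:-verifier}       # assumed
REGISTRY=${REGISTRY:-image-registry.openshift-image-registry.svc:5000}  # OCP 4 integrated registry
DIGEST=${DIGEST:-sha256:0000000000000000000000000000000000000000000000000000000000000000}  # assumed
EXPECTED_IDENTITY=${EXPECTED_IDENTITY:-$REGISTRY/$NAMESPACE/app:latest}  # assumed
PUBLIC_KEY=${PUBLIC_KEY:-/etc/pki/verifier.gpg}   # assumed
DOCKER_CONFIG_FILE=${DOCKER_CONFIG:-$HOME/.docker}/config.json  # assumed default written by oc registry login
OC=${OC:-oc}

# A service account's identity on the API server (the name the registry sees
# when it checks access) is system:serviceaccount:<namespace>:<name>.
sa_username() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Exit 0 when an identity string (e.g. `oc whoami` output) is a service account.
is_service_account() {
  case "$1" in
    system:serviceaccount:*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 when a docker-style config.json holds an "auths" entry for REGISTRY_HOST.
# `oc registry login` writes such an entry; "authentication required" from the
# registry is what you get when it is missing. (Simplified: matches the quoted
# host name anywhere in the file rather than parsing the JSON.)
registry_auth_present() {
  local config=$1 registry=$2
  grep -q "\"$registry\"" "$config"
}

# Writes a constructed config.json (sample data, not a real credential) and prints its path.
write_sample_docker_config() {
  local path=${1:-$(mktemp)}
  cat >"$path" <<'EOF'
{"auths":{"image-registry.openshift-image-registry.svc:5000":{"auth":"c2VydmljZWFjY291bnQ6c2FtcGxl"}}}
EOF
  printf '%s\n' "$path"
}

# Live workflow: needs a cluster, a signed image and a public key.
verify_as_service_account() {
  echo "verifying as $(sa_username "$NAMESPACE" "$SERVICE_ACCOUNT")"
  # Step 1 (comment 5): log the SA's token into the integrated registry.
  "$OC" -n "$NAMESPACE" registry login -z "$SERVICE_ACCOUNT"
  # Step 2: fail early, with a clear message, if no credential was recorded.
  if ! registry_auth_present "$DOCKER_CONFIG_FILE" "$REGISTRY"; then
    echo "no credential for $REGISTRY in $DOCKER_CONFIG_FILE; registry login did not take" >&2
    return 1
  fi
  # Step 3: verify the signature and record the verified identity on the image.
  "$OC" adm verify-image-signature "$DIGEST" \
    --expected-identity="$EXPECTED_IDENTITY" \
    --public-key="$PUBLIC_KEY" \
    --save
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  verify_as_service_account
fi
```

Running `registry_auth_present` before the verify step turns comment 2's diagnosis ("You're not logged into the registry") into an explicit check instead of an opaque "authentication required" from the registry.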

Comment 14 Maciej Szulik 2020-12-04 16:26:46 UTC
PR in the queue.

Comment 19 Wenjing Zheng 2020-12-29 09:17:22 UTC
Cannot reproduce the unauthorized error with below version:
$ oc version
Client Version: 4.7.0-0.nightly-2020-12-21-131655
Server Version: 4.7.0-0.nightly-2020-12-21-131655
Kubernetes Version: v1.20.0+87544c5

Comment 20 Fatima 2021-02-15 13:22:32 UTC
Dear team, 

Any updates on the bug?

Thanks.

Comment 21 Maciej Szulik 2021-02-15 13:38:33 UTC
(In reply to Fatima from comment #20)
> Dear team, 
> 
> Any updates on the bug?
> 
> Thanks.

This particular fix will be part of 4.7 release. For backports I'd suggest looking at 
dependent bugzillas:
4.6 - https://bugzilla.redhat.com/show_bug.cgi?id=1906796

Comment 23 errata-xmlrpc 2021-02-24 15:27:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633