Description of problem: verify-image-signature using service account does not work. The SA is given cluster admin permissions same as a normal user, but the user is able to verify the signed image but with the SA it shows authentication required. Version-Release number of selected component (if applicable): OCP v3.11.286 How reproducible: 100% Steps to Reproduce: Will add as a private comment as it contains sensitive data. Actual results: SA fails to verify the image with auth required error. Expected results: images should be verified by the SA.
You're not logged into the registry.
I did not notice the case. Moving to `oc`, not sure if `image registry` might be a better component.
Has the customer tried invoking oc registry login before verifying signature. This command ensures that the user is logging in into the registry and should be invoked before other registry related operations.
PR in the queue.
Cannot reproduce the unauthorized error with below version: $ oc version Client Version: 4.7.0-0.nightly-2020-12-21-131655 Server Version: 4.7.0-0.nightly-2020-12-21-131655 Kubernetes Version: v1.20.0+87544c5
Dear team, Any updates on the bug? Thanks.
(In reply to Fatima from comment #20) > Dear team, > > Any updates on the bug? > > Thanks. This particular fix will be part of 4.7 release. For backports I'd suggest looking at dependent bugzillas: 4.6 - https://bugzilla.redhat.com/show_bug.cgi?id=1906796
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633