# Issues for Ratify v1.1.0

## Gen-1: Registry support for OCI image spec v1.1.0 rc.4

This is a question. We use oras to attach the vuln report; however, the document does not mention which version of oras to use. With oras v1.0.0, the manifest pushed by default follows OCI image spec v1.1.0 rc.2. With oras v1.1.0, the manifest pushed by default follows OCI image spec v1.1.0 rc.4. My understanding is that a few registries support OCI image spec v1.1.0 rc.4, so maybe we should recommend using oras v1.0.0 for broad compliance?

## Vuln-1: Verify an image with no vuln reports

**Result**: Passed but logs can be improved

```
$ ./oras discover $image2 -o tree
wabbitregistry.azurecr.io/nginx@sha256:ac9a82772d377190ec9d7c895cf4feac5e776922af965c313af39879e2c437a1
$ kubectl run image-no-report -n default --image=$image2
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [vulnerability-report-validation-constraint] Subject failed verification: wabbitregistry.azurecr.io/nginx@sha256:ac9a82772d377190ec9d7c895cf4feac5e776922af965c313af39879e2c437a1
```

The logs could be more intuitive for users: the failure is due to no vuln report being found while there are policies that require one to be verified.

```
time=2023-12-12T08:01:10.27046058Z level=info msg=verify result for subject wabbitregistry.azurecr.io/nginx@sha256:ac9a82772d377190ec9d7c895cf4feac5e776922af965c313af39879e2c437a1: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/nginx@sha256:ac9a82772d377190ec9d7c895cf4feac5e776922af965c313af39879e2c437a1",
      "isSuccess": false,
      "message": "verification failed: Error: referrers not found, Code: REFERRERS_NOT_FOUND, Component Type: executor"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=085167f4-0054-4468-99fe-0aea51ab15a8
```

## Vuln-2: Verify an image with old vuln reports

**Result**: Passed

```
time=2023-12-12T07:09:20.415015925Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e",
      "isSuccess": false,
      "name": "verifier-vulnerabilityreport",
      "type": "vulnerabilityreport",
      "message": "vulnerability report validation failed: report is older than maximum age:[1h]",
      "extensions": {
        "createdAt": "2023-12-12T05:22:08Z"
      },
      "artifactType": "application/sarif+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=897c7516-339d-4973-bf90-ba10ac9cd6af
```

## Vuln-3: Verify an image with vulnerabilities of disallowed severities

**Result**: Passed but logs can be improved

If the validation fails due to severity, the message is `vulnerability report validation failed`, which does not say what happened. And the `extensions` field contains the full list of vulnerabilities with disallowed severities, which is too long. See an example (truncated):

```
d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e",
      "isSuccess": false,
      "name": "verifier-vulnerabilityreport",
      "type": "vulnerabilityreport",
      "message": "vulnerability report validation failed",
      "extensions": {
        "createdAt": "2023-12-12T05:22:08Z",
        "scanner": "trivy",
        "severityViolations": [
          {
            "defaultConfiguration": {
              "level": "error"
            },
            "fullDescription": {
              "text": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems."
            },
            "help": {
              "markdown": "**Vulnerability CVE-2022-3715**\n| Severity | Package | Fixed Version | Link |\n| --- | --- |@@@
```

## Vuln-4: Verify an image with vulnerabilities in the denylist

**Result**: Passed but logs can be improved

The message is `vulnerability report validation failed`, which does not say what happened. See an example:

```
time=2023-12-12T07:01:10.198197089Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e",
      "isSuccess": false,
      "name": "verifier-vulnerabilityreport",
      "type": "vulnerabilityreport",
      "message": "vulnerability report validation failed",
      "extensions": {
        "createdAt": "2023-12-12T05:22:08Z",
        "denylistCVEs": [
          "cve-2023-45853"
        ],
        "scanner": "trivy"
      },
      "artifactType": "application/sarif+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=b47a0b68-c78d-405b-84e5-25d07f219c6b
```

## Vuln-5: Verify an image with a vuln report that is compliant

**Result**: Failed

The following deployment was denied.

```
kubectl run vuln-alpine-image -n default --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [vulnerability-report-validation-constraint] Subject failed verification: wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e
```

However, the verification was successful in the log:

```
time=2023-12-12T07:04:20.758925208Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e: {
  "isSuccess": true,
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e",
      "isSuccess": true,
      "name": "verifier-vulnerabilityreport",
      "type": "vulnerabilityreport",
      "message": "vulnerability report validation succeeded",
      "extensions": {
        "createdAt": "2023-12-12T05:22:08Z",
        "scanner": "trivy"
      },
      "artifactType": "application/sarif+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=1bb3e7a4-e7aa-4622-9811-bd435b88184e
```

## Gen-2: Sometimes I could not see any error messages

Fixed. The reason is the missing parameter `--set externaldataProviderResponseCacheTTL=10s` for the Gatekeeper installation. Refer to Akash's comment on why we need this parameter.

The error indicated that the deployment was denied.

```
$ kubectl run vuln-alpine-image -n default --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [vulnerability-report-validation-constraint] Subject failed verification: wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e
$ kubectl run vuln-alpine-image -n default --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [vulnerability-report-validation-constraint] Subject failed verification: wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e
$ kubectl run vuln-alpine-image -n default --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [vulnerability-report-validation-constraint] Subject failed verification: wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e
```

However, there were no errors in the logs:

```
$ kubectl logs …
time=2023-12-12T07:03:01.22821723Z level=info msg=mutating image wabbitregistry.azurecr.io/net-monitor:v1 component-type=server go.version=go1.20.12 trace-id=9622f54c-4f84-4757-b65b-60a1ff6c882b
time=2023-12-12T07:03:08.696747134Z level=info msg=mutating image wabbitregistry.azurecr.io/net-monitor:v1 component-type=server go.version=go1.20.12 trace-id=fe9059dd-fddd-41ff-b735-935b5034bbc2
time=2023-12-12T07:03:12.368139144Z level=info msg=mutating image wabbitregistry.azurecr.io/net-monitor:v1 component-type=server go.version=go1.20.12 trace-id=0f017a3b-7662-4266-811b-b8930c8943e7
time=2023-12-12T07:03:19.48572053Z level=info msg=mutating image wabbitregistry.azurecr.io/net-monitor:v1 component-type=server go.version=go1.20.12 trace-id=6fa865ce-d764-44d2-9fa0-c78e7ae4a3ed
```

## Vuln-6: Verify images with two vuln reports, one older and one fresh

TODO

## Vuln-7: Verify a signed vuln report

TODO
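The Vuln-2, Vuln-3 and Vuln-4 cases above exercise three checks on a vulnerability report (maximum age, disallowed severities, CVE denylist) and the complaint in each case is that the resulting log does not say which check failed. The following is an added example, not Ratify's own code: it applies the three checks to a constructed Trivy-style SARIF document and builds a verifier report whose `message` names the failing check and whose `extensions` keep only the identifiers of the offending findings. The policy key names (`maximumAge`, `disallowedSeverities`, `denylistCVEs`) and the `createdAt`/`severityViolations`/`denylistCVEs` extension names are taken from the logs above; reading the severity from the SARIF rule's `properties.tags` follows Trivy's output format and is an assumption of this example.

```python
"""Vulnerability-report policy checks (added example, not Ratify code)."""
import re
from datetime import datetime, timedelta, timezone

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
DURATION_RE = re.compile(r"^(\d+)([smhd])$")
DURATION_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

# Constructed sample report: the two CVE ids that appear on this page plus one
# placeholder id (CVE-0000-00000 is not a real CVE). Severity sits in the
# rule's properties.tags, as in Trivy's SARIF output (assumption).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-2022-3715", "properties": {"tags": ["vulnerability", "HIGH"]}},
            {"id": "CVE-2023-45853", "properties": {"tags": ["vulnerability", "CRITICAL"]}},
            {"id": "CVE-0000-00000", "properties": {"tags": ["vulnerability", "LOW"]}},
        ]}},
        "results": [
            {"ruleId": "CVE-2022-3715", "message": {"text": "constructed finding 1"}},
            {"ruleId": "CVE-2023-45853", "message": {"text": "constructed finding 2"}},
            {"ruleId": "CVE-0000-00000", "message": {"text": "constructed finding 3"}},
        ],
    }],
}


def parse_duration(text):
    """Parse Go-style durations such as '1h', '24h', '30m', '10s'."""
    match = DURATION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{DURATION_UNITS[match.group(2)]: int(match.group(1))})


def parse_rfc3339(text):
    """Parse the UTC timestamps used in the `createdAt` extension."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def findings(sarif):
    """Yield (cve_id, severity) for every result in the first SARIF run."""
    run = sarif["runs"][0]
    rules = {rule["id"]: rule for rule in run["tool"]["driver"].get("rules", [])}
    for result in run.get("results", []):
        tags = rules.get(result["ruleId"], {}).get("properties", {}).get("tags", [])
        severity = next((t.upper() for t in tags if t.upper() in SEVERITIES), "UNKNOWN")
        yield result["ruleId"], severity


def evaluate(sarif, created_at, policy, now):
    """Return a verifier-report dict for one vulnerability report."""
    report = {"isSuccess": True, "extensions": {"createdAt": created_at}}
    max_age = policy.get("maximumAge")
    # Age check first: a stale report is rejected before its findings are read.
    if max_age and now - parse_rfc3339(created_at) > parse_duration(max_age):
        report["isSuccess"] = False
        report["message"] = ("vulnerability report validation failed: "
                             f"report is older than maximum age:[{max_age}]")
        return report
    disallowed = {s.upper() for s in policy.get("disallowedSeverities", [])}
    denylist = {c.lower() for c in policy.get("denylistCVEs", [])}  # case-insensitive
    severity_violations, denylist_hits = [], []
    for cve, severity in findings(sarif):
        if severity in disallowed:
            severity_violations.append({"id": cve, "severity": severity})
        if cve.lower() in denylist:
            denylist_hits.append(cve)
    problems = []
    if severity_violations:
        report["extensions"]["severityViolations"] = severity_violations
        problems.append(f"{len(severity_violations)} finding(s) with disallowed severity")
    if denylist_hits:
        report["extensions"]["denylistCVEs"] = denylist_hits
        problems.append(f"{len(denylist_hits)} denylisted CVE(s)")
    if problems:
        report["isSuccess"] = False
        report["message"] = "vulnerability report validation failed: " + "; ".join(problems)
    else:
        report["message"] = "vulnerability report validation succeeded"
    return report
```

Evaluating the constructed report with `createdAt` 2023-12-12T05:22:08Z against a clock of 2023-12-12T07:09:20Z (the Vuln-2 timestamps) and `maximumAge: 1h` reproduces the "older than maximum age" failure; with `24h` the severity and denylist checks run and the extensions list only CVE ids rather than whole SARIF result objects.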
## SBOM-1: Wrong constraint and template used in document

The following constraint and template are used:

```
kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml
kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml
```

These are not for SBOM verification. By checking the code repository, the template should be `https://github.com/deislabs/ratify/blob/v1.1.0/library/sbom-validation/template.yaml`; however, a constraint file for SBOM verification is missing.

## SBOM-2: Verify images with compliant SBOM

Result: passed

Config:

```
parameters:
  disallowedPackages:
  disallowedLicenses:
```

QQ: What is the meaning of `"licenseListVersion": "3.20"` in the `extensions` field?

An example of a successful log:

```
time=2023-12-14T06:15:24.120832566Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor:v1: {
  "isSuccess": true,
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor:v1",
      "isSuccess": true,
      "name": "verifier-sbom",
      "type": "sbom",
      "message": "SBOM verification success. No license or package violation found.",
      "extensions": {
        "creationInfo": {
          "created": "2023-12-13T05:35:31Z",
          "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-0.79.0"
          ],
          "licenseListVersion": "3.20"
        }
      },
      "artifactType": "application/spdx+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=641993ca-d121-4730-8a39-0a9a0c6f24c8
```

## SBOM-3: Verify images with a disallowed software license

Result: Passed

Config:

```
parameters:
  disallowedPackages:
  disallowedLicenses:
  - GPL-2.0-only
```

Command:

```
$ kubectl run vuln-sbom-testing --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: wabbitregistry.azurecr.io/net-monitor:v1
```

Logs:

```
time=2023-12-14T06:21:34.214096241Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor:v1: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor:v1",
      "isSuccess": false,
      "name": "verifier-sbom",
      "message": "SBOM validation failed. Please review extensions data for license and package violation found.",
      "extensions": {
        "creationInfo": {
          "created": "2023-12-13T05:35:31Z",
          "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-0.79.0"
          ],
          "licenseListVersion": "3.20"
        },
        "licenseViolations": [
          { "License": "GPL-2.0-only", "Name": "alpine-baselayout", "Version": "3.2.0-r23" },
          { "License": "GPL-2.0-only", "Name": "alpine-baselayout-data", "Version": "3.2.0-r23" },
          { "License": "GPL-2.0-only", "Name": "apk-tools", "Version": "2.12.9-r3" },
          { "License": "GPL-2.0-only", "Name": "busybox", "Version": "1.35.0-r17" },
          { "License": "GPL-2.0-only", "Name": "scanelf", "Version": "1.3.4-r0" },
          { "License": "GPL-2.0-only", "Name": "ssl_client", "Version": "1.35.0-r17" }
        ]
      },
      "artifactType": "application/spdx+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=5f23421d-d2fe-456b-89c7-f41641f310bd
```

## SBOM-4: Verify images with a disallowed software license (not exact match)

Result: Failed

Reason: the configured disallowed license is `GPL-2.0`. The `licenseViolations` list in the `extensions` field missed the packages licensed `GPL-2.0-only`.

Config:

```
parameters:
  disallowedPackages:
  disallowedLicenses:
  - GPL-2.0
```

Logs:

```
time=2023-12-14T06:54:16.171411841Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor:v1: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor:v1",
      "isSuccess": false,
      "name": "verifier-sbom",
      "message": "SBOM validation failed. Please review extensions data for license and package violation found.",
      "extensions": {
        "creationInfo": {
          "created": "2023-12-13T05:35:31Z",
          "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-0.79.0"
          ],
          "licenseListVersion": "3.20"
        },
        "licenseViolations": [
          { "License": "MIT AND LicenseRef-BSD AND GPL-2.0-or-later", "Name": "musl-utils", "Version": "1.2.3-r1" }
        ]
      },
      "artifactType": "application/spdx+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=633bee31-7874-4f6b-a66c-6bb2038cdd20
```

## SBOM-5: Verify images with a disallowed software package by providing the name only

Result: passed

Image: wabbitregistry.azurecr.io/net-monitor:v1

Config:

```
parameters:
  disallowedPackages:
  - name: scanelf
```

Commands:

```
$ kubectl run vuln-sbom-testing --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: wabbitregistry.azurecr.io/net-monitor:v1
```

Logs:

```
time=2023-12-14T06:51:19.519598982Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor:v1: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor:v1",
      "isSuccess": false,
      "name": "verifier-sbom",
      "message": "SBOM validation failed. Please review extensions data for license and package violation found.",
      "extensions": {
        "creationInfo": {
          "created": "2023-12-13T05:35:31Z",
          "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-0.79.0"
          ],
          "licenseListVersion": "3.20"
        },
        "packageViolations": [
          { "License": "GPL-2.0-only", "Name": "scanelf", "Version": "1.3.4-r0" }
        ]
      },
      "artifactType": "application/spdx+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=25edfee1-ab8e-4e2c-815a-8da3708a043d
```

## SBOM-6: Verify images with a disallowed software package by providing both the name and version

Result: passed

Image: wabbitregistry.azurecr.io/net-monitor:v1

Config:

```
parameters:
  disallowedPackages:
  - name: scanelf
    version: 1.3.4-r0
  disallowedLicenses:
```

Logs:

```
time=2023-12-14T06:48:57.560421924Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor:v1: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor:v1",
      "isSuccess": false,
      "name": "verifier-sbom",
      "message": "SBOM validation failed. Please review extensions data for license and package violation found.",
      "extensions": {
        "creationInfo": {
          "created": "2023-12-13T05:35:31Z",
          "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-0.79.0"
          ],
          "licenseListVersion": "3.20"
        },
        "packageViolations": [
          { "License": "GPL-2.0-only", "Name": "scanelf", "Version": "1.3.4-r0" }
        ]
      },
      "artifactType": "application/spdx+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=e9c394f3-5931-4c09-a027-3e222aa00cc3
```

## SBOM-7: Verify images with a disallowed software package by providing both the name and a non-existing version

Result: Passed

Image: wabbitregistry.azurecr.io/net-monitor:v1

Config:

```
disallowedPackages:
- name: scanelf
  version: 2.3.4-r1
```

Version 2.3.4-r1 does not exist in the SBOM.

Logs:

```
time=2023-12-15T02:37:41.467866915Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor:v1: {
  "isSuccess": true,
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor:v1",
      "isSuccess": true,
      "name": "verifier-sbom",
      "type": "sbom",
      "message": "SBOM verification success. No license or package violation found.",
      "extensions": {
        "creationInfo": {
          "created": "2023-12-13T05:35:31Z",
          "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-0.79.0"
          ],
          "licenseListVersion": "3.20"
        }
      },
      "artifactType": "application/spdx+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=e06eee67-4945-4de7-ab5f-2a031df50d24
```

## SBOM-8: Verify images with both a disallowed software package and a disallowed license

Result: Passed

Image: wabbitregistry.azurecr.io/net-monitor:v1

Config:

```
parameters:
  disallowedPackages:
  - name: scanelf
  disallowedLicenses:
  - GPL-2.0
```

Logs:

```
time=2023-12-14T06:45:24.428744817Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor:v1: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor:v1",
      "isSuccess": false,
      "name": "verifier-sbom",
      "message": "SBOM validation failed. Please review extensions data for license and package violation found.",
      "extensions": {
        "creationInfo": {
          "created": "2023-12-13T05:35:31Z",
          "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-0.79.0"
          ],
          "licenseListVersion": "3.20"
        },
        "licenseViolations": [
          { "License": "MIT AND LicenseRef-BSD AND GPL-2.0-or-later", "Name": "musl-utils", "Version": "1.2.3-r1" }
        ],
        "packageViolations": [
          { "License": "GPL-2.0-only", "Name": "scanelf", "Version": "1.3.4-r0" }
        ]
      },
      "artifactType": "application/spdx+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=22466992-11eb-4eef-bdc5-d9f15737c14e
```

## SBOM-9: Verify images with multiple disallowed licenses

Result: Passed

Config:

```
parameters:
  disallowedPackages:
  - name: scanelf
  disallowedLicenses:
  - GPL-2.0-only
  - LicenseRef-AND
```

Logs:

```
time=2023-12-15T03:00:19.563804089Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor:v1: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor:v1",
      "isSuccess": false,
      "name": "verifier-sbom",
      "message": "SBOM validation failed. Please review extensions data for license and package violation found.",
      "extensions": {
        "creationInfo": {
          "created": "2023-12-13T05:35:31Z",
          "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-0.79.0"
          ],
          "licenseListVersion": "3.20"
        },
        "licenseViolations": [
          { "License": "GPL-2.0-only", "Name": "alpine-baselayout", "Version": "3.2.0-r23" },
          { "License": "GPL-2.0-only", "Name": "alpine-baselayout-data", "Version": "3.2.0-r23" },
          { "License": "GPL-2.0-only", "Name": "apk-tools", "Version": "2.12.9-r3" },
          { "License": "GPL-2.0-only", "Name": "busybox", "Version": "1.35.0-r17" },
          { "License": "MPL-2.0 AND LicenseRef-AND AND MIT", "Name": "ca-certificates", "Version": "20220614-r0" },
          { "License": "MPL-2.0 AND LicenseRef-AND AND MIT", "Name": "ca-certificates-bundle", "Version": "20220614-r0" },
          { "License": "BSD-2-Clause AND LicenseRef-AND AND BSD-3-Clause", "Name": "libc-utils", "Version": "0.7.2-r3" },
          { "License": "GPL-2.0-only", "Name": "scanelf", "Version": "1.3.4-r0" },
          { "License": "GPL-2.0-only", "Name": "ssl_client", "Version": "1.35.0-r17" }
        ],
        "packageViolations": [
          { "License": "GPL-2.0-only", "Name": "scanelf", "Version": "1.3.4-r0" }
        ]
      },
      "artifactType": "application/spdx+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=00b3a25b-c121-4ca0-aa32-1ae061e5d979
```

## SBOM-10: Verify images with multiple disallowed packages

Result: Passed

Config:

```
parameters:
  disallowedPackages:
  - name: scanelf
  - name: ssl_client
  - name: yispackage
  disallowedLicenses:
```

Logs:

```
time=2023-12-15T02:54:52.120485621Z level=info msg=verify result for subject wabbitregistry.azurecr.io/net-monitor:v1: {
  "verifierReports": [
    {
      "subject": "wabbitregistry.azurecr.io/net-monitor:v1",
      "isSuccess": false,
      "name": "verifier-sbom",
      "message": "SBOM validation failed. Please review extensions data for license and package violation found.",
      "extensions": {
        "creationInfo": {
          "created": "2023-12-13T05:35:31Z",
          "creators": [
            "Organization: Anchore, Inc",
            "Tool: syft-0.79.0"
          ],
          "licenseListVersion": "3.20"
        },
        "packageViolations": [
          { "License": "GPL-2.0-only", "Name": "scanelf", "Version": "1.3.4-r0" },
          { "License": "GPL-2.0-only", "Name": "ssl_client", "Version": "1.35.0-r17" }
        ]
      },
      "artifactType": "application/spdx+json"
    }
  ]
} component-type=server go.version=go1.20.12 trace-id=39ff48a0-adf0-4caa-8f29-74d30d941b13
```

## Gen-3: Plugin error

The vuln verifications are fine; however, for SBOM verification there seem to be plugin errors, and the error message does not help in understanding the reason.

```
"verifierReports": [
  {
    "subject": "wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e",
    "isSuccess": false,
    "name": "verifier-vulnerabilityreport",
    "type": "vulnerabilityreport",
    "message": "vulnerability report validation failed: report is older than maximum age:[24h]",
    "extensions": {
      "createdAt": "2023-12-12T05:22:08Z"
    },
    "artifactType": "application/sarif+json"
  },
  {
    "subject": "wabbitregistry.azurecr.io/net-monitor@sha256:d9e3524286eb0f273023e62c4fe5d9434d9d8353fdb627745752a36defec1b1e",
    "isSuccess": true,
    "name": "verifier-vulnerabilityreport",
    "type": "vulnerabilityreport",
    "message": "vulnerability report validation succeeded",
    "extensions": {
      "createdAt": "2023-12-13T06:09:31Z",
      "scanner": "trivy"
    },
    "artifactType": "application/sarif+json"
  },
  {
    "isSuccess": false,
    "name": "verifier-sbom",
    "type": "sbom",
    "message": "Original Error: (Original Error: (plugin failed with error: \"time=\\\"2023-12-13T06:10:03Z\\\" level=info msg=\\\"selected default auth provider: dockerConfig\\\"\\n\"), Error: verify plugin failure, Code: VERIFY_PLUGIN_FAILURE, Plugin Name: verifier-sbom, Component Type: verifier), Error: verify reference failure, Code: VERIFY_REFERENCE_FAILURE, Plugin Name: verifier-sbom, Component Type: verifier",
    "artifactType": "application/spdx+json"
  }
]
}
```

## Gen-4: Bad certificate

Env: AKS cluster with policy disabled

NOTE:

- This is not related to the certificate that is used for verifying signatures.
- I met this error several times but not always.

Command:

```
$ kubectl run vuln-sbom-testing --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] System error calling external data provider: failed to send external data request: Post "https://ratify.gatekeeper-system:6001/ratify/gatekeeper/v1/verify": remote error: tls: bad certificate
```

Logs:

```
2023/12/14 06:48:26 http: TLS handshake error from 10.224.0.12:34400: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "gatekeeper-ca")
```

## Gen-5: Sometimes the image was not blocked

See the following commands in order; the sbom-config was kept unchanged. You will see that `kubectl run` worked at the 2nd execution.

Commands:

```
kubectl run vuln-sbom-testing --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] System error calling external data provider: failed to send external data request: Post "https://ratify.gatekeeper-system:6001/ratify/gatekeeper/v1/verify": remote error: tls: bad certificate
yizha@yizha1:~/playground/ratify/1.1.0$
yizha@yizha1:~/playground/ratify/1.1.0$ kubectl run vuln-sbom-testing --image=$image
pod/vuln-sbom-testing created
yizha@yizha1:~/playground/ratify/1.1.0$ kubectl delete po vuln-sbom-testing
pod "vuln-sbom-testing" deleted
yizha@yizha1:~/playground/ratify/1.1.0$
yizha@yizha1:~/playground/ratify/1.1.0$
yizha@yizha1:~/playground/ratify/1.1.0$
yizha@yizha1:~/playground/ratify/1.1.0$ kubectl run vuln-sbom-testing --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] System error calling external data provider: failed to send external data request: Post "https://ratify.gatekeeper-system:6001/ratify/gatekeeper/v1/verify": remote error: tls: bad certificate
yizha@yizha1:~/playground/ratify/1.1.0$
yizha@yizha1:~/playground/ratify/1.1.0$
yizha@yizha1:~/playground/ratify/1.1.0$ kubectl run vuln-sbom-testing --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] System error calling external data provider: failed to send external data request: Post "https://ratify.gatekeeper-system:6001/ratify/gatekeeper/v1/verify": remote error: tls: bad certificate
yizha@yizha1:~/playground/ratify/1.1.0$ kubectl run vuln-sbom-testing --image=$image
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: wabbitregistry.azurecr.io/net-monitor:v1
```

No Ratify logs were produced for the 2nd (successful) execution; the following log was produced after the first failed execution:

```
2023/12/15 02:59:25 http: TLS handshake error from 10.224.0.169:40138: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "gatekeeper-ca")
```

## Open question

### How can I disable a policy?
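Returning to the SBOM cases (SBOM-3 through SBOM-10): the results show package rules matching by name, or by name and exact version (SBOM-7 shows a non-existing version matches nothing), and license rules matching individual identifiers inside an SPDX license expression (SBOM-9 shows `LicenseRef-AND` matching `MPL-2.0 AND LicenseRef-AND AND MIT`), while SBOM-4 shows `GPL-2.0` matching `GPL-2.0-or-later` but not `GPL-2.0-only`. The following is an added example, not Ratify's own code. It evaluates a constructed SPDX 2.3 JSON document, whose package names, versions and license expressions are copied from the logs above, against the `disallowedPackages` / `disallowedLicenses` parameters. The `license_match` argument (`"exact"` or `"substring"`) is this example's own knob, added to show that the SBOM-4 outcome is consistent with neither policy.

```python
"""SBOM license/package policy evaluation (added example, not Ratify code)."""

SPDX_OPERATORS = {"AND", "OR", "WITH", "+"}
NOT_A_LICENSE = {"NOASSERTION", "NONE"}

# Constructed SPDX fragment; package values are taken from the SBOM-3/4/9 logs.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {
        "created": "2023-12-13T05:35:31Z",
        "creators": ["Organization: Anchore, Inc", "Tool: syft-0.79.0"],
        "licenseListVersion": "3.20",
    },
    "packages": [
        {"name": "busybox", "versionInfo": "1.35.0-r17", "licenseDeclared": "GPL-2.0-only"},
        {"name": "ca-certificates", "versionInfo": "20220614-r0",
         "licenseDeclared": "MPL-2.0 AND LicenseRef-AND AND MIT"},
        {"name": "musl-utils", "versionInfo": "1.2.3-r1",
         "licenseDeclared": "MIT AND LicenseRef-BSD AND GPL-2.0-or-later"},
        {"name": "scanelf", "versionInfo": "1.3.4-r0", "licenseDeclared": "GPL-2.0-only"},
    ],
}


def license_ids(expression):
    """Split an SPDX license expression into its license identifiers."""
    tokens = expression.replace("(", " ").replace(")", " ").split()
    return [t for t in tokens
            if t.upper() not in SPDX_OPERATORS and t.upper() not in NOT_A_LICENSE]


def license_matches(license_id, disallowed, mode):
    """Compare one license identifier with one disallowed entry."""
    if mode == "exact":
        return license_id == disallowed
    if mode == "substring":
        return disallowed in license_id
    raise ValueError(f"unknown license_match mode: {mode!r}")


def package_matches(pkg, rule):
    """A rule with only a name matches every version; with a version, only that one."""
    if pkg["name"] != rule["name"]:
        return False
    return "version" not in rule or pkg.get("versionInfo") == rule["version"]


def evaluate_sbom(spdx, policy, license_match="exact"):
    """Return a verifier-report dict for one SPDX document."""
    # `or []` covers the empty `disallowedPackages:` / `disallowedLicenses:`
    # keys in the configs above, which YAML reads as null.
    disallowed_packages = policy.get("disallowedPackages") or []
    disallowed_licenses = policy.get("disallowedLicenses") or []
    license_violations, package_violations = [], []
    for pkg in spdx.get("packages", []):
        expression = pkg.get("licenseDeclared") or pkg.get("licenseConcluded") or "NOASSERTION"
        entry = {"License": expression, "Name": pkg["name"], "Version": pkg.get("versionInfo", "")}
        if any(license_matches(lic, bad, license_match)
               for lic in license_ids(expression) for bad in disallowed_licenses):
            license_violations.append(entry)
        if any(package_matches(pkg, rule) for rule in disallowed_packages):
            package_violations.append(entry)
    report = {"isSuccess": True, "name": "verifier-sbom", "type": "sbom",
              "extensions": {"creationInfo": spdx.get("creationInfo", {})}}
    if license_violations:
        report["extensions"]["licenseViolations"] = license_violations
    if package_violations:
        report["extensions"]["packageViolations"] = package_violations
    if license_violations or package_violations:
        report["isSuccess"] = False
        report["message"] = (f"SBOM validation failed: {len(license_violations)} license "
                             f"violation(s), {len(package_violations)} package violation(s); "
                             "see extensions")
    else:
        report["message"] = "SBOM verification success. No license or package violation found."
    return report
```

With `disallowedLicenses: [GPL-2.0]`, exact matching flags nothing and substring matching flags every `GPL-2.0-only` and `GPL-2.0-or-later` package; the SBOM-4 log, which flags only `musl-utils`, fits neither, which is why that case is marked failed above. Whichever rule a policy engine chooses, the message should say which rule was applied so that an operator can tell a tightened policy from a matching bug.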