
[Bug] ApprovedImage validation and error handling failures #226

@yalzhang

Description:
ApprovedImage resources with invalid images are accepted at admission time but fail silently.

Reproduce:

$ cat approvedimage_invalid.yaml
apiVersion: trusted-execution-clusters.io/v1alpha1
kind: ApprovedImage
metadata:
  name: invalid-digest
  namespace: confidential-clusters
spec:
  image: quay.io/trusted-execution-clusters/fedora-coreos@sha256:invalid

$ oc apply -f approvedimage_invalid.yaml
approvedimage.trusted-execution-clusters.io/invalid-digest created

$ oc get approvedimage invalid-digest
NAME             AGE
invalid-digest   46s

$ oc logs deployment.apps/confidential-cluster-operator | grep -i fail
[WARN  operator::reference_values] PCR computation for invalid-digest failed: invalid reference format
[WARN  operator::reference_values] PCR computation for invalid-digest failed: invalid reference format
[WARN  operator::reference_values] PCR computation for invalid-digest failed: invalid reference format
[WARN  operator::reference_values] PCR computation for invalid-digest failed: invalid reference format

Expected:
Reject at admission time, report error like:
Error from server (BadRequest): spec.image: Invalid value: "sha256:invalid": digest must be 64 hex characters
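
The check requested above, as an added example in Rust (not the operator's code and not part of the original report): a digest validator that produces the error text from the "Expected" section, suitable for an admission-time hook. The names `validate_image_ref` and `invalid` are hypothetical, and requiring a digest rather than a tag is an assumption of this example.

```rust
// Added example, not the operator's code: validate the digest of an image
// reference up front, so a bad value is rejected instead of failing later
// with only a WARN line in the operator log.

/// Error text modelled on the message the issue asks for.
fn invalid(value: &str, reason: &str) -> String {
    format!("spec.image: Invalid value: \"{value}\": {reason}")
}

/// Hypothetical helper: accepts only `<name>@sha256:<64 hex>`.
/// Assumption: ApprovedImage references must be pinned by digest.
pub fn validate_image_ref(image: &str) -> Result<(), String> {
    let (name, digest) = image
        .rsplit_once('@')
        .ok_or_else(|| invalid(image, "image must be pinned by digest"))?;
    if name.is_empty() {
        return Err(invalid(image, "image name is empty"));
    }
    let (algo, hex) = digest
        .split_once(':')
        .ok_or_else(|| invalid(digest, "digest must be <algorithm>:<hex>"))?;
    if algo != "sha256" {
        return Err(invalid(digest, "only sha256 digests are supported"));
    }
    // SHA-256 output is 32 bytes; the OCI digest grammar encodes it as
    // exactly 64 lowercase hex characters.
    let ok = hex.len() == 64
        && hex.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'));
    if !ok {
        return Err(invalid(digest, "digest must be 64 hex characters"));
    }
    Ok(())
}

fn main() {
    // Constructed inputs: the reference from the issue and a well-formed one.
    let base = "quay.io/trusted-execution-clusters/fedora-coreos";
    let bad = format!("{base}@sha256:invalid");
    let good = format!("{base}@sha256:{}", "ab".repeat(32));
    for image in [bad.as_str(), good.as_str()] {
        match validate_image_ref(image) {
            Ok(()) => println!("accepted: {image}"),
            Err(e) => println!("rejected: {e}"),
        }
    }
}
```

The same function can also back a status condition on the resource, so that references which slip past admission do not fail silently.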
