[🐛] snyk/kubernetes-monitor GCP Container Registry #1376

Open
oleksandrs-adorama opened this issue Oct 6, 2023 · 1 comment

oleksandrs-adorama commented Oct 6, 2023

  • kubernetes-monitor version [e.g. v2.4.13]
  • Cloud runtime [GKE]

Expected behaviour

Authentication to private container registries should work.

Actual behaviour

The kubernetes-monitor Pod cannot pull the image for scanning and has errors:

{"name":"kubernetes-monitor","hostname":"snyk-kubernetes-monitor-8fdcf4ccc-mh4ls","pid":7,"level":40,"message":"WARNING: Could not setup log file in /srv/app/.config/gcloud/logs, (OSError: [Errno 30] Read-only file system: '/srv/app/.config/gcloud'.\nThe configuration directory may not be writable. To learn more, see https://cloud.google.com/sdk/docs/configurations#creating_a_configuration\nERROR: gcloud crashed (OSError): [Errno 30] Read-only file system: '/srv/app/.config/gcloud'\n\nIf you would like to report this issue, please run the following command:\n  gcloud feedback\n\nTo check gcloud for common problems, please run the following command:\n  gcloud info --run-diagnostics\ntime=\"2023-10-06T09:37:10Z\" level=fatal msg=\"initializing source docker://gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2: getting username and password: 1 error occurred:\\n\\t* error getting credentials - err: exit status 1, out: ``\\n\\n\"\n","bin":"skopeo","loggableArguments":["copy","--dest-compress-level","6","docker://gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2","docker-archive:/var/tmp/gcr_io_****_****_0_0_90_2076038_623683417.tar"],"msg":"child process failure","time":"2023-10-06T09:37:10.828Z","v":0}

{"name":"kubernetes-monitor","hostname":"snyk-kubernetes-monitor-8fdcf4ccc-mh4ls","pid":7,"level":50,"error":{"message":"`skopeo copy --dest-compress-level 6 --src-cert-dir /srv/app/certs docker://gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2 docker-archive:/var/tmp/gcr_io_****_****_0_0_90_2076038_623683417.tar` failed with code 1","name":"ChildProcessError","stack":"ChildProcessError: `skopeo copy --dest-compress-level 6 --src-cert-dir /srv/app/certs docker://gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2 docker-archive:/var/tmp/gcr_io_****_****_0_0_90_2076038_623683417.tar` failed with code 1\n    at ChildProcess.<anonymous> (/srv/app/node_modules/child-process-promise/lib/index.js:132:23)\n    at ChildProcess.emit (node:events:513:28)\n    at ChildProcess.emit (node:domain:489:12)\n    at maybeClose (node:internal/child_process:1100:16)\n    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)","code":1},"image":"gcr.io/****/****@sha256:62a442d3d2cf1d72758994e66767f2f6dbc8d2e4b5d9886d393509725d5222f2","msg":"failed to pull image docker/oci archive image","time":"2023-10-06T09:37:10.829Z","v":0}

Steps to reproduce

I have private GCP container registries. I created a dockercfg.json which includes:

  "credHelpers": {
    "us.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud",
    "gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud"
  }

How I was able to fix this issue

Added to Deployment

  extraVolumes:
    - name: config-gcloud
      emptyDir:
         sizeLimit: 500Mi

  extraVolumeMounts:
    - name: config-gcloud
      mountPath: /srv/app/.config/gcloud

johnjelinek commented Oct 26, 2023

I see from the deployment that this env var is set:

CLOUDSDK_CONFIG: /var/tmp/gcloud

And I even see logs in /var/tmp/gcloud/logs/. So, I wonder why node isn't putting logs in there. I bet CLOUDSDK_CONFIG needs to be passed here:

const env: Record<string, string | undefined> = {
  // The Azure CR credentials helper requires these env vars:
  AZURE_CLIENT_ID: process.env.AZURE_CLIENT_ID,
  AZURE_TENANT_ID: process.env.AZURE_TENANT_ID,
  AZURE_FEDERATED_TOKEN_FILE: process.env.AZURE_FEDERATED_TOKEN_FILE,
  AZURE_FEDERATED_TOKEN: process.env.AZURE_FEDERATED_TOKEN,
  AZURE_AUTHORITY_HOST: process.env.AZURE_AUTHORITY_HOST,
};
await processWrapper.exec('skopeo', env, ...args);
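
The two fixes discussed in this issue, modelled as a preflight check (an added example, not part of the thread and not code from kubernetes-monitor). It assumes the exec wrapper hands the child only an allowlisted environment, that HOME is /srv/app (inferred from the path in the error log) and that /var/tmp is the only writable mount by default; `buildChildEnv`, `gcloudConfigDir`, `isWritable` and `preflight` are hypothetical names.

```typescript
// Added example: names and paths are assumptions based on the log and comments above.
type Env = Record<string, string | undefined>;

// Child receives only the allowlisted names (assumed: the wrapper replaces, not merges, the env).
function buildChildEnv(parent: Env, allow: string[]): Env {
  const child: Env = {};
  for (const name of allow) {
    if (parent[name] !== undefined) child[name] = parent[name];
  }
  return child;
}

// gcloud uses CLOUDSDK_CONFIG when set, otherwise $HOME/.config/gcloud.
function gcloudConfigDir(env: Env): string {
  return env.CLOUDSDK_CONFIG ?? `${env.HOME ?? ""}/.config/gcloud`;
}

// With a read-only root filesystem, only paths at or under a writable mount can be written.
function isWritable(dir: string, writableMounts: string[]): boolean {
  return writableMounts.some((m) => {
    const mount = m.replace(/\/+$/, "");
    return dir === mount || dir.startsWith(mount + "/");
  });
}

interface Preflight { configDir: string; ok: boolean }

// Where will the gcloud credential helper write, and can it?
function preflight(parent: Env, allow: string[], writableMounts: string[]): Preflight {
  const configDir = gcloudConfigDir(buildChildEnv(parent, allow));
  return { configDir, ok: isWritable(configDir, writableMounts) };
}

// Constructed pod environment (CLOUDSDK_CONFIG value as quoted in the comment above).
const podEnv: Env = { HOME: "/srv/app", PATH: "/usr/bin", CLOUDSDK_CONFIG: "/var/tmp/gcloud" };
const baseAllow = ["HOME", "PATH", "AZURE_CLIENT_ID"];

// 1. As reported: CLOUDSDK_CONFIG is not forwarded, only /var/tmp is writable.
const reported = preflight(podEnv, baseAllow, ["/var/tmp"]);
// 2. Reporter's fix: emptyDir mounted over the default config directory.
const emptyDirFix = preflight(podEnv, baseAllow, ["/var/tmp", "/srv/app/.config/gcloud"]);
// 3. Commenter's suggestion: forward CLOUDSDK_CONFIG to the child process.
const envFix = preflight(podEnv, [...baseAllow, "CLOUDSDK_CONFIG"], ["/var/tmp"]);

console.log({ reported, emptyDirFix, envFix });
```

Both fixes keep the root filesystem read-only; the emptyDir route adds a second writable path, while forwarding CLOUDSDK_CONFIG reuses the one that already exists.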
