[v0.11 backport] Fix ResolveImageConfig to evaluate source policy #4186
Closed
cpuguy83 wants to merge 2 commits into moby:v0.11
Backport 330cf7a to 0.11 branch

This is not a clean cherry-pick due to lots of other interspersed changes (and this change really has to touch code all up and down the stack).

Original commit message:

Before this change, ResolveImageConfig was unaware of source policies. This means that:

1. Images for denied sources may be resolved
2. Image configs may get pulled for sources that are later converted to a different image

The update makes it so the image resolver first runs a given ref through the source policy and uses any mutated ref for the actual resolve (instead of the original ref). It also returns the mutated ref so it can be used correctly by the frontend (e.g. don't want to do llb.Image(oldRef@resolvedDigest)).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The order of rules in policy matters. E.g. in [DENY *, ALLOW ref] mixing the order would deny all sources so map can't be used to deduplicate the rules.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 22d8446)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Member
Looks like build is failing @cpuguy83, looks like some signatures changed?
Member
Author
Yeah I should have opened as draft, I didn't run through tests locally.
Member
Author
Going to close this for now, and opened up #4215 to just backport the rule ordering since there's a bunch more work involved in the
Backport of 330cf7a
This was not clean and so had to be manually backported.
Also brings in a clean cherry-pick of 22d8446
This backport is so we can bring this into moby v24 and have useful source policies.
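The two commit messages above describe order-sensitive rule evaluation and resolving only after the policy has run. The following is an added example, not BuildKit's code: `Rule`, `Evaluate`, `Resolve` and the refs are hypothetical, and it assumes the last matching ALLOW/DENY rule decides, as the `[DENY *, ALLOW ref]` case implies.

```go
package main

import (
	"errors"
	"fmt"
)

// Rule is hypothetical: Action is ALLOW, DENY or CONVERT; Pattern is "*" or an exact ref.
type Rule struct{ Action, Pattern, To string }

var ErrDenied = errors.New("source denied by policy")

// Evaluate walks rules in order. Assumed semantics for this sketch: the last
// matching ALLOW/DENY decides, and CONVERT rewrites the ref later rules see.
func Evaluate(rules []Rule, ref string) (string, error) {
	denied := false
	for _, r := range rules {
		if r.Pattern != "*" && r.Pattern != ref {
			continue
		}
		switch r.Action {
		case "ALLOW":
			denied = false
		case "DENY":
			denied = true
		case "CONVERT":
			ref = r.To
		}
	}
	if denied {
		return "", ErrDenied
	}
	return ref, nil
}

// Resolve evaluates the policy before any registry lookup and returns the
// mutated ref with the digest, so the caller pins the image actually resolved.
func Resolve(rules []Rule, lookup func(string) string, ref string) (string, string, error) {
	ref, err := Evaluate(rules, ref)
	if err != nil {
		return "", "", err
	}
	return ref, lookup(ref), nil
}

func main() {
	lookup := func(r string) string { return "sha256:constructed-for-" + r }
	rules := []Rule{{"DENY", "*", ""}, {"CONVERT", "alpine:latest", "mirror.example/alpine:3.18"}, {"ALLOW", "mirror.example/alpine:3.18", ""}}
	fmt.Println(Resolve(rules, lookup, "alpine:latest"))
}
```

Swapping the first two rules of an allow-list changes the outcome, which is why the rule list cannot be passed through an unordered map.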