kyverno: [Bug] UNAUTHORIZED: unauthorized to access repository error in verify image policy

Kyverno Version

1.9.1

Kubernetes Version

1.23.x

Kubernetes Platform

EKS

Kyverno Rule Type

verifyImages

Description

Verify images is failing after upgrading kyverno to 1.9.1. I have --imagePullSecrets={} in the kyverno args, but I’m getting an UNAUTHORIZED: unauthorized to access repository error. For reference, I was using kyverno version 1.8.x before the upgrade without any problems.

Steps to reproduce

This is the clusterpolicy I used.

# Source: cluster-policy/templates/verify-image.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image
spec:
  validationFailureAction: enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail
  rules:
    - name: verify-image
      match:
        any:
        - resources:
            kinds:
              - Pod
            namespaces:
              - kyverno-test
      exclude:
        any:
        - resources:
      verifyImages:
      - imageReferences:
        - {MY REPO}
        mutateDigest: false
        verifyDigest: false
        attestors:
        - count: 1
          entries:
          - keys:
              publicKeys: |-
                {MY KEY}

Expected behavior

verify image success

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 26 (12 by maintainers)

Most upvoted comments

I had the same issue in 2.7.2 helm charts. I added verb “get” for resource “secrets” in kyverno/templates/clusterrole.yaml in ClusterRole kyverno:generate

That solved the problem for me.
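
An added example (not part of the comment above or of the Kyverno project): a Python check that evaluates a ClusterRole exported as JSON and reports whether it grants `get` on `secrets`, the permission the comment above reports adding to `kyverno:generate`. The rule contents are constructed sample data, and `regcred` in the test is a hypothetical secret name.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrole kyverno:generate -o json`.
# The rules are illustrative, not the chart's real rules.
BEFORE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "kyverno:generate"},
 "rules": [
   {"apiGroups": [""], "resources": ["configmaps", "secrets"],
    "verbs": ["create", "update", "delete", "list"]},
   {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": ["get"]}
 ]}
""")
# Same role with the rule from the comment applied: verb "get" on resource "secrets".
AFTER = json.loads(json.dumps(BEFORE))
AFTER["rules"].append({"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]})


def _matches(values, wanted):
    """RBAC list match: '*' covers everything, otherwise an exact entry is needed."""
    return "*" in values or wanted in values


def rule_allows(rule, verb, resource, api_group="", name=None):
    """Evaluate one RBAC PolicyRule against a request for a namespaced resource."""
    if "resources" not in rule:  # rule only covers nonResourceURLs
        return False
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule["resources"], resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames") or []
    # Empty resourceNames means every object; otherwise the name must be listed.
    return not names or (name is not None and name in names)


def role_allows(role, verb, resource, api_group="", name=None):
    """RBAC is additive, so a single matching rule grants the request."""
    return any(rule_allows(r, verb, resource, api_group, name)
               for r in role.get("rules", []))


if __name__ == "__main__":
    for label, role in (("before", BEFORE), ("after", AFTER)):
        print(label, "-> get secrets allowed:", role_allows(role, "get", "secrets"))
```

Note that `list` on secrets in the sample "before" role does not imply `get`; the two verbs are evaluated separately.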

Closing as resolved in 1.10.2. Patch should be available in the next couple of weeks.

@chipzoller Hi, sorry for the late reply, I was not using image verify policy for the above issue. I installed the latest kyverno and am testing to enable image verify again, but I found some interesting results related to the above issue. I’m getting the UNAUTHORIZED error the first time I run kyverno and no errors after that, so I’m wondering if there’s something to this issue?

I’m using the following environment:

  • kyverno: chart version 3.0.2 / app version v1.10.1
  • kubernetes: 1.24

and I use harbor for the repository.

Error log

verify-image-test:
  autogen-verify-image: 'failed to verify image harbor.com/test/test:1.0.3:
    .attestors[0].entries[0].keys: GET https://harbor.com/v2/test/test/manifests/1.0.3:
    UNAUTHORIZED: unauthorized to access repository: test/test,
    action: pull: unauthorized to access repository: test/test,
    action: pull; .attestors[0].entries[1].keys: GET https://harbor.com/v2/test/test/manifests/1.0.3:
    UNAUTHORIZED: unauthorized to access repository: test/test,
    action: pull: unauthorized to access repository: test/test,
    action: pull'