The cos-auditd daemonset deploys 2 images. The cos-auditd-fluent-bit image comes from gke.gcr.io, which is internal to GCP. However, the cos-auditd-setup init container pulls its ubuntu image from docker.io.

Inside a VPC Service Perimeter that routes traffic through a PSC, docker.io pulls fail with an x509 error:

Failed to pull image "ubuntu": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/ubuntu/latest": failed to resolve reference "docker.io/library/ubuntu:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/ubuntu/manifests/latest": x509: certificate signed by unknown authority

Additionally, I believe that if the cluster could successfully reach docker.io, the pull would still fail due to binary authorization attestation policies.

If possible, can the init container's image be hosted on a repository that is included in GCP's default binary authorization whitelist (preferably gke.gcr.io)? This would resolve both issues.
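A defender-side check for the situation the issue describes, added here as an example and not part of the issue or the cos-auditd project: it applies the same registry-expansion rule containerd uses (a bare "ubuntu" becomes docker.io/library/ubuntu:latest, the reference seen in the x509 error) to every container and init container in a pod spec and flags images that resolve outside an allowlist. The allowlist contents, the fluent-bit image tag and the pod spec are constructed assumptions.

```python
"""Flag pod images that resolve to registries outside an allowlist.

Added example, not code from the issue or the cos-auditd project. The pod
spec below is constructed from the issue's description (two images, one of
them a bare docker.io reference in an init container), not the real manifest.
"""
import json

# Assumption: registries the perimeter can reach and that are covered by the
# default Binary Authorization allowlist the issue refers to.
ALLOWED_REGISTRIES = {"gke.gcr.io", "gcr.io"}


def registry_of(image: str) -> str:
    """Return the registry host an image reference resolves to.

    Docker/containerd rule: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise the image is on docker.io
    (so "ubuntu" -> docker.io, exactly as in the error message above).
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def offending_images(pod_spec: dict) -> list:
    """List (kind, container name, image, registry) for non-allowlisted images.

    Init containers are checked as well: the failing pull in the issue is one.
    """
    findings = []
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            reg = registry_of(c["image"])
            if reg not in ALLOWED_REGISTRIES:
                findings.append((kind, c["name"], c["image"], reg))
    return findings


# Constructed sample modelled on the two images the issue describes;
# the fluent-bit tag is a placeholder, not the project's real tag.
SAMPLE_SPEC = json.loads("""{
  "initContainers": [{"name": "cos-auditd-setup", "image": "ubuntu"}],
  "containers": [{"name": "cos-auditd-fluent-bit",
                  "image": "gke.gcr.io/fluent-bit:placeholder-tag"}]
}""")

if __name__ == "__main__":
    for kind, name, image, reg in offending_images(SAMPLE_SPEC):
        print(f"{kind}/{name}: {image} resolves to {reg}, not allowlisted")
```

On a live cluster the same function can be fed `kubectl get daemonset <name> -o json` output (the spec sits under `.spec.template.spec`) to catch such images before a perimeter or attestation policy blocks them at pull time.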