Recognize Child Images Defined In Promotion Manifests #402

Open
tylerferrara opened this issue Aug 12, 2021 · 13 comments
Labels
  • area/release-eng: Issues or PRs related to the Release Engineering subproject
  • help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • lifecycle/stale: Denotes an issue or PR has remained open with no activity and has become stale.
  • sig/k8s-infra: Categorizes an issue or PR as relevant to SIG K8s Infra.
  • sig/release: Categorizes an issue or PR as relevant to SIG Release.

Comments

@tylerferrara
Contributor

tylerferrara commented Aug 12, 2021

What would you like to be added:

If a child image is defined within a sub-project's promotion manifest, it will not be seen by the Auditor since the parent image (manifest list) is under a different name. Our incoming child image will never match an existing child definition, because it's under a different name.

Example

Most manifest lists look something like this:

# k8s.io/k8s.gcr.io/images/k8s-staging-sub-project/images.yaml
- name: logger
  dmap:
    "sha256:c4151a15c8439265d98f66d25ef17964e9e975d894822a54ed7e72db78dba6c6": ["parent"]
- name: logger-amd
  dmap:
    "sha256:2c9c8df42ac7525e556bbff81aa9a62960888c69d5faad4aad408893bc95cbc9": ["child_amd"]
- name: logger-arm
  dmap:
    "sha256:a41a91e366e973da0bfd6fce44ba131d561ab435119ff7e1050d1e226a06dbda": ["child_arm"]

If the logger image is of mediaType: manifest.list (a parent image) which contains both logger-amd and logger-arm images, our Auditor does not recognize that these children are actually defined within the promotion manifest. The incoming Pub/Sub message for a child image of logger looks like this:

gcr.io/k8s-sub-project/logger@sha256:2c9c8df42ac7525e556bbff81aa9a62960888c69d5faad4aad408893bc95cbc9

If you look carefully, this image does not exist! But in actuality, this is the child image logger-amd we defined within the promotion manifest. Since this is what an incoming Pub/Sub child image looks like, we must widen our criteria for linking images with a promotion manifest.

Why is this needed:

Looking at the sha256 digest, instead of the fully qualified image name (FQIN), the Auditor will be able to recognize incoming child images if they are defined in a promotion manifest. Not all sub-projects explicitly define child images; however, for the ones that do follow this convention, the verification will not require a full read of the source registry. This change has the potential to dramatically decrease the number of HTTP requests sent to GCR if all child images can be found in the kubernetes/k8s.io repository. The result of this feature would reduce the number of instances the Auditor exceeds GCR Quotas and causes false alarms (Issue: Noisy Auditor).

cc: @listx @amwat @justaugustus @kubernetes-sigs/release-engineering

@tylerferrara tylerferrara added area/release-eng Issues or PRs related to the Release Engineering subproject kind/feature Categorizes issue or PR as related to a new feature. sig/release Categorizes an issue or PR as relevant to SIG Release. wg/k8s-infra labels Aug 12, 2021
@tylerferrara tylerferrara changed the title from "Audit Defined Child Images" to "Recognize Child Images Defined In Promotion Manifests" Aug 12, 2021
@justaugustus
Contributor

@tylerferrara -- in "What would you like to be added", would you mind adding a few lines about the requested feature?

You jump into a problem statement, but this should also include a crisp statement about the feature you're interested in seeing implemented.

@justaugustus justaugustus added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Sep 14, 2021
@k8s-ci-robot k8s-ci-robot added sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. and removed wg/k8s-infra labels Sep 30, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 29, 2021
@cpanato
Member

cpanato commented Dec 29, 2021

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 29, 2021
@k8s-triage-robot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 29, 2022
@justaugustus justaugustus removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 6, 2022
@k8s-triage-robot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 5, 2022
@xmudrii
Member

xmudrii commented Jul 6, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 6, 2022
@k8s-triage-robot

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 4, 2022
@xmudrii
Member

xmudrii commented Oct 4, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 4, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 8, 2023
@varshith257

After going through the context of this issue, I have an approach in mind:

To address the issue of recognizing child images defined in promotion manifests, we need to update the auditor logic to match incoming child images based on their SHA256 digest rather than the fully qualified image name (FQIN). We also need to ensure the auditor parses the promotion manifests to extract all child images along with their associated SHA256 digests and store these mappings in a data structure for quick lookup.

When a Pub/Sub message for an incoming image is received, extract the SHA256 digest from the image URL and compare this digest against the stored digests from the promotion manifests. If a match is found, recognize the image as a valid child image defined in the promotion manifest and proceed with the usual auditing process for matched images.

For this, we need to define the necessary data structures to hold the manifest information, something like the following:

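// ManifestEntry is one image entry in a promotion manifest.
type ManifestEntry struct {
    Name string              `json:"name"`
    Dmap map[string][]string `json:"dmap"` // digest -> tags
}

// Auditor indexes the digests declared in the promotion manifests.
type Auditor struct {
    ManifestDigests map[string]string // digest -> manifest image name
}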

The logic for loading and parsing the promotion manifest to extract and store SHA256 digests for child images would look like the following:

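import (
    "log"
    "os"

    "sigs.k8s.io/yaml"
)

// LoadManifests reads each promotion manifest and indexes its digests.
func (a *Auditor) LoadManifests(manifestFiles []string) {
    for _, file := range manifestFiles {
        data, err := os.ReadFile(file)
        if err != nil {
            log.Fatalf("Failed to read manifest file: %v", err)
        }
        var manifests []ManifestEntry
        // The manifests are YAML (images.yaml). sigs.k8s.io/yaml converts to
        // JSON first, so the json struct tags on ManifestEntry still apply.
        if err := yaml.Unmarshal(data, &manifests); err != nil {
            log.Fatalf("Failed to unmarshal manifest data: %v", err)
        }
        a.ParseManifest(manifests)
    }
}

// ParseManifest records digest -> image name for every manifest entry.
func (a *Auditor) ParseManifest(manifests []ManifestEntry) {
    if a.ManifestDigests == nil {
        a.ManifestDigests = make(map[string]string) // avoid writing to a nil map
    }
    for _, entry := range manifests {
        for digest := range entry.Dmap {
            a.ManifestDigests[digest] = entry.Name
        }
    }
}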

Similarly, we must implement the logic to recognize incoming child images based on these stored digests, so that the Auditor can effectively recognize child images defined in promotion manifests, improving both efficiency and accuracy.

cc: @justaugustus @xmudrii @kubernetes-sigs/release-engineering WDYT? Correct me if anything is wrong in my approach.
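
The digest-first lookup requested in this issue and outlined in the comment above, as an added example; it is not the promoter's code and not part of any comment. `DigestIndex`, `Add`, `Match` and the `destRepo` check are hypothetical names and assumptions; the digests and the Pub/Sub reference are the ones shown in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Canonical sha256 digest only: lowercase hex, exactly 64 characters.
var digestRE = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// DigestIndex (hypothetical type) maps a digest to every manifest image name
// declaring it, so a digest listed under two names is not silently overwritten.
type DigestIndex map[string][]string

// Add records that manifest image `name` declares `digest`.
func (idx DigestIndex) Add(name, digest string) error {
	if !digestRE.MatchString(digest) {
		return fmt.Errorf("manifest entry %q: malformed digest %q", name, digest)
	}
	idx[digest] = append(idx[digest], name)
	return nil
}

// Match resolves a Pub/Sub reference "repo/image@sha256:..." by digest alone.
// destRepo is the repository the manifest promotes into (assumed known to the
// caller); a known digest arriving under any other repository is rejected.
func (idx DigestIndex) Match(ref, destRepo string) ([]string, error) {
	repo, digest, ok := strings.Cut(ref, "@")
	if !ok || !digestRE.MatchString(digest) {
		return nil, fmt.Errorf("not a digest reference: %q", ref)
	}
	if !strings.HasPrefix(repo, destRepo+"/") {
		return nil, fmt.Errorf("repository %q is outside %q", repo, destRepo)
	}
	names, found := idx[digest]
	if !found {
		return nil, fmt.Errorf("digest %s is in no promotion manifest", digest)
	}
	return names, nil
}

func main() { // entries and reference below are the ones shown in the issue
	idx := DigestIndex{}
	idx.Add("logger", "sha256:c4151a15c8439265d98f66d25ef17964e9e975d894822a54ed7e72db78dba6c6")
	idx.Add("logger-amd", "sha256:2c9c8df42ac7525e556bbff81aa9a62960888c69d5faad4aad408893bc95cbc9")
	idx.Add("logger-arm", "sha256:a41a91e366e973da0bfd6fce44ba131d561ab435119ff7e1050d1e226a06dbda")
	fmt.Println(idx.Match("gcr.io/k8s-sub-project/logger@sha256:2c9c8df42ac7525e556bbff81aa9a62960888c69d5faad4aad408893bc95cbc9", "gcr.io/k8s-sub-project"))
}
```

The reference arrives under the parent's name `logger`, yet the lookup returns `logger-amd` because only the digest is compared; the repository prefix check keeps a digest match from vouching for an image in an unrelated repository.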

@varshith257

/honk

@k8s-ci-robot
Contributor

@varshith257:
goose image

In response to this:

/honk

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@varshith257

PTAL @xmudrii @cpanato for my approach


7 participants