-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🔊 New container images security assessments #30850
Comments
I'll take the bait and ask the obvious question; why was this a minor version release? You've probably broken thousands of dev workflows and pipelines. I understand the why and I appreciate the easy workaround, but I dont understand the version scheme here. |
Bitnami: introduces breaking changes |
I must be stupid, but eventhough this post is long, I don't understand what I'm supposed to do. So I just ignored the error and set |
They basically just don't want you to use non-bitnami images in their helm charts because its too annoying to support. This is totally fine and reasonable, but they're masquerading it as both a security issue (very questionable) and a minor version (absolutely not), which is disappointing. That said, the vast majority of us are probably just using all this for free so... 🤷🏻♂️ |
Bitnami team, are you aware that pulling through a mirror or remote cache is a standard practice in enterprise environments? Could you clarify what the security mechanism is actually verifying? The repository and image name? |
Yeah, we're overriding the images (which |
Can confirm that we pull our images through a proxy and our Continuous Deilvery fails now. |
✋ using a pull-through cache. Even for those genuinely using different images, that doesn't mean those images are 'insecure'!
What sort of review process did this go through? |
Should this not work with public ECR bitnami images too? EDIT: I see the commercial intent behind this to encourage uptake in Bitnami commercial subscriptions ❤️ - luckily I use shared Github Action workflows, so only needed to |
Thanks for your feedback. We hear your comments and suggestions, and as always, will take them into account for future changes. We work to make this change as simple and smooth as possible, with an easy-to-follow approach to bypass the error. Why did we make this a minor version release?Bitnami's policy for versioning Helm charts is to release a major version for anything that could break the service upgrade or persistent data:
The supply chain integrity check only affects an optional property of the chart for users who are overwriting the path of the images. It does not affect the previously deployed application during the upgrade; the error is thrown when evaluating the template. Why we introduced a supply chain integrity checkThe Helm charts have included a warning since May ‘24. We have seen multiple instances where users substituting non-Bitnami or modified images experienced serious security problems, which is why we introduced this check and a simple workaround that ensures awareness when non-standard images are substituted. Commercial Bitnami images are available for business use cases.We made this change concurrently with the release of our commercial product, Bitnami Premium. Bitnami Premium raises the security level for Bitnami Premium and Tanzu Application Catalog with SLSA level 3 in-toto attestations and cryptographic signatures for images and charts. Those security improvements make it easier to mirror or cache commercial Bitnami containers and Helm charts without setting a flag during deployment. You can read more in our blog post. |
This change breaks the service upgrade, as the the Helm chart's templates no longer complete evaluation when using values that previously compatible with the deployed configuration. This isn't a minor version update of the Helm chart. |
It appears that this breaking change was introduced to align with, and potentially promote, your new commercial offering rather than serving a purely technical or user-driven purpose.
Claiming that this change enhances security is not entirely accurate. Using the default image does not inherently guarantee the integrity of the deployed image, as true verification can only be achieved by validating its hash. Likewise, using a different image does not necessarily result in a less secure deployment. I therefore see the name of this parameter as counterintuitive and misleading. |
what about the official |
If I enable |
I'd suggest to follow the sem version policy strictly. If this is a minor version release, the default value of |
Helper checks image URL, breaking all mirrors and pull-through caches, even if used image is the official one. |
maybe instead of declaring everything except bitnami as insecure maybe let us decide which sources are trustworthy? |
There seems to be no interest from Bitnami to change anything... This is obviously a push for Bitnami premium. It's obviously fine that you want to profit from your work, but stating that non-bitnami repositories are, by default, unsafe and a security flaw is not only wrong but ethically questionable. With no changes to this policy don't expect me to buy anything from Bitnami. I know I'm just a drop in the bucket, but since our words are not being listened to, maybe our money will. |
This is the first step in monetizing. We already have examples of this strategy. Open source has started to be more like a temporary mask until they hook you, and after that, you are forced to pay, already hooked. I have nothing against making money, but don't use the principle of "open source" and then you force users to use their card. More and more I want to shift to the old school where open source was driven 100% by communities and not companies. I see big companies getting into the open source (and I was happy about it) but I was so naive! I think they want to control the open source tro' all kinds of "best practices and security"! Risks will always be. Every time you step out of your house you increase the risk of happening something to you. This means I don't need to step out of my house ? Shame on you! No worries I will build my own charts, I don't need yours! Like this, I will keep my freedom! |
It's all okay guys... just add |
On December 10th, 2024, we released a minor version for every Helm chart in the Bitnami catalog. This minor version introduced a new security mechanism to detect the usage of non-standard containers while installing or upgrading Helm chart releases.
Replacing the original containers that are shipped with the charts will result in installation errors like the one below:
FAQ
Why did Bitnami introduce this mechanism?
There are several reasons to introduce this change:
Can I use different image tags?
Yes, replacing default image tags is considered a valid use case. For instance, a user might be interested in using the Bitnami PostgreSQL chart using Bitnami PostgreSQL 15.x container images (note the chart uses 16.x images by default).
That said, it is expected that you see some warnings on the chart notes given that the specific chart & image combination wasn't tested and validated by Bitnami on any platform.
Can I skip the security verification?
Yes, we introduced a new global parameter on every chart that can be used for that purpose, see:
At your own risk, you bypass the verification specifying the parameter adding the
--set global.security.allowInsecureImages=true
argument tohelm install
orhelm upgrade
commands or, alternatively, adding the block below to your values YAML file:Should I expect any issues upgrading my existing chart releases?
No issue is expected if you upgrade your existing releases using original container images. If you replace them, you'll have to skip the security verification.
Should I expect errors consuming Bitnami charts from mirror registries?
Yes. It is expected that you face installation errors while consuming Bitnami chart from mirror registries given the security mechanism will detect original images are not used. To continue using mirror registries, you'll have to skip the security verification.
I built my custom image extending a Bitnami container image, should I expect errors?
Yes. Custom images, even if they're extensions of original Bitnami container images, would be detected by the security mechanism and it is expected to face installation errors. To use your custom image, you'll have to skip the security verification at your own risk.
The text was updated successfully, but these errors were encountered: