mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

chore: update publicKey description (#5789)

* update publicKey description

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api doc

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
shuting 2022-12-27 22:19:26 +08:00 committed by GitHub
parent 631a8e1796
commit c3ab0687bb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 600 additions and 78 deletions

View file

@ -127,9 +127,12 @@ type Attestor struct {
type StaticKeyAttestor struct {
// Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
// specified or can be a variable reference to a key specified in a ConfigMap (see
// https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each
// key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of
// attestors and the count is applied across the keys.
// https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
// elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
// The named Secret must specify a key `cosign.pub` containing the public key used for
// verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
// When multiple keys are specified each key is processed as a separate staticKey entry
// (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
// Specify signature algorithm for public keys. Supported values are sha256 and sha512
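Review bot: The new sentence about "k8s://<namespace>/<secret_name>" in the `PublicKeys` comment says the Secret may live "elsewhere in the cluster" but does not say what read access the verifying controller needs on that Secret, or what happens when the Secret or its `cosign.pub` key is missing. Add a sentence covering both, since a reader will otherwise find out only when verification fails. Also drop the comma in "verification, (see", and consider opening the comment with the field name `PublicKeys` instead of "Keys" so it follows the Go doc-comment convention.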

View file

@ -5833,7 +5833,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
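Review bot: This description repeats the `StaticKeyAttestor` comment word for word, including the stray comma in "verification, (see", and the same paragraph recurs in the following hunks with only the line wrapping changed. If these manifests are generated from the Go types, fix the wording once in the Go comment and regenerate rather than touching each copy, and confirm none of these blocks was edited by hand, so the copies cannot drift from the source comment.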
@ -6179,7 +6185,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -6490,7 +6504,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -9085,7 +9105,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -9450,7 +9478,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -9773,7 +9809,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -12188,7 +12231,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
@ -12519,7 +12568,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -12830,7 +12887,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -15400,7 +15463,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -15765,7 +15836,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -16088,7 +16167,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -18946,7 +19032,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
@ -19292,7 +19384,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -19603,7 +19703,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -22199,7 +22305,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -22564,7 +22678,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -22887,7 +23009,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -25303,7 +25432,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
@ -25634,7 +25769,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -25945,7 +26088,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -28515,7 +28664,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -28880,7 +29037,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -29203,7 +29368,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)

View file

@ -2431,7 +2431,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
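Review bot: The added text lands directly before "When multiple keys are specified each key is processed as a separate staticKey entry", but it does not say whether a "k8s://" reference counts as a single key for that count, or whether a reference can be combined with directly specified keys in the same `publicKeys` value. State that explicitly in the description, and give one concrete value alongside the "<namespace>/<secret_name>" placeholders so the expected form is unambiguous.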
@ -2777,7 +2783,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -3088,7 +3102,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -5683,7 +5703,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -6048,7 +6076,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -6371,7 +6407,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -8786,7 +8829,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
@ -9117,7 +9166,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -9428,7 +9485,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -11998,7 +12061,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -12363,7 +12434,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -12686,7 +12765,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)

View file

@ -2432,7 +2432,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
@ -2778,7 +2784,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -3089,7 +3103,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -5685,7 +5705,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -6050,7 +6078,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -6373,7 +6409,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -8789,7 +8832,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
@ -9120,7 +9169,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
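Review bot: "reference a standard Kubernetes Secret elsewhere in the cluster" permits any namespace, but the description says nothing about the read access the verifier needs on that Secret, or about what happens when the Secret or its `cosign.pub` key is missing. A sentence on the required permission and on the failure behaviour would let operators scope RBAC to the named Secret and know whether verification fails closed.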
@ -9431,7 +9488,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -12001,7 +12064,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -12366,7 +12437,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -12689,7 +12768,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)

View file

@ -5904,7 +5904,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
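Review bot: The reference format is written in double quotes ("k8s://<namespace>/<secret_name>") while the Secret key two lines later is in backticks (`cosign.pub`). Use one convention for both literals, preferably backticks, so the format string reads as a literal value with placeholders.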
@ -6250,7 +6256,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -6561,7 +6575,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -9156,7 +9176,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -9521,7 +9549,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -9844,7 +9880,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -12259,7 +12302,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
@ -12590,7 +12639,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -12901,7 +12958,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -15471,7 +15534,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -15836,7 +15907,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -16159,7 +16238,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -19019,7 +19105,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
@ -19365,7 +19457,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -19676,7 +19776,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -22272,7 +22378,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -22637,7 +22751,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -22960,7 +23082,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -25376,7 +25505,13 @@ spec:
The keys can be directly specified
or can be a variable reference to
a key specified in a ConfigMap (see
https://kyverno.io/docs/writing-policies/variables/).
https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster by
specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys)
@ -25707,7 +25842,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -26018,7 +26161,13 @@ spec:
keys used to verify image signatures.
The keys can be directly specified or
can be a variable reference to a key
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying
it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a key
`cosign.pub` containing the public key
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified each
key is processed as a separate staticKey
entry (.attestors[*].entries.keys) within
@ -28588,7 +28737,15 @@ spec:
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
@ -28953,7 +29110,15 @@ spec:
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format
"k8s://<namespace>/<secret_name>".
The named Secret must specify
a key `cosign.pub` containing
the public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
@ -29276,7 +29441,14 @@ spec:
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)

View file

@ -3723,9 +3723,12 @@ string
<td>
<p>Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
specified or can be a variable reference to a key specified in a ConfigMap (see
<a href="https://kyverno.io/docs/writing-policies/variables/)">https://kyverno.io/docs/writing-policies/variables/)</a>. When multiple keys are specified each
key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of
attestors and the count is applied across the keys.</p>
<a href="https://kyverno.io/docs/writing-policies/variables/)">https://kyverno.io/docs/writing-policies/variables/)</a>, or reference a standard Kubernetes Secret
elsewhere in the cluster by specifying it in the format &ldquo;k8s://<namespace>/<secret_name>&rdquo;.
The named Secret must specify a key <code>cosign.pub</code> containing the public key used for
verification, (see <a href="https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret">https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret</a>).
When multiple keys are specified each key is processed as a separate staticKey entry
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.</p>
</td>
</tr>
<tr>
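Review bot: In the added line "elsewhere in the cluster by specifying it in the format &ldquo;k8s://<namespace>/<secret_name>&rdquo;", the placeholders are unescaped angle brackets inside HTML, so a browser parses them as unknown tags and the rendered format loses both placeholder names. They should be emitted as `&lt;namespace&gt;` and `&lt;secret_name&gt;`. The variables link on the line above also keeps the closing parenthesis inside its href ("https://kyverno.io/docs/writing-policies/variables/)"), so the link target is wrong; rewording the source comment so the URL is not immediately followed by ")" would fix the generated anchor.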