From c3ab0687bbced2bcd048bbaa33d95218898b0f71 Mon Sep 17 00:00:00 2001 From: shuting Date: Tue, 27 Dec 2022 22:19:26 +0800 Subject: [PATCH] chore: update publicKey description (#5789) * update publicKey description Signed-off-by: ShutingZhao * update api doc Signed-off-by: ShutingZhao Signed-off-by: ShutingZhao --- api/kyverno/v1/image_verification_types.go | 9 +- charts/kyverno/templates/crds.yaml | 220 +++++++++++++++++--- config/crds/kyverno.io_clusterpolicies.yaml | 110 ++++++++-- config/crds/kyverno.io_policies.yaml | 110 ++++++++-- config/install.yaml | 220 +++++++++++++++++--- docs/user/crd/index.html | 9 +- 6 files changed, 600 insertions(+), 78 deletions(-) diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index e07e06a6fc..86a6fe2a36 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go 
@@ -127,9 +127,12 @@ type Attestor struct { type StaticKeyAttestor struct { // Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly // specified or can be a variable reference to a key specified in a ConfigMap (see - // https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each - // key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of - // attestors and the count is applied across the keys. + // https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + // elsewhere in the cluster by specifying it in the format "k8s:///". + // The named Secret must specify a key `cosign.pub` containing the public key used for + // verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + // When multiple keys are specified each key is processed as a separate staticKey entry + // (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"` // Specify signature algorithm for public keys. Supported values are sha256 and sha512 diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 39238ef1f2..4141f98321 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml 
@@ -5833,7 +5833,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -6179,7 +6185,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -6490,7 +6504,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within @@ -9085,7 +9105,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -9450,7 +9478,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -9773,7 +9809,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -12188,7 +12231,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -12519,7 +12568,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -12830,7 +12887,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -15400,7 +15463,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -15765,7 +15836,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -16088,7 +16167,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -18946,7 +19032,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -19292,7 +19384,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -19603,7 +19703,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -22199,7 +22305,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -22564,7 +22678,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -22887,7 +23009,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -25303,7 +25432,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -25634,7 +25769,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -25945,7 +26088,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -28515,7 +28664,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -28880,7 +29037,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -29203,7 +29368,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 7a71da016a..bec83ef9b9 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -2431,7 +2431,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -2777,7 +2783,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -3088,7 +3102,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -5683,7 +5703,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -6048,7 +6076,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -6371,7 +6407,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -8786,7 +8829,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -9117,7 +9166,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -9428,7 +9485,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -11998,7 +12061,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -12363,7 +12434,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -12686,7 +12765,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 03869eef67..a9e6fd9cb5 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -2432,7 +2432,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -2778,7 +2784,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -3089,7 +3103,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -5685,7 +5705,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -6050,7 +6078,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -6373,7 +6409,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -8789,7 +8832,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -9120,7 +9169,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -9431,7 +9488,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -12001,7 +12064,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -12366,7 +12437,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -12689,7 +12768,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) diff --git a/config/install.yaml b/config/install.yaml index 2165826a54..bb494ca738 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -5904,7 +5904,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -6250,7 +6256,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -6561,7 +6575,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -9156,7 +9176,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -9521,7 +9549,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -9844,7 +9880,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -12259,7 +12302,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -12590,7 +12639,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -12901,7 +12958,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -15471,7 +15534,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -15836,7 +15907,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -16159,7 +16238,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -19019,7 +19105,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -19365,7 +19457,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -19676,7 +19776,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -22272,7 +22378,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -22637,7 +22751,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -22960,7 +23082,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -25376,7 +25505,13 @@ spec: The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/). + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -25707,7 +25842,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -26018,7 +26161,13 @@ spec: keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within 
@@ -28588,7 +28737,15 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) @@ -28953,7 +29110,15 @@ spec: keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) 
@@ -29276,7 +29441,14 @@ spec: signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/). + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 205c5703a1..c9ec9e3242 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -3723,9 +3723,12 @@ string

Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see -https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each -key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of -attestors and the count is applied across the keys.

+https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret +elsewhere in the cluster by specifying it in the format “k8s:///”. +The named Secret must specify a key cosign.pub containing the public key used for +verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). +When multiple keys are specified each key is processed as a separate staticKey entry +(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
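Review bot: in every CRD description hunk above (the charts/kyverno/templates/crds.yaml and config/install.yaml copies, from @@ -5685 through @@ -29276) the reference format reads `"k8s:///"`, with nothing between the slashes, and the same empty form appears as `“k8s:///”` in the docs/user/crd/index.html hunk, so a policy author reading the CRD cannot tell what the reference must contain (presumably the Secret's namespace and name, since the text says "elsewhere in the cluster"). If the placeholders were written in angle brackets in the Go comment they are being dropped when controller-gen and the doc generator render it; spell them out in a bracket-free form such as `k8s://NAMESPACE/SECRET_NAME` and regenerate all copies so the chart, config and docs agree. While there, drop the stray comma in "the public key used for verification, (see ...)" which is repeated verbatim in all of these hunks.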
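Review bot: the docs/user/crd/index.html hunk is the user-facing copy of this text and should state the two operational consequences of pointing `publicKeys` at a Secret, which none of the hunks mention: the Kyverno controller's ServiceAccount needs RBAC `get` access to Secrets in the referenced namespace or the lookup fails at admission time, and whoever can write that Secret can replace `cosign.pub` and thereby change which image signatures the policy accepts, so the Secret must be protected at least as tightly as the policy that references it. One sentence on each in the `Keys` description (and therefore in the generated CRDs) would let operators scope both the read permission and the write access deliberately.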