
Fixed issue-4530: Added separate attestor type for secrets and KMS (#4733)

Signed-off-by: Pratik Shah <pratik@infracloud.io>

Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>
This commit is contained in:
Pratik Shah 2022-10-14 15:10:46 +05:30 committed by GitHub
parent 064980bd9a
commit caab013a86
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 1501 additions and 20 deletions


@ -121,7 +121,7 @@ func Test_ImageVerification(t *testing.T) {
errors: func(i *ImageVerification) field.ErrorList {
return field.ErrorList{
field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"),
i.Attestors[0].Entries[0].Keys, "A key is required"),
i.Attestors[0].Entries[0].Keys, "A public key, kms key or secret is required"),
}
},
},


@ -136,6 +136,13 @@ type StaticKeyAttestor struct {
// +kubebuilder:default=sha256
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
// KMS provides the URI to the public key stored in a Key Management System. See:
// https://github.com/sigstore/cosign/blob/main/KMS.md
KMS string `json:"kms,omitempty" yaml:"kms,omitempty"`
// Reference to a Secret resource that contains a public key
Secret *SecretReference `json:"secret,omitempty" yaml:"secret,omitempty"`
// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
// Rekor is not checked. If an empty object is provided the public instance of
// Rekor (https://rekor.sigstore.dev) is used.
@ -143,6 +150,14 @@ type StaticKeyAttestor struct {
Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
}
type SecretReference struct {
// name of the secret
Name string `json:"name" yaml:"name"`
// namespace name in which secret is created
Namespace string `json:"namespace" yaml:"namespace"`
}
type CertificateAttestor struct {
// Certificate is an optional PEM encoded public certificate.
// +kubebuilder:validation:Optional
@ -306,8 +321,8 @@ func AttestorSetUnmarshal(o *apiextv1.JSON) (*AttestorSet, error) {
}
func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList) {
if ska.PublicKeys == "" {
errs = append(errs, field.Invalid(path, ska, "A key is required"))
if ska.PublicKeys == "" && ska.KMS == "" && ska.Secret == nil {
errs = append(errs, field.Invalid(path, ska, "A public key, kms key or secret is required"))
}
if ska.PublicKeys != "" && ska.SignatureAlgorithm != "" && ska.SignatureAlgorithm != "sha256" && ska.SignatureAlgorithm != "sha512" {
errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
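Review bot: The widened condition in Validate accepts `secret: {}` with an empty name or namespace, and accepts `publicKeys`, `kms` and `secret` all set at once, so the Go-side check is weaker than the CRD schema's `required: [name, namespace]` and gives no defined precedence when several key sources are present; right after the nil check I would add `if ska.Secret != nil && (ska.Secret.Name == "" || ska.Secret.Namespace == "") { errs = append(errs, field.Invalid(path.Child("secret"), ska.Secret, "secret name and namespace are required")) }` and either reject more than one source or document which one wins. The signatureAlgorithm check on the last visible line is still gated on `ska.PublicKeys != ""`, so an unsupported algorithm passes validation for a KMS or Secret attestor; whether the verifier uses that value on those paths is not visible here, but the guard should probably cover all three sources. Because `Namespace` is a free-form string on a policy that can be cluster-scoped, the verifying key can be pulled from any namespace the Kyverno service account can read, which moves the trust boundary to whoever can write that Secret — the comment on `Secret` should say so, e.g. `// Anyone able to write the referenced Secret controls which key is trusted; restrict write access accordingly.` Validate's body continues past the end of the hunk.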


@ -1237,6 +1237,21 @@ func (in *Rule) DeepCopy() *Rule {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SecretReference) DeepCopyInto(out *SecretReference) {
*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretReference.
func (in *SecretReference) DeepCopy() *SecretReference {
if in == nil {
return nil
}
out := new(SecretReference)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Spec) DeepCopyInto(out *Spec) {
*out = *in
@ -1294,6 +1309,11 @@ func (in *Spec) DeepCopy() *Spec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *StaticKeyAttestor) DeepCopyInto(out *StaticKeyAttestor) {
*out = *in
if in.Secret != nil {
in, out := &in.Secret, &out.Secret
*out = new(SecretReference)
**out = **in
}
if in.Rekor != nil {
in, out := &in.Rekor, &out.Rekor
*out = new(CTLog)


@ -64,7 +64,7 @@ func Test_ImageVerification(t *testing.T) {
errors: func(i *ImageVerification) field.ErrorList {
return field.ErrorList{
field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"),
i.Attestors[0].Entries[0].Keys, "A key is required"),
i.Attestors[0].Entries[0].Keys, "A public key, kms key or secret is required"),
}
},
},


@ -2387,6 +2387,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -2399,6 +2402,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -2678,6 +2694,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -2690,6 +2709,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -4132,6 +4164,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -4144,6 +4179,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -4423,6 +4471,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -4435,6 +4486,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -5828,6 +5892,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -5840,6 +5907,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -6109,6 +6189,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -6121,6 +6204,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -7548,6 +7644,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -7560,6 +7659,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -7839,6 +7951,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -7851,6 +7966,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -9840,6 +9968,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -9852,6 +9983,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -10131,6 +10275,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -10143,6 +10290,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -11585,6 +11745,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -11597,6 +11760,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -11876,6 +12052,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -11888,6 +12067,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -13281,6 +13473,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -13293,6 +13488,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -13562,6 +13770,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -13574,6 +13785,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -15001,6 +15225,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -15013,6 +15240,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
@ -15292,6 +15532,9 @@ spec:
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
@ -15304,6 +15547,19 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512


@ -2262,6 +2262,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -2291,6 +2296,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -2704,6 +2724,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -2732,6 +2757,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -5129,6 +5169,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -5160,6 +5205,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -5583,6 +5644,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -5613,6 +5679,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -7799,6 +7881,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -7828,6 +7915,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -8226,6 +8328,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -8254,6 +8361,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -10626,6 +10748,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -10657,6 +10784,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -11080,6 +11223,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -11110,6 +11258,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm


@ -2263,6 +2263,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -2292,6 +2297,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -2705,6 +2725,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -2733,6 +2758,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -5131,6 +5171,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -5162,6 +5207,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -5585,6 +5646,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -5615,6 +5681,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -7802,6 +7884,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -7831,6 +7918,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -8229,6 +8331,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -8257,6 +8364,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -10629,6 +10751,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -10660,6 +10787,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -11083,6 +11226,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -11113,6 +11261,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm


@ -3556,6 +3556,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -3585,6 +3590,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -3998,6 +4018,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -4026,6 +4051,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -6423,6 +6463,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -6454,6 +6499,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -6877,6 +6938,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -6907,6 +6973,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -9093,6 +9175,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -9122,6 +9209,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -9520,6 +9622,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -9548,6 +9655,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -11920,6 +12042,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -11951,6 +12078,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -12374,6 +12517,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -12404,6 +12552,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -15403,6 +15567,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -15432,6 +15601,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -15845,6 +16029,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -15873,6 +16062,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -18271,6 +18475,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -18302,6 +18511,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -18725,6 +18950,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -18755,6 +18985,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -20942,6 +21188,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -20971,6 +21222,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -21369,6 +21635,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -21397,6 +21668,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -23769,6 +24055,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -23800,6 +24091,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -24223,6 +24530,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -24253,6 +24565,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm


@ -3550,6 +3550,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -3579,6 +3584,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -3992,6 +4012,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -4020,6 +4045,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -6417,6 +6457,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -6448,6 +6493,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -6871,6 +6932,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -6901,6 +6967,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -9087,6 +9169,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -9116,6 +9203,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -9514,6 +9616,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -9542,6 +9649,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -11914,6 +12036,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -11945,6 +12072,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -12368,6 +12511,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -12398,6 +12546,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -15394,6 +15558,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -15423,6 +15592,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -15836,6 +16020,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -15864,6 +16053,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -18262,6 +18466,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -18293,6 +18502,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -18716,6 +18941,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -18746,6 +18976,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -20933,6 +21179,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image signatures.
@ -20962,6 +21213,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -21360,6 +21626,11 @@ spec:
description: Keys specifies one or more public
keys
properties:
kms:
description: 'KMS provides the URI to
the public key stored in a Key Management
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public
keys used to verify image signatures.
@ -21388,6 +21659,21 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret resource
that contains a public key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in which
secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -23760,6 +24046,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -23791,6 +24082,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name
in which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
@ -24214,6 +24521,11 @@ spec:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
@ -24244,6 +24556,22 @@ spec:
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: name of the secret
type: string
namespace:
description: namespace name in
which secret is created
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm


@ -3205,6 +3205,47 @@ Generation
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.SecretReference">SecretReference
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.StaticKeyAttestor">StaticKeyAttestor</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>name</code><br/>
<em>
string
</em>
</td>
<td>
<p>name of the secret</p>
</td>
</tr>
<tr>
<td>
<code>namespace</code><br/>
<em>
string
</em>
</td>
<td>
<p>namespace name in which secret is created</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.Spec">Spec
</h3>
<p>
@ -3416,6 +3457,31 @@ string
</tr>
<tr>
<td>
<code>kms</code><br/>
<em>
string
</em>
</td>
<td>
<p>KMS provides the URI to the public key stored in a Key Management System. See:
<a href="https://github.com/sigstore/cosign/blob/main/KMS.md">https://github.com/sigstore/cosign/blob/main/KMS.md</a></p>
</td>
</tr>
<tr>
<td>
<code>secret</code><br/>
<em>
<a href="#kyverno.io/v1.SecretReference">
SecretReference
</a>
</em>
</td>
<td>
<p>Reference to a Secret resource that contains a public key</p>
</td>
</tr>
<tr>
<td>
<code>rekor</code><br/>
<em>
<a href="#kyverno.io/v1.CTLog">


@ -425,7 +425,14 @@ func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageV
if attestor.Keys != nil {
path = path + ".keys"
if attestor.Keys.PublicKeys != "" {
opts.Key = attestor.Keys.PublicKeys
} else if attestor.Keys.Secret != nil {
opts.Key = fmt.Sprintf("k8s://%s/%s", attestor.Keys.Secret.Namespace,
attestor.Keys.Secret.Name)
} else if attestor.Keys.KMS != "" {
opts.Key = attestor.Keys.KMS
}
if attestor.Keys.Rekor != nil {
opts.RekorURL = attestor.Keys.Rekor.URL
}
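Review bot: The `k8s://%s/%s` reference in the new `else if attestor.Keys.Secret != nil` branch is built by plain string formatting from the policy's `secret.namespace` and `secret.name`, and the CRD schema in this commit types both only as `string`, so a value containing `/` would change how the `k8s://` reference is split downstream; validate both as Kubernetes names (or at least reject `/`) where the attestor is validated rather than relying on the format here. The chain also makes `publicKeys` silently win over `secret`, and `secret` over `kms`, when more than one is set on a single attestor; it is not visible here whether validation rejects that combination, so either reject it or state the order on the type, e.g. `// Only one of PublicKeys, Secret or KMS is used; PublicKeys takes precedence over Secret, which takes precedence over KMS.`. The Secret is presumably resolved with the controller's own service account regardless of the namespace the policy targets, so the policy author selects which Secret the controller reads; that is worth stating in the `Secret` field's doc comment. buildOptionsAndPath starts and ends outside the hunk.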


@ -535,26 +535,62 @@ func Test_NestedAttestors(t *testing.T) {
}
func Test_ExpandKeys(t *testing.T) {
as := expandStaticKeys(createStaticKeyAttestorSet(""))
as := expandStaticKeys(createStaticKeyAttestorSet("", true, false, false))
assert.Equal(t, 1, len(as.Entries))
as = expandStaticKeys(createStaticKeyAttestorSet(testOtherKey))
as = expandStaticKeys(createStaticKeyAttestorSet(testOtherKey, true, false, false))
assert.Equal(t, 1, len(as.Entries))
as = expandStaticKeys(createStaticKeyAttestorSet(testOtherKey + testOtherKey + testOtherKey))
as = expandStaticKeys(createStaticKeyAttestorSet(testOtherKey+testOtherKey+testOtherKey, true, false, false))
assert.Equal(t, 3, len(as.Entries))
as = expandStaticKeys(createStaticKeyAttestorSet("", false, true, false))
assert.Equal(t, 1, len(as.Entries))
assert.DeepEqual(t, &kyverno.SecretReference{Name: "testsecret", Namespace: "default"},
as.Entries[0].Keys.Secret)
as = expandStaticKeys(createStaticKeyAttestorSet("", false, false, true))
assert.Equal(t, 1, len(as.Entries))
assert.DeepEqual(t, "gcpkms://projects/test_project_id/locations/asia-south1/keyRings/test_key_ring_name/cryptoKeys/test_key_name/versions/1", as.Entries[0].Keys.KMS)
as = expandStaticKeys((createStaticKeyAttestorSet(testOtherKey, true, true, false)))
assert.Equal(t, 2, len(as.Entries))
assert.DeepEqual(t, testOtherKey, as.Entries[0].Keys.PublicKeys)
assert.DeepEqual(t, &kyverno.SecretReference{Name: "testsecret", Namespace: "default"},
as.Entries[1].Keys.Secret)
}
func createStaticKeyAttestorSet(s string) kyverno.AttestorSet {
return kyverno.AttestorSet{
Entries: []kyverno.Attestor{
{
func createStaticKeyAttestorSet(s string, withPublicKey, withSecret, withKMS bool) kyverno.AttestorSet {
var entries []kyverno.Attestor
if withPublicKey {
attestor := kyverno.Attestor{
Keys: &kyverno.StaticKeyAttestor{
PublicKeys: s,
},
}
entries = append(entries, attestor)
}
if withSecret {
attestor := kyverno.Attestor{
Keys: &kyverno.StaticKeyAttestor{
Secret: &kyverno.SecretReference{
Name: "testsecret",
Namespace: "default",
},
},
}
entries = append(entries, attestor)
}
if withKMS {
kmsKey := "gcpkms://projects/test_project_id/locations/asia-south1/keyRings/test_key_ring_name/cryptoKeys/test_key_name/versions/1"
attestor := kyverno.Attestor{
Keys: &kyverno.StaticKeyAttestor{
KMS: kmsKey,
},
}
entries = append(entries, attestor)
}
return kyverno.AttestorSet{Entries: entries}
}
func Test_ChangedAnnotation(t *testing.T) {
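Review bot: The KMS URI literal in the `assert.DeepEqual` for the KMS case is repeated verbatim inside createStaticKeyAttestorSet, so editing one silently breaks the other; hoist it to a package-level `const testKMSKey = "gcpkms://…"` (same value as on the page) and use it in both places. The doubled parentheses in `expandStaticKeys((createStaticKeyAttestorSet(testOtherKey, true, true, false)))` look like a leftover. Because the helper emits one attestor per flag, the mixed case only asserts two separate entries and never builds a single attestor with more than one of publicKeys/secret/kms set, which is exactly the precedence path in buildOptionsAndPath; a case constructing that attestor directly would pin the intended behaviour.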


@ -5,7 +5,10 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
)
var taskGVR = e2e.GetGVR("tekton.dev", "v1beta1", "tasks")
var (
taskGVR = e2e.GetGVR("tekton.dev", "v1beta1", "tasks")
podGVR = e2e.GetGVR("", "v1", "pods")
)
var VerifyImagesTests = []struct {
// TestName - Name of the Test
@ -80,4 +83,26 @@ var VerifyImagesTests = []struct {
ResourceRaw: tektonTaskVerified,
MustSucceed: true,
},
{
// Success case to check secret in attestors.entries.keys
TestName: "secret-in-keys-success",
PolicyName: "secret-in-keys",
PolicyRaw: kyvernoPolicyWithSecretInKeys,
ResourceName: "test-secret-pod",
ResourceNamespace: "test-verify-images",
ResourceGVR: podGVR,
ResourceRaw: secretPodResourceSuccess,
MustSucceed: true,
},
{
// Failed case to check secret in attestors.entries.keys
TestName: "secret-in-keys-failure",
PolicyName: "secret-in-keys",
PolicyRaw: kyvernoPolicyWithSecretInKeys,
ResourceName: "test-secret-pod",
ResourceNamespace: "test-verify-images",
ResourceGVR: podGVR,
ResourceRaw: secretPodResourceFailed,
MustSucceed: false,
},
}
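Review bot: The `secret-in-keys-failure` entry is checked only through `MustSucceed: false`, so it would also be reported as passing if the Secret could not be read at all (missing secret, RBAC, wrong data key) rather than because the image is unsigned; the assertion itself lives outside this hunk, but the negative case should verify that the denial reason is a failed signature check and not a key-loading error, otherwise a broken secret path looks like a green test. Both entries reuse PolicyName `secret-in-keys` and ResourceName `test-secret-pod`, so the failure case depends on the success case's namespace being fully torn down first; fine if the per-test cleanup waits for deletion, which this hunk does not show. A comment on the table such as `// both cases share the policy/pod names; cleanup between them must complete` would make that dependency explicit.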


@ -61,6 +61,69 @@ spec:
image: ghcr.io/sigstore/cosign/cosign
`)
// not adding cosign.key and cosign.password as we only need cosign.pub
var secretResource = []byte(`
apiVersion: v1
kind: Secret
metadata:
name: testsecret
namespace: test-verify-images
data:
cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOG5YUmg5NTBJWmJSajhSYS9OOXNicU9QWnJmTQo1L0tBUU4wL0tqSGNvcm0vSjV5Y3RWZDdpRWNuZXNzUlFqVTkxN2htS082SldWR0hwRGd1SXlha1pBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t
type: Opaque
`)
var secretPodResourceSuccess = []byte(`
apiVersion: v1
kind: Pod
metadata:
name: test-secret-pod
namespace: test-verify-images
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:signed
name: test-secret
`)
var secretPodResourceFailed = []byte(`
apiVersion: v1
kind: Pod
metadata:
name: test-secret-pod
namespace: test-verify-images
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:unsigned
name: test-secret
`)
var kyvernoPolicyWithSecretInKeys = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: secret-in-keys
spec:
validationFailureAction: enforce
background: false
webhookTimeoutSeconds: 30
failurePolicy: Fail
rules:
- name: check-secret-in-keys
match:
resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/kyverno/test-verify-image:*"
attestors:
- entries:
- keys:
secret:
name: testsecret
namespace: test-verify-images
`)
var kyvernoTaskPolicyWithSimpleExtractor = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
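Review bot: `kyvernoPolicyWithSecretInKeys` hardcodes `name: testsecret` and `namespace: test-verify-images`, which must stay in step with `secretResource` above and with the namespace the harness creates the secret in, yet nothing on these lines says so. A comment above the policy literal such as `// secret name/namespace must match secretResource and the test's ResourceNamespace` would make the coupling explicit. It would also help to note on `secretResource` that the verifier presumably reads the key from the `cosign.pub` data entry, since that key name is what the fixture relies on — worth confirming against the verification code before stating it as fact.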


@ -21,6 +21,8 @@ var (
policyGVR = e2e.GetGVR("kyverno.io", "v1", "clusterpolicies")
// Namespace GVR
namespaceGVR = e2e.GetGVR("", "v1", "namespaces")
// Secret GVR
secretGVR = e2e.GetGVR("", "v1", "secrets")
crdGVR = e2e.GetGVR("apiextensions.k8s.io", "v1", "customresourcedefinitions")
@ -84,7 +86,8 @@ func TestImageVerify(t *testing.T) {
_ = e2eClient.DeleteClusteredResource(namespaceGVR, test.ResourceNamespace)
By("Wait Till Deletion of Namespace...")
err = e2e.GetWithRetry(1*time.Second, 15, func() error {
// deleting test-secret-pod might take some time. hence increasing timeout period
err = e2e.GetWithRetry(20*time.Second, 15, func() error {
_, err := e2eClient.GetClusteredResource(namespaceGVR, test.ResourceNamespace)
if err != nil {
return nil
@ -120,6 +123,12 @@ func TestImageVerify(t *testing.T) {
})
Expect(err).NotTo(HaveOccurred())
if test.PolicyName == "secret-in-keys" {
By("Creating testsecret...")
_, err := e2eClient.CreateNamespacedResourceYaml(secretGVR, test.ResourceNamespace, "testsecret", secretResource)
Expect(err).NotTo(HaveOccurred())
}
Expect(e2eClient.ClusterPolicyReady(test.PolicyName)).To(BeTrue())
By("Creating Resource...")
@ -138,7 +147,8 @@ func TestImageVerify(t *testing.T) {
// Clear Namespace
e2eClient.DeleteClusteredResource(namespaceGVR, nspace)
// Wait Till Deletion of Namespace
e2e.GetWithRetry(time.Duration(1*time.Second), 15, func() error {
// deleting test-secret-pod might take some time. hence increasing timeout period
e2e.GetWithRetry(time.Duration(20*time.Second), 15, func() error {
_, err := e2eClient.GetClusteredResource(namespaceGVR, nspace)
if err != nil {
return nil
@ -149,9 +159,8 @@ func TestImageVerify(t *testing.T) {
By(fmt.Sprintf("Test %s Completed \n\n\n", test.TestName))
}
//CleanUp CRDs
// CleanUp CRDs
e2eClient.DeleteClusteredResource(crdGVR, crdName)
}
func Test_BoolFields(t *testing.T) {
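Review bot: Raising the poll interval from 1s to 20s at `err = e2e.GetWithRetry(20*time.Second, 15, func() error {` (and again in the cleanup loop, `e2e.GetWithRetry(time.Duration(20*time.Second), 15, func() error {`) makes every test in the table, not only the secret case, wait in 20-second steps for namespace deletion — up to five minutes before giving up, and at least 20 seconds even when deletion is immediate if GetWithRetry sleeps before each attempt. Keeping the short interval and raising the attempt count, e.g. `e2e.GetWithRetry(1*time.Second, 300, func() error {`, gives the same overall deadline without the per-test latency. `time.Duration(20*time.Second)` is also a redundant conversion, since `20*time.Second` is already a Duration. TestImageVerify starts before the first hunk and its body continues between the hunks shown.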