mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity

feat: support attestations with multiple signatures (#5409)

Browse source 
* add new attribute ".verifyImages.attestations.attestors"

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Update CRDs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* support multiple subjects for attestations

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - fix entries check; - refactors code

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix linter

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - allow both attestors and attestations; - make attestations.attestor optional

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix panic

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add kuttl tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* remove the invalid test

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix empty attestor

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add cleanup steps

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Update api/kyverno/v1/image_verification_types.go

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
shuting 2022-12-02 06:09:44 +08:00 committed by GitHub
parent 56c1585cb1
commit ef06833613
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
62 changed files with 6521 additions and 108 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Makefile
View file

@ -487,7 +487,7 @@ verify-helm: codegen-helm-all ## Check Helm charts are up to date
@echo Checking helm charts are up to date... >&2
@git --no-pager diff charts
@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-helm-all".' >&2
@echo 'To correct this, locally run "make codegen-helm", commit the changes, and re-run tests.' >&2
@echo 'To correct this, locally run "make codegen-helm-all", commit the changes, and re-run tests.' >&2
@git diff --quiet --exit-code charts
.PHONY: verify-codegen

5
api/kyverno/v1/image_verification_test.go
View file

@ -174,11 +174,6 @@ func Test_ImageVerification(t *testing.T) {
},
},
},
errors: func(i *ImageVerification) field.ErrorList {
return field.ErrorList{
field.Invalid(path, i, "An attestor is required"),
}
},
},
{
name: "multiple entries",

34
api/kyverno/v1/image_verification_types.go
View file

@ -213,6 +213,10 @@ type Attestation struct {
// PredicateType defines the type of Predicate contained within the Statement.
PredicateType string `json:"predicateType,omitempty" yaml:"predicateType,omitempty"`
// Attestors specify the required attestors (i.e. authorities)
// +kubebuilder:validation:Optional
Attestors []AttestorSet `json:"attestors" yaml:"attestors"`
// Conditions are used to verify attributes within a Predicate. If no Conditions are specified
// the attestation check is satisfied as long there are predicates that match the predicate type.
// +optional
@ -227,11 +231,10 @@ func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) {
errs = append(errs, field.Invalid(path, iv, "An image reference is required"))
}
hasAttestors := len(copy.Attestors) > 0
hasAttestations := len(copy.Attestations) > 0
if hasAttestations && !hasAttestors {
errs = append(errs, field.Invalid(path, iv, "An attestor is required"))
asPath := path.Child("attestations")
for i, attestation := range copy.Attestations {
attestationErrors := attestation.Validate(asPath.Index(i))
errs = append(errs, attestationErrors...)
}
attestorsPath := path.Child("attestors")
@ -243,6 +246,19 @@ func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) {
return errs
}
func (a *Attestation) Validate(path *field.Path) (errs field.ErrorList) {
if len(a.Attestors) == 0 {
return
}
attestorsPath := path.Child("attestors")
for i, as := range a.Attestors {
attestorErrors := as.Validate(attestorsPath.Index(i))
errs = append(errs, attestorErrors...)
}
return errs
}
func (as *AttestorSet) Validate(path *field.Path) (errs field.ErrorList) {
return validateAttestorSet(as, path)
}
@ -382,7 +398,13 @@ func (iv *ImageVerification) Convert() *ImageVerification {
}
attestorSet.Entries = append(attestorSet.Entries, attestor)
copy.Attestors = append(copy.Attestors, attestorSet)
if len(iv.Attestations) > 0 {
for i := range iv.Attestations {
copy.Attestations[i].Attestors = append(copy.Attestations[i].Attestors, attestorSet)
}
} else {
copy.Attestors = append(copy.Attestors, attestorSet)
}
}
copy.Attestations = iv.Attestations

7
api/kyverno/v1/zz_generated.deepcopy.go
View file

@ -91,6 +91,13 @@ func (in *AnyAllConditions) DeepCopy() *AnyAllConditions {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Attestation) DeepCopyInto(out *Attestation) {
*out = *in
if in.Attestors != nil {
in, out := &in.Attestors, &out.Attestors
*out = make([]AttestorSet, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]AnyAllConditions, len(*in))

5
api/kyverno/v2beta1/image_verification_test.go
View file

@ -117,11 +117,6 @@ func Test_ImageVerification(t *testing.T) {
},
},
},
errors: func(i *ImageVerification) field.ErrorList {
return field.ErrorList{
field.Invalid(path, i, "An attestor is required"),
}
},
},
}

9
api/kyverno/v2beta1/image_verification_types.go
View file

@ -55,11 +55,10 @@ func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) {
errs = append(errs, field.Invalid(path, iv, "An image reference is required"))
}
hasAttestors := len(copy.Attestors) > 0
hasAttestations := len(copy.Attestations) > 0
if hasAttestations && !hasAttestors {
errs = append(errs, field.Invalid(path, iv, "An attestor is required"))
asPath := path.Child("attestations")
for i, attestation := range copy.Attestations {
attestationErrors := attestation.Validate(asPath.Index(i))
errs = append(errs, attestationErrors...)
}
attestorsPath := path.Child("attestors")

872
charts/kyverno/templates/crds.yaml
View file

@ -4514,6 +4514,115 @@ spec:
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies one or more certificates
properties:
cert:
description: Certificate is an optional PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is an optional PEM encoded set of certificates used to verify
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions are certificate-extensions used for keyless signing.
type: object
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity used for keyless signing, for example the email address
type: string
type: object
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: Name of the secret. The provided secret must contain a key named cosign.pub.
type: string
namespace:
description: Namespace name where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@ -6293,6 +6402,115 @@ spec:
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies one or more certificates
properties:
cert:
description: Certificate is an optional PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is an optional PEM encoded set of certificates used to verify
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions are certificate-extensions used for keyless signing.
type: object
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity used for keyless signing, for example the email address
type: string
type: object
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: Name of the secret. The provided secret must contain a key named cosign.pub.
type: string
namespace:
description: Namespace name where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@ -8051,6 +8269,115 @@ spec:
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies one or more certificates
properties:
cert:
description: Certificate is an optional PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is an optional PEM encoded set of certificates used to verify
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions are certificate-extensions used for keyless signing.
type: object
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity used for keyless signing, for example the email address
type: string
type: object
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: Name of the secret. The provided secret must contain a key named cosign.pub.
type: string
namespace:
description: Namespace name where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@ -9815,6 +10142,115 @@ spec:
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies one or more certificates
properties:
cert:
description: Certificate is an optional PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is an optional PEM encoded set of certificates used to verify
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions are certificate-extensions used for keyless signing.
type: object
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity used for keyless signing, for example the email address
type: string
type: object
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: Name of the secret. The provided secret must contain a key named cosign.pub.
type: string
namespace:
description: Namespace name where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@ -12185,6 +12621,115 @@ spec:
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies one or more certificates
properties:
cert:
description: Certificate is an optional PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is an optional PEM encoded set of certificates used to verify
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions are certificate-extensions used for keyless signing.
type: object
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity used for keyless signing, for example the email address
type: string
type: object
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: Name of the secret. The provided secret must contain a key named cosign.pub.
type: string
namespace:
description: Namespace name where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@ -13964,6 +14509,115 @@ spec:
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies one or more certificates
properties:
cert:
description: Certificate is an optional PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is an optional PEM encoded set of certificates used to verify
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions are certificate-extensions used for keyless signing.
type: object
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity used for keyless signing, for example the email address
type: string
type: object
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: Name of the secret. The provided secret must contain a key named cosign.pub.
type: string
namespace:
description: Namespace name where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@ -15722,6 +16376,115 @@ spec:
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies one or more certificates
properties:
cert:
description: Certificate is an optional PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is an optional PEM encoded set of certificates used to verify
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions are certificate-extensions used for keyless signing.
type: object
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity used for keyless signing, for example the email address
type: string
type: object
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: Name of the secret. The provided secret must contain a key named cosign.pub.
type: string
namespace:
description: Namespace name where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@ -17486,6 +18249,115 @@ spec:
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies one or more certificates
properties:
cert:
description: Certificate is an optional PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is an optional PEM encoded set of certificates used to verify
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions are certificate-extensions used for keyless signing.
type: object
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
type: string
subject:
description: Subject is the verified identity used for keyless signing, for example the email address
type: string
type: object
keys:
description: Keys specifies one or more public keys
properties:
kms:
description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
type: string
rekor:
description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
properties:
url:
description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret resource that contains a public key
properties:
name:
description: Name of the secret. The provided secret must contain a key named cosign.pub.
type: string
namespace:
description: Namespace name where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:

802
config/crds/kyverno.io_clusterpolicies.yaml
View file

@ -2512,6 +2512,198 @@ spec:
signed attestations from the OCI registry and decodes
them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
(i.e. authorities)
items:
properties:
count:
description: Count specifies the required
number of entries that must match. If the
count is null, all entries must match (a
logical AND). If the count is 1, at least
one entry must match (a logical OR). If
the count contains a value N, then N must
be less than or equal to the size of entries,
and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available
attestors. An attestor can be a static key,
attributes for keyless verification, or
a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for
image verification. Every specified
key-value pair must exist and match
in the verified payload. The payload
may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet
used to specify a more complex set
of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies
one or more certificates
properties:
cert:
description: Certificate is an optional
PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is
an optional PEM encoded set of
certificates used to verify
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute
used to verify a Sigstore keyless
attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions
are certificate-extensions used
for keyless signing.
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked and a root
certificate chain is expected
instead. If an empty object is
provided the public instance of
Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional
set of PEM encoded trusted root
certificates. If not provided,
the system roots are used.
type: string
subject:
description: Subject is the verified
identity used for keyless signing,
for example the email address
type: string
type: object
keys:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
within the set of attestors and
the count is applied across the
keys.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: Name of the secret.
The provided secret must contain
a key named cosign.pub.
type: string
namespace:
description: Namespace name
where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
alternate OCI repository to use for
signatures and attestations that match
this rule. If specified Repository
will override other OCI image repository
locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes
within a Predicate. If no Conditions are specified
@ -5432,6 +5624,215 @@ spec:
fetches signed attestations from the OCI registry
and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required
number of entries that must match. If
the count is null, all entries must
match (a logical AND). If the count
is 1, at least one entry must match
(a logical OR). If the count contains
a value N, then N must be less than
or equal to the size of entries, and
at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available
attestors. An attestor can be a static
key, attributes for keyless verification,
or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used
for image verification. Every
specified key-value pair must
exist and match in the verified
payload. The payload may contain
other key-value pairs.
type: object
attestor:
description: Attestor is a nested
AttestorSet used to specify a
more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies
one or more certificates
properties:
cert:
description: Certificate is
an optional PEM encoded public
certificate.
type: string
certChain:
description: CertificateChain
is an optional PEM encoded
set of certificates used to
verify
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of
attribute used to verify a Sigstore
keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions
are certificate-extensions
used for keyless signing.
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked and a root
certificate chain is expected
instead. If an empty object
is provided the public instance
of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional
set of PEM encoded trusted
root certificates. If not
provided, the system roots
are used.
type: string
subject:
description: Subject is the
verified identity used for
keyless signing, for example
the email address
type: string
type: object
keys:
description: Keys specifies one
or more public keys
properties:
kms:
description: 'KMS provides the
URI to the public key stored
in a Key Management System.
See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of
X.509 public keys used to
verify image signatures. The
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
within the set of attestors
and the count is applied across
the keys.
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a
Secret resource that contains
a public key
properties:
name:
description: Name of the
secret. The provided secret
must contain a key named
cosign.pub.
type: string
namespace:
description: Namespace name
where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512
type: string
type: object
repository:
description: Repository is an optional
alternate OCI repository to use
for signatures and attestations
that match this rule. If specified
Repository will override other
OCI image repository locations
for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes
within a Predicate. If no Conditions are specified
@ -8166,6 +8567,198 @@ spec:
signed attestations from the OCI registry and decodes
them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
(i.e. authorities)
items:
properties:
count:
description: Count specifies the required
number of entries that must match. If the
count is null, all entries must match (a
logical AND). If the count is 1, at least
one entry must match (a logical OR). If
the count contains a value N, then N must
be less than or equal to the size of entries,
and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available
attestors. An attestor can be a static key,
attributes for keyless verification, or
a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for
image verification. Every specified
key-value pair must exist and match
in the verified payload. The payload
may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet
used to specify a more complex set
of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies
one or more certificates
properties:
cert:
description: Certificate is an optional
PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is
an optional PEM encoded set of
certificates used to verify
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute
used to verify a Sigstore keyless
attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions
are certificate-extensions used
for keyless signing.
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked and a root
certificate chain is expected
instead. If an empty object is
provided the public instance of
Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional
set of PEM encoded trusted root
certificates. If not provided,
the system roots are used.
type: string
subject:
description: Subject is the verified
identity used for keyless signing,
for example the email address
type: string
type: object
keys:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
within the set of attestors and
the count is applied across the
keys.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: Name of the secret.
The provided secret must contain
a key named cosign.pub.
type: string
namespace:
description: Namespace name
where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
alternate OCI repository to use for
signatures and attestations that match
this rule. If specified Repository
will override other OCI image repository
locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes
within a Predicate. If no Conditions are specified
@ -11061,6 +11654,215 @@ spec:
fetches signed attestations from the OCI registry
and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required
number of entries that must match. If
the count is null, all entries must
match (a logical AND). If the count
is 1, at least one entry must match
(a logical OR). If the count contains
a value N, then N must be less than
or equal to the size of entries, and
at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available
attestors. An attestor can be a static
key, attributes for keyless verification,
or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used
for image verification. Every
specified key-value pair must
exist and match in the verified
payload. The payload may contain
other key-value pairs.
type: object
attestor:
description: Attestor is a nested
AttestorSet used to specify a
more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies
one or more certificates
properties:
cert:
description: Certificate is
an optional PEM encoded public
certificate.
type: string
certChain:
description: CertificateChain
is an optional PEM encoded
set of certificates used to
verify
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of
attribute used to verify a Sigstore
keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions
are certificate-extensions
used for keyless signing.
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked and a root
certificate chain is expected
instead. If an empty object
is provided the public instance
of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional
set of PEM encoded trusted
root certificates. If not
provided, the system roots
are used.
type: string
subject:
description: Subject is the
verified identity used for
keyless signing, for example
the email address
type: string
type: object
keys:
description: Keys specifies one
or more public keys
properties:
kms:
description: 'KMS provides the
URI to the public key stored
in a Key Management System.
See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of
X.509 public keys used to
verify image signatures. The
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
within the set of attestors
and the count is applied across
the keys.
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a
Secret resource that contains
a public key
properties:
name:
description: Name of the
secret. The provided secret
must contain a key named
cosign.pub.
type: string
namespace:
description: Namespace name
where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512
type: string
type: object
repository:
description: Repository is an optional
alternate OCI repository to use
for signatures and attestations
that match this rule. If specified
Repository will override other
OCI image repository locations
for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes
within a Predicate. If no Conditions are specified

802
config/crds/kyverno.io_policies.yaml
View file

@ -2513,6 +2513,198 @@ spec:
signed attestations from the OCI registry and decodes
them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
(i.e. authorities)
items:
properties:
count:
description: Count specifies the required
number of entries that must match. If the
count is null, all entries must match (a
logical AND). If the count is 1, at least
one entry must match (a logical OR). If
the count contains a value N, then N must
be less than or equal to the size of entries,
and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available
attestors. An attestor can be a static key,
attributes for keyless verification, or
a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for
image verification. Every specified
key-value pair must exist and match
in the verified payload. The payload
may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet
used to specify a more complex set
of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies
one or more certificates
properties:
cert:
description: Certificate is an optional
PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is
an optional PEM encoded set of
certificates used to verify
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute
used to verify a Sigstore keyless
attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions
are certificate-extensions used
for keyless signing.
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked and a root
certificate chain is expected
instead. If an empty object is
provided the public instance of
Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional
set of PEM encoded trusted root
certificates. If not provided,
the system roots are used.
type: string
subject:
description: Subject is the verified
identity used for keyless signing,
for example the email address
type: string
type: object
keys:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
within the set of attestors and
the count is applied across the
keys.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: Name of the secret.
The provided secret must contain
a key named cosign.pub.
type: string
namespace:
description: Namespace name
where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
alternate OCI repository to use for
signatures and attestations that match
this rule. If specified Repository
will override other OCI image repository
locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes
within a Predicate. If no Conditions are specified
@ -5434,6 +5626,215 @@ spec:
fetches signed attestations from the OCI registry
and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required
number of entries that must match. If
the count is null, all entries must
match (a logical AND). If the count
is 1, at least one entry must match
(a logical OR). If the count contains
a value N, then N must be less than
or equal to the size of entries, and
at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available
attestors. An attestor can be a static
key, attributes for keyless verification,
or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used
for image verification. Every
specified key-value pair must
exist and match in the verified
payload. The payload may contain
other key-value pairs.
type: object
attestor:
description: Attestor is a nested
AttestorSet used to specify a
more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies
one or more certificates
properties:
cert:
description: Certificate is
an optional PEM encoded public
certificate.
type: string
certChain:
description: CertificateChain
is an optional PEM encoded
set of certificates used to
verify
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of
attribute used to verify a Sigstore
keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions
are certificate-extensions
used for keyless signing.
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked and a root
certificate chain is expected
instead. If an empty object
is provided the public instance
of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional
set of PEM encoded trusted
root certificates. If not
provided, the system roots
are used.
type: string
subject:
description: Subject is the
verified identity used for
keyless signing, for example
the email address
type: string
type: object
keys:
description: Keys specifies one
or more public keys
properties:
kms:
description: 'KMS provides the
URI to the public key stored
in a Key Management System.
See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of
X.509 public keys used to
verify image signatures. The
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
within the set of attestors
and the count is applied across
the keys.
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a
Secret resource that contains
a public key
properties:
name:
description: Name of the
secret. The provided secret
must contain a key named
cosign.pub.
type: string
namespace:
description: Namespace name
where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512
type: string
type: object
repository:
description: Repository is an optional
alternate OCI repository to use
for signatures and attestations
that match this rule. If specified
Repository will override other
OCI image repository locations
for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes
within a Predicate. If no Conditions are specified
@ -8169,6 +8570,198 @@ spec:
signed attestations from the OCI registry and decodes
them into a list of Statements.
properties:
attestors:
description: Attestors specify the required attestors
(i.e. authorities)
items:
properties:
count:
description: Count specifies the required
number of entries that must match. If the
count is null, all entries must match (a
logical AND). If the count is 1, at least
one entry must match (a logical OR). If
the count contains a value N, then N must
be less than or equal to the size of entries,
and at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available
attestors. An attestor can be a static key,
attributes for keyless verification, or
a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for
image verification. Every specified
key-value pair must exist and match
in the verified payload. The payload
may contain other key-value pairs.
type: object
attestor:
description: Attestor is a nested AttestorSet
used to specify a more complex set
of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies
one or more certificates
properties:
cert:
description: Certificate is an optional
PEM encoded public certificate.
type: string
certChain:
description: CertificateChain is
an optional PEM encoded set of
certificates used to verify
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attribute
used to verify a Sigstore keyless
attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions
are certificate-extensions used
for keyless signing.
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked and a root
certificate chain is expected
instead. If an empty object is
provided the public instance of
Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional
set of PEM encoded trusted root
certificates. If not provided,
the system roots are used.
type: string
subject:
description: Subject is the verified
identity used for keyless signing,
for example the email address
type: string
type: object
keys:
description: Keys specifies one or more
public keys
properties:
kms:
description: 'KMS provides the URI
to the public key stored in a
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
signatures. The keys can be directly
specified or can be a variable
reference to a key specified in
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
within the set of attestors and
the count is applied across the
keys.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log
service. If the value is nil,
Rekor is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: Name of the secret.
The provided secret must contain
a key named cosign.pub.
type: string
namespace:
description: Namespace name
where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
alternate OCI repository to use for
signatures and attestations that match
this rule. If specified Repository
will override other OCI image repository
locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes
within a Predicate. If no Conditions are specified
@ -11064,6 +11657,215 @@ spec:
fetches signed attestations from the OCI registry
and decodes them into a list of Statements.
properties:
attestors:
description: Attestors specify the required
attestors (i.e. authorities)
items:
properties:
count:
description: Count specifies the required
number of entries that must match. If
the count is null, all entries must
match (a logical AND). If the count
is 1, at least one entry must match
(a logical OR). If the count contains
a value N, then N must be less than
or equal to the size of entries, and
at least N entries must match.
minimum: 1
type: integer
entries:
description: Entries contains the available
attestors. An attestor can be a static
key, attributes for keyless verification,
or a nested attestor declaration.
items:
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used
for image verification. Every
specified key-value pair must
exist and match in the verified
payload. The payload may contain
other key-value pairs.
type: object
attestor:
description: Attestor is a nested
AttestorSet used to specify a
more complex set of match authorities
x-kubernetes-preserve-unknown-fields: true
certificates:
description: Certificates specifies
one or more certificates
properties:
cert:
description: Certificate is
an optional PEM encoded public
certificate.
type: string
certChain:
description: CertificateChain
is an optional PEM encoded
set of certificates used to
verify
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of
attribute used to verify a Sigstore
keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions
are certificate-extensions
used for keyless signing.
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked and a root
certificate chain is expected
instead. If an empty object
is provided the public instance
of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional
set of PEM encoded trusted
root certificates. If not
provided, the system roots
are used.
type: string
subject:
description: Subject is the
verified identity used for
keyless signing, for example
the email address
type: string
type: object
keys:
description: Keys specifies one
or more public keys
properties:
kms:
description: 'KMS provides the
URI to the public key stored
in a Key Management System.
See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of
X.509 public keys used to
verify image signatures. The
keys can be directly specified
or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/).
When multiple keys are specified
each key is processed as a
separate staticKey entry (.attestors[*].entries.keys)
within the set of attestors
and the count is applied across
the keys.
type: string
rekor:
description: Rekor provides
configuration for the Rekor
transparency log service.
If the value is nil, Rekor
is not checked. If an empty
object is provided the public
instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
url:
description: URL is the
address of the transparency
log. Defaults to the public
log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a
Secret resource that contains
a public key
properties:
name:
description: Name of the
secret. The provided secret
must contain a key named
cosign.pub.
type: string
namespace:
description: Namespace name
where the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512
type: string
type: object
repository:
description: Repository is an optional
alternate OCI repository to use
for signatures and attestations
that match this rule. If specified
Repository will override other
OCI image repository locations
for this Attestor.
type: string
type: object
type: array
type: object
type: array
conditions:
description: Conditions are used to verify attributes
within a Predicate. If no Conditions are specified

1604
config/install.yaml
View file

File diff suppressed because it is too large Load diff

1604
config/install_debug.yaml
View file

File diff suppressed because it is too large Load diff

14
docs/user/crd/index.html
View file

@ -812,6 +812,19 @@ string
</tr>
<tr>
<td>
<code>attestors</code><br/>
<em>
<a href="#kyverno.io/v1.AttestorSet">
[]AttestorSet
</a>
</em>
</td>
<td>
<p>Attestors specify the required attestors (i.e. authorities)</p>
</td>
</tr>
<tr>
<td>
<code>conditions</code><br/>
<em>
<a href="#kyverno.io/v1.AnyAllConditions">
@ -929,6 +942,7 @@ If specified Repository will override other OCI image repository locations for t
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.Attestation">Attestation</a>,
<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>,
<a href="#kyverno.io/v1.Manifests">Manifests</a>,
<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)

2
pkg/clients/dclient/discovery.go
View file

@ -146,7 +146,7 @@ func (c serverPreferredResources) findResource(apiVersion string, kind string) (
for _, resource := range serverResource.APIResources {
if resourceMatches(resource, kind, subresource) {
logger.V(4).Info("matched API resource to kind", "apiResource", resource, "kind", kind)
logger.V(6).Info("matched API resource to kind", "apiResource", resource, "kind", kind)
gv, err := schema.ParseGroupVersion(serverResource.GroupVersion)
if err != nil {
logger.Error(err, "failed to parse GV", "groupVersion", serverResource.GroupVersion)

125
pkg/cosign/cosign.go
View file

@ -48,6 +48,7 @@ type Options struct {
Repository string
RekorURL string
SignatureAlgorithm string
PredicateType string
}
type Response struct {
@ -57,16 +58,8 @@ type Response struct {
type CosignError struct{}
func Verify(opts Options) (*Response, error) {
if opts.FetchAttestations {
return fetchAttestations(opts)
} else {
return verifySignature(opts)
}
}
// verifySignature verifies that the image has the expected signatures
func verifySignature(opts Options) (*Response, error) {
// VerifySignature verifies that the image has the expected signatures
func VerifySignature(opts Options) (*Response, error) {
ref, err := name.ParseReference(opts.ImageRef)
if err != nil {
return nil, fmt.Errorf("failed to parse image %s", opts.ImageRef)
@ -106,9 +99,12 @@ func verifySignature(opts Options) (*Response, error) {
return nil, err
}
digest, err := extractDigest(opts.ImageRef, payload)
if err != nil {
return nil, err
var digest string
if opts.PredicateType == "" {
digest, err = extractDigest(opts.ImageRef, payload)
if err != nil {
return nil, err
}
}
return &Response{Digest: digest}, nil
@ -256,9 +252,9 @@ func loadCertChain(pem []byte) ([]*x509.Certificate, error) {
return cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(pem))
}
// fetchAttestations retrieves signed attestations and decodes them into in-toto statements
// FetchAttestations retrieves signed attestations and decodes them into in-toto statements
// https://github.com/in-toto/attestation/blob/main/spec/README.md#statement
func fetchAttestations(opts Options) (*Response, error) {
func FetchAttestations(opts Options) (*Response, error) {
cosignOpts, err := buildCosignOptions(opts)
if err != nil {
return nil, err
@ -291,8 +287,20 @@ func fetchAttestations(opts Options) (*Response, error) {
return nil, err
}
if err := matchSignatures(signatures, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
return nil, err
for _, signature := range signatures {
match, predicateType, err := matchPredicateType(signature, opts.PredicateType)
if err != nil {
return nil, err
}
if !match {
logger.V(4).Info("predicateType doesn't match, continue", "expected", opts.PredicateType, "received", predicateType)
continue
}
if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
return nil, err
}
}
err = checkAnnotations(payload, opts.Annotations)
@ -309,49 +317,78 @@ func fetchAttestations(opts Options) (*Response, error) {
return &Response{Digest: digest, Statements: inTotoStatements}, nil
}
func matchPredicateType(sig oci.Signature, expectedPredicateType string) (bool, string, error) {
if expectedPredicateType != "" {
statement, _, err := decodeStatement(sig)
if err != nil {
return false, "", errors.Wrapf(err, "failed to decode predicateType")
}
if pType, ok := statement["predicateType"]; ok {
if pType.(string) == expectedPredicateType {
return true, pType.(string), nil
}
}
}
return false, "", nil
}
func decodeStatements(sigs []oci.Signature) ([]map[string]interface{}, string, error) {
if len(sigs) == 0 {
return []map[string]interface{}{}, "", nil
}
var digest string
var statement map[string]interface{}
decodedStatements := make([]map[string]interface{}, len(sigs))
for i, sig := range sigs {
pld, err := sig.Payload()
var err error
statement, digest, err = decodeStatement(sig)
if err != nil {
return nil, "", errors.Wrap(err, "failed to decode payload")
return nil, "", err
}
sci := payload.SimpleContainerImage{}
if err := json.Unmarshal(pld, &sci); err != nil {
return nil, "", errors.Wrap(err, "error decoding the payload")
}
if d := sci.Critical.Image.DockerManifestDigest; d != "" {
digest = d
}
data := make(map[string]interface{})
if err := json.Unmarshal(pld, &data); err != nil {
return nil, "", errors.Wrapf(err, "failed to unmarshal JSON payload: %v", sig)
}
if dataPayload, ok := data["payload"]; !ok {
return nil, "", fmt.Errorf("missing payload in %v", data)
} else {
decodedStatement, err := decodeStatement(dataPayload.(string))
if err != nil {
return nil, "", errors.Wrapf(err, "failed to decode statement %s", string(pld))
}
decodedStatements[i] = decodedStatement
}
decodedStatements[i] = statement
}
return decodedStatements, digest, nil
}
func decodeStatement(payloadBase64 string) (map[string]interface{}, error) {
func decodeStatement(sig oci.Signature) (map[string]interface{}, string, error) {
var digest string
pld, err := sig.Payload()
if err != nil {
return nil, "", errors.Wrap(err, "failed to decode payload")
}
sci := payload.SimpleContainerImage{}
if err := json.Unmarshal(pld, &sci); err != nil {
return nil, "", errors.Wrap(err, "error decoding the payload")
}
if d := sci.Critical.Image.DockerManifestDigest; d != "" {
digest = d
}
data := make(map[string]interface{})
if err := json.Unmarshal(pld, &data); err != nil {
return nil, "", errors.Wrapf(err, "failed to unmarshal JSON payload: %v", sig)
}
if dataPayload, ok := data["payload"]; !ok {
return nil, "", fmt.Errorf("missing payload in %v", data)
} else {
decodedStatement, err := decodePayload(dataPayload.(string))
if err != nil {
return nil, "", errors.Wrapf(err, "failed to decode statement %s", string(pld))
}
return decodedStatement, digest, nil
}
}
func decodePayload(payloadBase64 string) (map[string]interface{}, error) {
statementRaw, err := base64.StdEncoding.DecodeString(payloadBase64)
if err != nil {
return nil, errors.Wrapf(err, "failed to base64 decode payload for %v", statementRaw)

6
pkg/cosign/cosign_test.go
View file

@ -76,15 +76,15 @@ func TestCosignKeyless(t *testing.T) {
Subject: "jim",
}
_, err := verifySignature(opts)
_, err := VerifySignature(opts)
assert.ErrorContains(t, err, "subject mismatch: expected jim, received jim@nirmata.com")
opts.Subject = "jim@nirmata.com"
_, err = verifySignature(opts)
_, err = VerifySignature(opts)
assert.ErrorContains(t, err, "issuer mismatch: expected https://github.com/, received https://github.com/login/oauth")
opts.Issuer = "https://github.com/login/oauth"
_, err = verifySignature(opts)
_, err = VerifySignature(opts)
assert.NilError(t, err)
}

146
pkg/engine/imageVerify.go
View file

@ -293,7 +293,7 @@ func imageMatches(image string, imagePatterns []string) bool {
}
func (iv *imageVerifier) verifyImage(imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) (*response.RuleResponse, string) {
if len(imageVerify.Attestors) <= 0 {
if len(imageVerify.Attestors) <= 0 && len(imageVerify.Attestations) <= 0 {
return nil, ""
}
@ -307,11 +307,28 @@ func (iv *imageVerifier) verifyImage(imageVerify kyvernov1.ImageVerification, im
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), ""
}
if len(imageVerify.Attestors) > 0 {
ruleResp, _, _ := iv.verifyAttestors(imageVerify.Attestors, imageVerify, imageInfo, "")
if ruleResp.Status != response.RuleStatusPass {
return ruleResp, ""
}
}
return iv.verifyAttestations(imageVerify, imageInfo)
}
func (iv *imageVerifier) verifyAttestors(attestors []kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification,
imageInfo apiutils.ImageInfo, predicateType string,
) (*response.RuleResponse, *cosign.Response, []kyvernov1.AttestorSet) {
var cosignResponse *cosign.Response
for i, attestorSet := range imageVerify.Attestors {
var newAttestors []kyvernov1.AttestorSet
image := imageInfo.String()
for i, attestorSet := range attestors {
var err error
path := fmt.Sprintf(".attestors[%d]", i)
cosignResponse, err = iv.verifyAttestorSet(attestorSet, imageVerify, imageInfo, path)
iv.logger.V(4).Info("verifying attestors", "path", path)
cosignResponse, err = iv.verifyAttestorSet(attestorSet, imageVerify, imageInfo, path, predicateType)
if err != nil {
iv.logger.Error(err, "failed to verify image")
msg := fmt.Sprintf("failed to verify image %s: %s", image, err.Error())
@ -319,23 +336,84 @@ func (iv *imageVerifier) verifyImage(imageVerify kyvernov1.ImageVerification, im
// handle registry network errors as a rule error (instead of a policy failure)
var netErr *net.OpError
if errors.As(err, &netErr) {
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), ""
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), nil, nil
}
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil), ""
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil), nil, nil
}
newAttestors = append(newAttestors, attestors[i])
}
if cosignResponse == nil {
return ruleError(iv.rule, response.ImageVerify, "invalid response", fmt.Errorf("nil")), ""
return ruleError(iv.rule, response.ImageVerify, "invalid response", fmt.Errorf("nil")), nil, nil
}
msg := fmt.Sprintf("verified image signatures for %s", image)
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), cosignResponse.Digest
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), cosignResponse, newAttestors
}
func (iv *imageVerifier) verifyAttestations(imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) (*response.RuleResponse, string) {
image := imageInfo.String()
for i, attestation := range imageVerify.Attestations {
var attestationError error
path := fmt.Sprintf(".attestations[%d]", i)
attestors := attestation.Attestors
if len(attestation.Attestors) == 0 {
attestors = []kyvernov1.AttestorSet{{}}
}
for j, attestor := range attestors {
attestorPath := fmt.Sprintf("%s.attestors[%d]", path, j)
requiredCount := getRequiredCount(attestor)
verifiedCount := 0
entries := attestor.Entries
if len(entries) == 0 {
entries = []kyvernov1.Attestor{{}}
}
for _, a := range entries {
entryPath := fmt.Sprintf("%s.entries[%d]", attestorPath, i)
opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, attestation)
cosignResp, err := cosign.FetchAttestations(*opts)
if err != nil {
iv.logger.Error(err, "failed to fetch attestations")
msg := fmt.Sprintf("failed to fetch attestations %s: %s", image, err.Error())
// handle registry network errors as a rule error (instead of a policy failure)
var netErr *net.OpError
if errors.As(err, &netErr) {
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), ""
}
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil), ""
}
verifiedCount++
attestationError = iv.verifyAttestation(cosignResp.Statements, attestation, imageInfo)
if attestationError != nil {
attestationError = errors.Wrapf(attestationError, entryPath+subPath)
return ruleResponse(*iv.rule, response.ImageVerify, attestationError.Error(), response.RuleStatusFail, nil), ""
}
if verifiedCount >= requiredCount {
msg := fmt.Sprintf("image attestations verification succeeded, verifiedCount: %v, requiredCount: %v", verifiedCount, requiredCount)
iv.logger.V(2).Info(msg)
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), ""
}
}
}
iv.logger.V(4).Info("attestation checks passed", "path", path, "image", imageInfo.String(), "predicateType", attestation.PredicateType)
}
msg := fmt.Sprintf("verified image attestations for %s", image)
iv.logger.V(2).Info(msg)
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), ""
}
func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification,
imageInfo apiutils.ImageInfo, path string,
imageInfo apiutils.ImageInfo, path, predicateType string,
) (*cosign.Response, error) {
var errorList []error
verifiedCount := 0
@ -347,6 +425,7 @@ func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, im
var entryError error
var cosignResp *cosign.Response
attestorPath := fmt.Sprintf("%s.entries[%d]", path, i)
iv.logger.V(4).Info("verifying attestorSet", "path", attestorPath)
if a.Attestor != nil {
nestedAttestorSet, err := kyvernov1.AttestorSetUnmarshal(a.Attestor)
@ -354,15 +433,11 @@ func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, im
entryError = errors.Wrapf(err, "failed to unmarshal nested attestor %s", attestorPath)
} else {
attestorPath += ".attestor"
cosignResp, entryError = iv.verifyAttestorSet(*nestedAttestorSet, imageVerify, imageInfo, attestorPath)
cosignResp, entryError = iv.verifyAttestorSet(*nestedAttestorSet, imageVerify, imageInfo, attestorPath, predicateType)
}
} else {
opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image)
cosignResp, entryError = cosign.Verify(*opts)
if entryError == nil && opts.FetchAttestations {
entryError = iv.verifyAttestations(cosignResp.Statements, imageVerify, imageInfo)
}
opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, kyvernov1.Attestation{PredicateType: predicateType})
cosignResp, entryError = cosign.VerifySignature(*opts)
if entryError != nil {
entryError = errors.Wrapf(entryError, attestorPath+subPath)
}
@ -371,7 +446,7 @@ func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, im
if entryError == nil {
verifiedCount++
if verifiedCount >= requiredCount {
iv.logger.V(2).Info("image verification succeeded", "verifiedCount", verifiedCount, "requiredCount", requiredCount)
iv.logger.V(2).Info("image attestors verification succeeded", "verifiedCount", verifiedCount, "requiredCount", requiredCount)
return cosignResp, nil
}
} else {
@ -379,8 +454,8 @@ func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, im
}
}
iv.logger.Info("image verification failed", "verifiedCount", verifiedCount, "requiredCount", requiredCount, "errors", errorList)
err := multierr.Combine(errorList...)
iv.logger.Info("image attestors verification failed", "verifiedCount", verifiedCount, "requiredCount", requiredCount, "errors", err.Error())
return nil, err
}
@ -436,7 +511,7 @@ func getRequiredCount(as kyvernov1.AttestorSet) int {
return *as.Count
}
func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageVerify kyvernov1.ImageVerification, image string) (*cosign.Options, string) {
func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageVerify kyvernov1.ImageVerification, image string, attestation kyvernov1.Attestation) (*cosign.Options, string) {
path := ""
opts := &cosign.Options{
ImageRef: image,
@ -448,7 +523,8 @@ func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageV
opts.Roots = imageVerify.Roots
}
if len(imageVerify.Attestations) > 0 {
opts.PredicateType = attestation.PredicateType
if attestation.PredicateType != "" {
opts.FetchAttestations = true
}
@ -504,33 +580,29 @@ func makeAddDigestPatch(imageInfo apiutils.ImageInfo, digest string) ([]byte, er
return json.Marshal(patch)
}
func (iv *imageVerifier) verifyAttestations(statements []map[string]interface{}, imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) error {
func (iv *imageVerifier) verifyAttestation(statements []map[string]interface{}, attestation kyvernov1.Attestation, imageInfo apiutils.ImageInfo) error {
image := imageInfo.String()
statementsByPredicate, types := buildStatementMap(statements)
iv.logger.V(4).Info("checking attestations", "predicates", types, "image", image)
for _, ac := range imageVerify.Attestations {
statements := statementsByPredicate[ac.PredicateType]
if statements == nil {
iv.logger.Info("attestation predicate type not found", "type", ac.PredicateType, "predicates", types, "image", imageInfo.String())
return fmt.Errorf("predicate type %s not found", ac.PredicateType)
statements = statementsByPredicate[attestation.PredicateType]
if statements == nil {
iv.logger.Info("attestation predicate type not found", "type", attestation.PredicateType, "predicates", types, "image", imageInfo.String())
return fmt.Errorf("predicate type %s not found", attestation.PredicateType)
}
for _, s := range statements {
iv.logger.Info("checking attestation", "predicates", types, "image", imageInfo.String())
val, err := iv.checkAttestations(attestation, s)
if err != nil {
return errors.Wrap(err, "failed to check attestations")
}
iv.logger.Info("checking attestation", "predicates", types, "image", imageInfo.String())
for _, s := range statements {
val, err := iv.checkAttestations(ac, s)
if err != nil {
return errors.Wrap(err, "failed to check attestations")
}
if !val {
return fmt.Errorf("attestation checks failed for %s and predicate %s", imageInfo.String(), ac.PredicateType)
}
if !val {
return fmt.Errorf("attestation checks failed for %s and predicate %s", imageInfo.String(), attestation.PredicateType)
}
}
iv.logger.V(3).Info("attestation checks passed", "image", imageInfo.String())
return nil
}

4
pkg/engine/imageVerify_test.go
View file

@ -150,7 +150,9 @@ func Test_CosignMockAttest(t *testing.T) {
er, ivm := VerifyAndPatchImages(policyContext)
assert.Equal(t, len(er.PolicyResponse.Rules), 1)
assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusPass)
assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusPass,
fmt.Sprintf("expected: %v, got: %v, failure: %v",
response.RuleStatusPass, er.PolicyResponse.Rules[0].Status, er.PolicyResponse.Rules[0].Message))
assert.Equal(t, ivm.IsEmpty(), false)
assert.Equal(t, ivm.isVerified("ghcr.io/jimbugwadia/pause2:latest"), true)
}

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-pass-1
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

35
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml Normal file
View file

@ -0,0 +1,35 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-pass-1
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 30
background: false
rules:
- name: check-builder-id-keyless-pass-1
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/chipzoller/zulu*"
attestations:
- predicateType: https://slsa.dev/provenance/v0.2
attestors:
- entries:
- keyless:
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
conditions:
- all:
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
operator: Equals
value: true

11
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: zulu

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14
name: zulu

4
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/99-cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true

11
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
## Expected Behavior
Given the defined predicateType, the image's subject and issuer match as well as the attestation specified in the conditions block. The pod creation should pass.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/4847

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-pass-2
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

34
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml Normal file
View file

@ -0,0 +1,34 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-pass-2
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 30
background: false
rules:
- name: check-builder-id-keyless
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/chipzoller/zulu*"
attestations:
- predicateType: cosign.sigstore.dev/attestation/vuln/v1
attestors:
- entries:
- keyless:
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
conditions:
- all:
- key: "{{ regex_match('^pkg:github/aquasecurity/trivy@0.34.0','{{ scanner.uri }}') }}"
operator: Equals
value: true

11
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: zulu

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14
name: zulu

4
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/99-cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true

11
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
## Expected Behavior
Given another defined predicateType, the image's subject and issuer match as well as the attestation specified in the conditions block. The pod creation should pass.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/4847

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-fail-1
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

34
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml Normal file
View file

@ -0,0 +1,34 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-fail-1
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 30
background: false
rules:
- name: check-builder-id-keyless-fail-1
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/chipzoller/zulu*"
attestations:
- predicateType: cosign.sigstore.dev/attestation/vuln/v1
attestors:
- entries:
- keyless:
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
conditions:
- all:
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
operator: Equals
value: true

14
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-script.yaml Normal file
View file

@ -0,0 +1,14 @@
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f pod.yaml
then
echo "Tested failed. Resource was allowed."
exit 1
else
echo "Test succeeded. Resource was blocked."
exit 0
fi

5
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default

4
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/99-cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

12
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
## Expected Behavior
Given the defined predicateType, the image's subject and issuer for this predicateType does not match. The pod creation should be blocked.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/4847

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/pod.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14
name: zulu

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-pass-4
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

27
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml Normal file
View file

@ -0,0 +1,27 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
pod-policies.kyverno.io/autogen-controllers: none
name: check-slsa-attestations-pass-4
spec:
background: false
rules:
- match:
any:
- resources:
kinds:
- Pod
name: check-builder-id-keyless
verifyImages:
- attestations:
- conditions:
- all:
- key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
builder.id}}'') }}'
operator: Equals
value: true
predicateType: https://slsa.dev/provenance/v0.2
imageReferences:
- ghcr.io/chipzoller/zulu*
validationFailureAction: enforce

11
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: zulu

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14
name: zulu

4
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/99-cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true

12
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
## Expected Behavior
`attestations.attestor` is optional. The pod creation should be allowed with the valid attestations.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/4847

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-pass-3
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

40
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml Normal file
View file

@ -0,0 +1,40 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-pass-3
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 30
background: false
rules:
- name: check-builder-id-keyless
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/chipzoller/zulu*"
attestations:
- predicateType: https://slsa.dev/provenance/v0.2
attestors:
- entries:
- keyless:
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
- keyless:
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
count: 1
conditions:
- all:
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
operator: Equals
value: true

11
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: zulu

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14
name: zulu

4
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/99-cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true

12
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
## Expected Behavior
Given the defined predicateType, the matching attestor entries must greater than or equal to the count specified in the rule. This test has one valid attestor so the pod creation should be allowed.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/4847

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-fail-2
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

40
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml Normal file
View file

@ -0,0 +1,40 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-fail-2
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 30
background: false
rules:
- name: check-builder-id-keyless
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/chipzoller/zulu*"
attestations:
- predicateType: https://slsa.dev/provenance/v0.2
attestors:
- entries:
- keyless:
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
- keyless:
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
count: 2
conditions:
- all:
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
operator: Equals
value: true

14
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-script.yaml Normal file
View file

@ -0,0 +1,14 @@
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f pod.yaml
then
echo "Tested failed. Resource was allowed."
exit 1
else
echo "Test succeeded. Resource was blocked."
exit 0
fi

5
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default

4
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/99-cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

12
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
## Expected Behavior
Given the defined predicateType, the matching attestor entries must greater than or equal to the count specified in the rule. This test has one valid attestor which is less than the specified count, so the pod creation should be blocked.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/4847

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/pod.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14
name: zulu

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-fail-3
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

39
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml Normal file
View file

@ -0,0 +1,39 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-slsa-attestations-fail-3
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 30
background: false
rules:
- name: check-builder-id-keyless
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/chipzoller/zulu*"
attestations:
- predicateType: https://slsa.dev/provenance/v0.2
attestors:
- entries:
- keyless:
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
- keyless:
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
conditions:
- all:
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
operator: Equals
value: true

14
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-script.yaml Normal file
View file

@ -0,0 +1,14 @@
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f pod.yaml
then
echo "Tested failed. Resource was allowed."
exit 1
else
echo "Test succeeded. Resource was blocked."
exit 0
fi

5
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default

4
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/99-cleanup.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

12
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/README.md Normal file
View file

@ -0,0 +1,12 @@
## Description
Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
## Expected Behavior
Given the defined predicateType, all attestor entries must be valid if the count is not specified. This test only has one valid attestor so the pod creation should be blocked.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/4847

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/pod.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14
name: zulu