From ef06833613656a966e9810b1c82debdfb2fa16fa Mon Sep 17 00:00:00 2001 From: shuting Date: Fri, 2 Dec 2022 06:09:44 +0800 Subject: [PATCH] feat: support attestations with multiple signatures (#5409) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add new attribute ".verifyImages.attestations.attestors" Signed-off-by: ShutingZhao * Update CRDs Signed-off-by: ShutingZhao * support multiple subjects for attestations Signed-off-by: ShutingZhao * - fix entries check; - refactors code Signed-off-by: ShutingZhao * fix linter Signed-off-by: ShutingZhao * - allow both attestors and attestations; - make attestations.attestor optional Signed-off-by: ShutingZhao * fix panic Signed-off-by: ShutingZhao * fix tests Signed-off-by: ShutingZhao * add kuttl tests Signed-off-by: ShutingZhao * fix tests Signed-off-by: ShutingZhao * fix tests Signed-off-by: ShutingZhao * fix tests Signed-off-by: ShutingZhao * remove the invalid test Signed-off-by: ShutingZhao * fix empty attestor Signed-off-by: ShutingZhao * add cleanup steps Signed-off-by: ShutingZhao * Update api/kyverno/v1/image_verification_types.go Signed-off-by: Charles-Edouard Brétéché * update codegen Signed-off-by: Charles-Edouard Brétéché Signed-off-by: ShutingZhao 
Signed-off-by: Charles-Edouard Brétéché Co-authored-by: Jim Bugwadia Co-authored-by: Charles-Edouard Brétéché Co-authored-by: Charles-Edouard Brétéché --- Makefile | 2 +- api/kyverno/v1/image_verification_test.go | 5 - api/kyverno/v1/image_verification_types.go | 34 +- api/kyverno/v1/zz_generated.deepcopy.go | 7 + .../v2beta1/image_verification_test.go | 5 - .../v2beta1/image_verification_types.go | 9 +- charts/kyverno/templates/crds.yaml | 872 +++++++++ config/crds/kyverno.io_clusterpolicies.yaml | 802 +++++++++ config/crds/kyverno.io_policies.yaml | 802 +++++++++ config/install.yaml | 1604 +++++++++++++++++ config/install_debug.yaml | 1604 +++++++++++++++++ docs/user/crd/index.html | 14 + pkg/clients/dclient/discovery.go | 2 +- pkg/cosign/cosign.go | 125 +- pkg/cosign/cosign_test.go | 6 +- pkg/engine/imageVerify.go | 146 +- pkg/engine/imageVerify_test.go | 4 +- .../01-assert.yaml | 9 + .../01-manifests.yaml | 35 + .../02-assert.yaml | 11 + .../02-pod.yaml | 9 + .../99-cleanup.yaml | 4 + .../README.md | 11 + .../01-assert.yaml | 9 + .../01-manifests.yaml | 34 + .../02-assert.yaml | 11 + .../02-pod.yaml | 9 + .../99-cleanup.yaml | 4 + .../README.md | 11 + .../01-assert.yaml | 9 + .../01-manifests.yaml | 34 + .../02-script.yaml | 14 + .../03-errors.yaml | 5 + .../99-cleanup.yaml | 4 + .../README.md | 12 + .../pod.yaml | 9 + .../01-assert.yaml | 9 + .../01-manifests.yaml | 27 + .../02-assert.yaml | 11 + .../02-pod.yaml | 9 + .../99-cleanup.yaml | 4 + .../README.md | 12 + .../01-assert.yaml | 9 + .../01-manifests.yaml | 40 + .../02-assert.yaml | 11 + .../02-pod.yaml | 9 + .../99-cleanup.yaml | 4 + .../README.md | 12 + .../01-assert.yaml | 9 + .../01-manifests.yaml | 40 + .../02-script.yaml | 14 + .../03-errors.yaml | 5 + .../99-cleanup.yaml | 4 + .../README.md | 12 + .../pod.yaml | 9 + .../01-assert.yaml | 9 + .../01-manifests.yaml | 39 + .../02-script.yaml | 14 + .../03-errors.yaml | 5 + .../99-cleanup.yaml | 4 + .../README.md | 12 + .../pod.yaml | 9 + 62 files 
changed, 6521 insertions(+), 108 deletions(-) create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/99-cleanup.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/README.md create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/99-cleanup.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/README.md create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml create mode 100644 
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-script.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/99-cleanup.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/README.md create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/pod.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/99-cleanup.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/README.md create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml create mode 100644 
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/99-cleanup.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/README.md create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-script.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/99-cleanup.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/README.md create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/pod.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-script.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml create mode 100644 
test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/99-cleanup.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/README.md create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/pod.yaml diff --git a/Makefile b/Makefile index 544b5565da..fd64496594 100644 --- a/Makefile +++ b/Makefile @@ -487,7 +487,7 @@ verify-helm: codegen-helm-all ## Check Helm charts are up to date @echo Checking helm charts are up to date... >&2 @git --no-pager diff charts @echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-helm-all".' >&2 - @echo 'To correct this, locally run "make codegen-helm", commit the changes, and re-run tests.' >&2 + @echo 'To correct this, locally run "make codegen-helm-all", commit the changes, and re-run tests.' >&2 @git diff --quiet --exit-code charts .PHONY: verify-codegen diff --git a/api/kyverno/v1/image_verification_test.go b/api/kyverno/v1/image_verification_test.go index 71f3f1964a..67883bd92e 100644 --- a/api/kyverno/v1/image_verification_test.go +++ b/api/kyverno/v1/image_verification_test.go @@ -174,11 +174,6 @@ func Test_ImageVerification(t *testing.T) { }, }, }, - errors: func(i *ImageVerification) field.ErrorList { - return field.ErrorList{ - field.Invalid(path, i, "An attestor is required"), - } - }, }, { name: "multiple entries", diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index c4e1ab5eb6..9d5704ffe5 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go 
@@ -213,6 +213,10 @@ type Attestation struct { // PredicateType defines the type of Predicate contained within the Statement. PredicateType string `json:"predicateType,omitempty" yaml:"predicateType,omitempty"` + // Attestors specify the required attestors (i.e. authorities) + // +kubebuilder:validation:Optional + Attestors []AttestorSet `json:"attestors" yaml:"attestors"` + // Conditions are used to verify attributes within a Predicate. If no Conditions are specified // the attestation check is satisfied as long there are predicates that match the predicate type. // +optional @@ -227,11 +231,10 @@ func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) { errs = append(errs, field.Invalid(path, iv, "An image reference is required")) } - hasAttestors := len(copy.Attestors) > 0 - hasAttestations := len(copy.Attestations) > 0 - - if hasAttestations && !hasAttestors { - errs = append(errs, field.Invalid(path, iv, "An attestor is required")) + asPath := path.Child("attestations") + for i, attestation := range copy.Attestations { + attestationErrors := attestation.Validate(asPath.Index(i)) + errs = append(errs, attestationErrors...) } attestorsPath := path.Child("attestors") @@ -243,6 +246,19 @@ func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) { return errs } +func (a *Attestation) Validate(path *field.Path) (errs field.ErrorList) { + if len(a.Attestors) == 0 { + return + } + + attestorsPath := path.Child("attestors") + for i, as := range a.Attestors { + attestorErrors := as.Validate(attestorsPath.Index(i)) + errs = append(errs, attestorErrors...) + } + return errs +} + func (as *AttestorSet) Validate(path *field.Path) (errs field.ErrorList) { return validateAttestorSet(as, path) } 
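Review bot: The new `Attestors` field is annotated `+kubebuilder:validation:Optional` but its struct tag has no `omitempty`, so a nil slice is serialized as `"attestors": null` rather than being dropped, unlike the neighbouring `PredicateType` (`json:"predicateType,omitempty"`) and the `// +optional` marker used on `Conditions`. I would make the tag consistent: `Attestors []AttestorSet \`json:"attestors,omitempty" yaml:"attestors,omitempty"\``. The doc comment should also say how this list relates to the rule-level `attestors` (whether both are enforced, or one replaces the other), since that is what a policy author has to reason about and the hunk leaves it unstated; the `Attestation` struct is only partly visible here.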
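Review bot: Removing the "An attestor is required" check, combined with `Attestation.Validate` returning no error when `len(a.Attestors) == 0`, means a rule may now declare `attestations` with no attestors at either the rule level or the attestation level, and validation will accept it. Whether the engine then rejects such a rule or skips signature verification of the fetched statements is decided in pkg/engine/imageVerify.go, which is not in this view; if it is the latter, an unsigned in-toto statement would satisfy the policy. I would keep the admission-time guarantee by requiring at least one source of attestors, e.g. inside the new loop: `if len(copy.Attestors) == 0 && len(attestation.Attestors) == 0 { errs = append(errs, field.Invalid(asPath.Index(i), attestation, "An attestor is required")) }`. The enclosing `Validate` method starts before and continues after this hunk.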
@@ -382,7 +398,13 @@ func (iv *ImageVerification) Convert() *ImageVerification { } attestorSet.Entries = append(attestorSet.Entries, attestor) - copy.Attestors = append(copy.Attestors, attestorSet) + if len(iv.Attestations) > 0 { + for i := range iv.Attestations { + copy.Attestations[i].Attestors = append(copy.Attestations[i].Attestors, attestorSet) + } + } else { + copy.Attestors = append(copy.Attestors, attestorSet) + } } copy.Attestations = iv.Attestations diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index ee25ec169a..351f8b21e7 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -91,6 +91,13 @@ func (in *AnyAllConditions) DeepCopy() *AnyAllConditions { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Attestation) DeepCopyInto(out *Attestation) { *out = *in + if in.Attestors != nil { + in, out := &in.Attestors, &out.Attestors + *out = make([]AttestorSet, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Conditions != nil { in, out := &in.Conditions, &out.Conditions *out = make([]AnyAllConditions, len(*in)) diff --git a/api/kyverno/v2beta1/image_verification_test.go b/api/kyverno/v2beta1/image_verification_test.go index 9adab20eca..e5054a1879 100644 --- a/api/kyverno/v2beta1/image_verification_test.go +++ b/api/kyverno/v2beta1/image_verification_test.go @@ -117,11 +117,6 @@ func Test_ImageVerification(t *testing.T) { }, }, }, - errors: func(i *ImageVerification) field.ErrorList { - return field.ErrorList{ - field.Invalid(path, i, "An attestor is required"), - } - }, }, } diff --git a/api/kyverno/v2beta1/image_verification_types.go b/api/kyverno/v2beta1/image_verification_types.go index 9ec4fa5544..5fafa87a36 100644 --- a/api/kyverno/v2beta1/image_verification_types.go +++ b/api/kyverno/v2beta1/image_verification_types.go 
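Review bot: The new loop writes the legacy attestor set into `copy.Attestations[i].Attestors`, but the unchanged context line right after it, `copy.Attestations = iv.Attestations`, then replaces `copy.Attestations` with the receiver's own slice. How `copy` is built is above the hunk; if it is a deep copy (which the `DeepCopyInto` change in this same patch suggests is the intent), the appended attestor set is discarded and the converted rule carries attestations with no attestors, which the relaxed `Validate` now accepts; if it is a shallow copy, the loop instead mutates `iv.Attestations[i]` in place through the shared backing array, so repeated `Convert()` calls keep appending duplicates. Either way the trailing assignment should not follow the loop: drop `copy.Attestations = iv.Attestations` (or move it above the `if len(iv.Attestations) > 0` branch) and add a test that a legacy `key`/`issuer` rule with `attestations` converts to attestations that each carry the attestor. The body of `Convert` begins before this hunk.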
@@ -55,11 +55,10 @@ func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) { errs = append(errs, field.Invalid(path, iv, "An image reference is required")) } - hasAttestors := len(copy.Attestors) > 0 - hasAttestations := len(copy.Attestations) > 0 - - if hasAttestations && !hasAttestors { - errs = append(errs, field.Invalid(path, iv, "An attestor is required")) + asPath := path.Child("attestations") + for i, attestation := range copy.Attestations { + attestationErrors := attestation.Validate(asPath.Index(i)) + errs = append(errs, attestationErrors...) } attestorsPath := path.Child("attestors") diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index e1bc588093..b9d928f154 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml 
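Review bot: This v2beta1 `Validate` drops the same "An attestor is required" guard as the v1 version and delegates to `attestation.Validate`, which (per the v1 hunk in this patch) returns no error when an attestation has no attestors, so a v2beta1 rule with `attestations` but no attestors anywhere now passes admission validation. Unless the engine is known to reject that shape, I would require at least one source of attestors here too, mirroring whatever is done in v1: `if len(copy.Attestors) == 0 && len(attestation.Attestors) == 0 { errs = append(errs, field.Invalid(asPath.Index(i), attestation, "An attestor is required")) }`. A small naming nit: `asPath` reads as the AttestorSet path next to `attestorsPath`; `attestationsPath` would be clearer. The method starts and ends outside this hunk.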
@@ -4514,6 +4514,115 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: Name of the secret. The provided secret must contain a key named cosign.pub. + type: string + namespace: + description: Namespace name where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: 
@@ -6293,6 +6402,115 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: Name of the secret. The provided secret must contain a key named cosign.pub. + type: string + namespace: + description: Namespace name where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: 
@@ -8051,6 +8269,115 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: Name of the secret. The provided secret must contain a key named cosign.pub. + type: string + namespace: + description: Namespace name where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: 
@@ -9815,6 +10142,115 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: Name of the secret. The provided secret must contain a key named cosign.pub. + type: string + namespace: + description: Namespace name where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: 
@@ -12185,6 +12621,115 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: Name of the secret. The provided secret must contain a key named cosign.pub. + type: string + namespace: + description: Namespace name where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: 
@@ -13964,6 +14509,115 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: Name of the secret. The provided secret must contain a key named cosign.pub. + type: string + namespace: + description: Namespace name where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: 
@@ -15722,6 +16376,115 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: Name of the secret. The provided secret must contain a key named cosign.pub. + type: string + namespace: + description: Namespace name where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: 
@@ -17486,6 +18249,115 @@ spec: items: description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or more certificates + properties: + cert: + description: Certificate is an optional PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional PEM encoded set of certificates used to verify + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
+ properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are certificate-extensions used for keyless signing. + type: object + issuer: + description: Issuer is the certificate issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity used for keyless signing, for example the email address + type: string + type: object + keys: + description: Keys specifies one or more public keys + properties: + kms: + description: 'KMS provides the URI to the public key stored in a Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + url: + description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource that contains a public key + properties: + name: + description: Name of the secret. The provided secret must contain a key named cosign.pub. + type: string + namespace: + description: Namespace name where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm for public keys. Supported values are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type. items: diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index f14a1bb5a7..9503628777 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml 
@@ -2512,6 +2512,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -5432,6 +5624,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -8166,6 +8567,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -11061,6 +11654,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 1bb74a9b1f..0c56a36924 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml 
@@ -2513,6 +2513,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -5434,6 +5626,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -8169,6 +8570,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -11064,6 +11657,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified diff --git a/config/install.yaml b/config/install.yaml index 94fbd98869..4f658d0c5d 100644 --- a/config/install.yaml +++ b/config/install.yaml 
@@ -6724,6 +6724,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -9644,6 +9836,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -12378,6 +12779,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -15273,6 +15866,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -18839,6 +19641,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -21760,6 +22754,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -24495,6 +25698,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -27390,6 +28785,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified diff --git a/config/install_debug.yaml b/config/install_debug.yaml index 63e57ff9db..6a432d6c83 100644 --- a/config/install_debug.yaml +++ b/config/install_debug.yaml 
@@ -6716,6 +6716,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -9636,6 +9828,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -12370,6 +12771,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -15265,6 +15858,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -18828,6 +19630,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -21749,6 +22743,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -24484,6 +25687,198 @@ spec: signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked and a root + certificate chain is expected + instead. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If the value is nil, + Rekor is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified 
@@ -27379,6 +28774,215 @@ spec: fetches signed attestations from the OCI registry and decodes them into a list of Statements. properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked and a root + certificate chain is expected + instead. If an empty object + is provided the public instance + of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/). 
+ When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If the value is nil, Rekor + is not checked. If an empty + object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array conditions: description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 918d8c7e54..cfb895cdef 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -812,6 +812,19 @@ string +attestors
+ + +[]AttestorSet + + + + +

Attestors specify the required attestors (i.e. authorities)

+ + + + conditions
@@ -929,6 +942,7 @@ If specified Repository will override other OCI image repository locations for t

(Appears on: +Attestation, ImageVerification, Manifests, ImageVerification) diff --git a/pkg/clients/dclient/discovery.go b/pkg/clients/dclient/discovery.go index c7e6d83123..604a78eece 100644 --- a/pkg/clients/dclient/discovery.go +++ b/pkg/clients/dclient/discovery.go @@ -146,7 +146,7 @@ func (c serverPreferredResources) findResource(apiVersion string, kind string) ( for _, resource := range serverResource.APIResources { if resourceMatches(resource, kind, subresource) { - logger.V(4).Info("matched API resource to kind", "apiResource", resource, "kind", kind) + logger.V(6).Info("matched API resource to kind", "apiResource", resource, "kind", kind) gv, err := schema.ParseGroupVersion(serverResource.GroupVersion) if err != nil { logger.Error(err, "failed to parse GV", "groupVersion", serverResource.GroupVersion) diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go index 0ed35af8a4..92d959c979 100644 --- a/pkg/cosign/cosign.go +++ b/pkg/cosign/cosign.go @@ -48,6 +48,7 @@ type Options struct { Repository string RekorURL string SignatureAlgorithm string + PredicateType string } type Response struct { @@ -57,16 +58,8 @@ type Response struct { type CosignError struct{} -func Verify(opts Options) (*Response, error) { - if opts.FetchAttestations { - return fetchAttestations(opts) - } else { - return verifySignature(opts) - } -} - -// verifySignature verifies that the image has the expected signatures -func verifySignature(opts Options) (*Response, error) { +// VerifySignature verifies that the image has the expected signatures +func VerifySignature(opts Options) (*Response, error) { ref, err := name.ParseReference(opts.ImageRef) if err != nil { return nil, fmt.Errorf("failed to parse image %s", opts.ImageRef) 
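Review bot: The new `PredicateType` field on Options carries no comment, yet it changes what both exported entry points do: VerifySignature skips digest extraction when it is set and FetchAttestations filters signatures by it. A one-line field comment would make that contract visible to callers now that the functions are exported, e.g. `PredicateType string // in-toto predicateType to select; when set, only matching attestations are checked and VerifySignature returns no digest`. The Options struct starts outside this hunk.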
@@ -106,9 +99,12 @@ func verifySignature(opts Options) (*Response, error) { return nil, err } - digest, err := extractDigest(opts.ImageRef, payload) - if err != nil { - return nil, err + var digest string + if opts.PredicateType == "" { + digest, err = extractDigest(opts.ImageRef, payload) + if err != nil { + return nil, err + } } return &Response{Digest: digest}, nil @@ -256,9 +252,9 @@ func loadCertChain(pem []byte) ([]*x509.Certificate, error) { return cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(pem)) } -// fetchAttestations retrieves signed attestations and decodes them into in-toto statements +// FetchAttestations retrieves signed attestations and decodes them into in-toto statements // https://github.com/in-toto/attestation/blob/main/spec/README.md#statement -func fetchAttestations(opts Options) (*Response, error) { +func FetchAttestations(opts Options) (*Response, error) { cosignOpts, err := buildCosignOptions(opts) if err != nil { return nil, err @@ -291,8 +287,20 @@ func fetchAttestations(opts Options) (*Response, error) { return nil, err } - if err := matchSignatures(signatures, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil { - return nil, err + for _, signature := range signatures { + match, predicateType, err := matchPredicateType(signature, opts.PredicateType) + if err != nil { + return nil, err + } + + if !match { + logger.V(4).Info("predicateType doesn't match, continue", "expected", opts.PredicateType, "received", predicateType) + continue + } + + if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil { + return nil, err + } } err = checkAnnotations(payload, opts.Annotations) 
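Review bot: Response.Digest is now silently empty whenever opts.PredicateType is set, because the extractDigest call is skipped and nothing else assigns `digest` before the return. A caller that pins the image to the returned digest, or compares it with the resolved image digest, has to treat the empty value as "no digest" rather than as a match; whether the callers in pkg/engine do so is not visible in this chunk. The comment on VerifySignature should state it, e.g. `// When opts.PredicateType is set the signed payload is an attestation and no digest is extracted; Response.Digest is then empty.` VerifySignature's body starts outside this hunk.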
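Review bot: The rewritten loop never calls matchSignatures when opts.PredicateType is empty, because matchPredicateType returns false without inspecting the statement in that case, so the subject/issuer/extension checks that the removed line applied to every signature are now skipped entirely unless every caller sets PredicateType. The same fall-through happens when PredicateType is set but no signature carries it: the loop ends, checkAnnotations and decodeStatements run, and the statements are returned with no identity check applied to any of them. Unless the engine is guaranteed to pass a non-empty PredicateType and to reject an empty result (neither is visible here), the filter should only apply when a predicate type was requested and the function should fail when nothing matched; if an empty match set is meant to be reported by the caller instead, keep the guard and drop the `matched` check. FetchAttestations continues outside this hunk.
```go
	matched := 0
	for _, signature := range signatures {
		// Filter by predicateType only when one was requested; otherwise
		// every signature goes through the identity checks, as before.
		if opts.PredicateType != "" {
			match, predicateType, err := matchPredicateType(signature, opts.PredicateType)
			if err != nil {
				return nil, err
			}
			if !match {
				logger.V(4).Info("predicateType doesn't match, continue", "expected", opts.PredicateType, "received", predicateType)
				continue
			}
		}

		if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
			return nil, err
		}
		matched++
	}
	if matched == 0 {
		return nil, fmt.Errorf("no attestations matched predicateType %q", opts.PredicateType)
	}
	// … unchanged: checkAnnotations, decodeStatements, Response …
```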
@@ -309,49 +317,78 @@ func fetchAttestations(opts Options) (*Response, error) { return &Response{Digest: digest, Statements: inTotoStatements}, nil } +func matchPredicateType(sig oci.Signature, expectedPredicateType string) (bool, string, error) { + if expectedPredicateType != "" { + statement, _, err := decodeStatement(sig) + if err != nil { + return false, "", errors.Wrapf(err, "failed to decode predicateType") + } + + if pType, ok := statement["predicateType"]; ok { + if pType.(string) == expectedPredicateType { + return true, pType.(string), nil + } + } + } + return false, "", nil +} + func decodeStatements(sigs []oci.Signature) ([]map[string]interface{}, string, error) { if len(sigs) == 0 { return []map[string]interface{}{}, "", nil } var digest string + var statement map[string]interface{} decodedStatements := make([]map[string]interface{}, len(sigs)) for i, sig := range sigs { - pld, err := sig.Payload() + var err error + statement, digest, err = decodeStatement(sig) if err != nil { - return nil, "", errors.Wrap(err, "failed to decode payload") + return nil, "", err } - sci := payload.SimpleContainerImage{} - if err := json.Unmarshal(pld, &sci); err != nil { - return nil, "", errors.Wrap(err, "error decoding the payload") - } - - if d := sci.Critical.Image.DockerManifestDigest; d != "" { - digest = d - } - - data := make(map[string]interface{}) - if err := json.Unmarshal(pld, &data); err != nil { - return nil, "", errors.Wrapf(err, "failed to unmarshal JSON payload: %v", sig) - } - - if dataPayload, ok := data["payload"]; !ok { - return nil, "", fmt.Errorf("missing payload in %v", data) - } else { - decodedStatement, err := decodeStatement(dataPayload.(string)) - if err != nil { - return nil, "", errors.Wrapf(err, "failed to decode statement %s", string(pld)) - } - - decodedStatements[i] = decodedStatement - } + decodedStatements[i] = statement } return decodedStatements, digest, nil } -func decodeStatement(payloadBase64 string) (map[string]interface{}, 
error) { +func decodeStatement(sig oci.Signature) (map[string]interface{}, string, error) { + var digest string + + pld, err := sig.Payload() + if err != nil { + return nil, "", errors.Wrap(err, "failed to decode payload") + } + + sci := payload.SimpleContainerImage{} + if err := json.Unmarshal(pld, &sci); err != nil { + return nil, "", errors.Wrap(err, "error decoding the payload") + } + + if d := sci.Critical.Image.DockerManifestDigest; d != "" { + digest = d + } + + data := make(map[string]interface{}) + if err := json.Unmarshal(pld, &data); err != nil { + return nil, "", errors.Wrapf(err, "failed to unmarshal JSON payload: %v", sig) + } + + if dataPayload, ok := data["payload"]; !ok { + return nil, "", fmt.Errorf("missing payload in %v", data) + } else { + decodedStatement, err := decodePayload(dataPayload.(string)) + if err != nil { + return nil, "", errors.Wrapf(err, "failed to decode statement %s", string(pld)) + } + + return decodedStatement, digest, nil + } +} + +func decodePayload(payloadBase64 string) (map[string]interface{}, error) { statementRaw, err := base64.StdEncoding.DecodeString(payloadBase64) if err != nil { return nil, errors.Wrapf(err, "failed to base64 decode payload for %v", statementRaw) diff --git a/pkg/cosign/cosign_test.go b/pkg/cosign/cosign_test.go index 0ddfaf9143..f3a2c584cd 100644 --- a/pkg/cosign/cosign_test.go +++ b/pkg/cosign/cosign_test.go @@ -76,15 +76,15 @@ func TestCosignKeyless(t *testing.T) { Subject: "jim", } - _, err := verifySignature(opts) + _, err := VerifySignature(opts) assert.ErrorContains(t, err, "subject mismatch: expected jim, received jim@nirmata.com") opts.Subject = "jim@nirmata.com" - _, err = verifySignature(opts) + _, err = VerifySignature(opts) assert.ErrorContains(t, err, "issuer mismatch: expected https://github.com/, received https://github.com/login/oauth") opts.Issuer = "https://github.com/login/oauth" - _, err = verifySignature(opts) + _, err = VerifySignature(opts) assert.NilError(t, err) } 
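Review bot: `pType.(string)` in matchPredicateType is an unchecked assertion on a value parsed from the fetched payload, so a statement whose `predicateType` is not a JSON string panics the verifier instead of returning an error. On a mismatch the function also returns `""` as the received type, which makes the caller's `"received", predicateType` log field always empty; the two-value form fixes both: `if pType, ok := statement["predicateType"].(string); ok {` / `return pType == expectedPredicateType, pType, nil` / `}`. `errors.Wrapf(err, "failed to decode predicateType")` has no format arguments and should be `errors.Wrap`, and the message describes decoding the statement rather than the predicateType. Each signature is now decoded here and again in decodeStatements; a short comment noting the double decode is deliberate, or reusing the decoded statement, would help the next reader.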
diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go index fd0f9735f1..e977df16bc 100644 --- a/pkg/engine/imageVerify.go +++ b/pkg/engine/imageVerify.go @@ -293,7 +293,7 @@ func imageMatches(image string, imagePatterns []string) bool { } func (iv *imageVerifier) verifyImage(imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) (*response.RuleResponse, string) { - if len(imageVerify.Attestors) <= 0 { + if len(imageVerify.Attestors) <= 0 && len(imageVerify.Attestations) <= 0 { return nil, "" } @@ -307,11 +307,28 @@ func (iv *imageVerifier) verifyImage(imageVerify kyvernov1.ImageVerification, im return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), "" } + if len(imageVerify.Attestors) > 0 { + ruleResp, _, _ := iv.verifyAttestors(imageVerify.Attestors, imageVerify, imageInfo, "") + if ruleResp.Status != response.RuleStatusPass { + return ruleResp, "" + } + } + + return iv.verifyAttestations(imageVerify, imageInfo) +} + +func (iv *imageVerifier) verifyAttestors(attestors []kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification, + imageInfo apiutils.ImageInfo, predicateType string, +) (*response.RuleResponse, *cosign.Response, []kyvernov1.AttestorSet) { var cosignResponse *cosign.Response - for i, attestorSet := range imageVerify.Attestors { + var newAttestors []kyvernov1.AttestorSet + image := imageInfo.String() + + for i, attestorSet := range attestors { var err error path := fmt.Sprintf(".attestors[%d]", i) - cosignResponse, err = iv.verifyAttestorSet(attestorSet, imageVerify, imageInfo, path) + iv.logger.V(4).Info("verifying attestors", "path", path) + cosignResponse, err = iv.verifyAttestorSet(attestorSet, imageVerify, imageInfo, path, predicateType) if err != nil { iv.logger.Error(err, "failed to verify image") msg := fmt.Sprintf("failed to verify image %s: %s", image, err.Error()) 
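Review bot: The cosign response from the attestors check is discarded at `ruleResp, _, _ := iv.verifyAttestors(...)`, so verifyImage's second return value is now always the `""` produced by verifyAttestations, whereas before this change it returned `cosignResponse.Digest`. Unless the caller resolves the digest some other way (not visible here), rules that only set `attestors` lose the digest they used to return; keeping the response and returning early restores it: `ruleResp, cosignResp, _ := iv.verifyAttestors(...)` followed by `if len(imageVerify.Attestations) == 0 { return ruleResp, cosignResp.Digest }` inside the existing `if` block (cosignResp is non-nil whenever the status is Pass). Relatedly, a rule with attestors but no attestations falls through to verifyAttestations and reports `verified image attestations for …` although no attestation was examined, which misleads anyone reading audit logs. The third return value of verifyAttestors (`newAttestors`) has no caller in this patch; verifyAttestors's body continues in the next hunk.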
@@ -319,23 +336,84 @@ func (iv *imageVerifier) verifyImage(imageVerify kyvernov1.ImageVerification, im // handle registry network errors as a rule error (instead of a policy failure) var netErr *net.OpError if errors.As(err, &netErr) { - return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), "" + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), nil, nil } - return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil), "" + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil), nil, nil } + newAttestors = append(newAttestors, attestors[i]) } if cosignResponse == nil { - return ruleError(iv.rule, response.ImageVerify, "invalid response", fmt.Errorf("nil")), "" + return ruleError(iv.rule, response.ImageVerify, "invalid response", fmt.Errorf("nil")), nil, nil } msg := fmt.Sprintf("verified image signatures for %s", image) - return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), cosignResponse.Digest + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), cosignResponse, newAttestors +} + +func (iv *imageVerifier) verifyAttestations(imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) (*response.RuleResponse, string) { + image := imageInfo.String() + for i, attestation := range imageVerify.Attestations { + var attestationError error + path := fmt.Sprintf(".attestations[%d]", i) + + attestors := attestation.Attestors + if len(attestation.Attestors) == 0 { + attestors = []kyvernov1.AttestorSet{{}} + } + + for j, attestor := range attestors { + attestorPath := fmt.Sprintf("%s.attestors[%d]", path, j) + + requiredCount := getRequiredCount(attestor) + verifiedCount := 0 + + entries := attestor.Entries + if len(entries) == 0 { + entries = []kyvernov1.Attestor{{}} + } + + for _, a := range entries { + entryPath := fmt.Sprintf("%s.entries[%d]", attestorPath, i) + 
opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, attestation) + cosignResp, err := cosign.FetchAttestations(*opts) + if err != nil { + iv.logger.Error(err, "failed to fetch attestations") + msg := fmt.Sprintf("failed to fetch attestations %s: %s", image, err.Error()) + // handle registry network errors as a rule error (instead of a policy failure) + var netErr *net.OpError + if errors.As(err, &netErr) { + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), "" + } + + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil), "" + } + + verifiedCount++ + attestationError = iv.verifyAttestation(cosignResp.Statements, attestation, imageInfo) + if attestationError != nil { + attestationError = errors.Wrapf(attestationError, entryPath+subPath) + return ruleResponse(*iv.rule, response.ImageVerify, attestationError.Error(), response.RuleStatusFail, nil), "" + } + + if verifiedCount >= requiredCount { + msg := fmt.Sprintf("image attestations verification succeeded, verifiedCount: %v, requiredCount: %v", verifiedCount, requiredCount) + iv.logger.V(2).Info(msg) + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), "" + } + } + } + iv.logger.V(4).Info("attestation checks passed", "path", path, "image", imageInfo.String(), "predicateType", attestation.PredicateType) + } + + msg := fmt.Sprintf("verified image attestations for %s", image) + iv.logger.V(2).Info(msg) + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), "" } func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification, - imageInfo apiutils.ImageInfo, path string, + imageInfo apiutils.ImageInfo, path, predicateType string, ) (*cosign.Response, error) { var errorList []error verifiedCount := 0 
@@ -347,6 +425,7 @@ func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, im var entryError error var cosignResp *cosign.Response attestorPath := fmt.Sprintf("%s.entries[%d]", path, i) + iv.logger.V(4).Info("verifying attestorSet", "path", attestorPath) if a.Attestor != nil { nestedAttestorSet, err := kyvernov1.AttestorSetUnmarshal(a.Attestor) @@ -354,15 +433,11 @@ func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, im entryError = errors.Wrapf(err, "failed to unmarshal nested attestor %s", attestorPath) } else { attestorPath += ".attestor" - cosignResp, entryError = iv.verifyAttestorSet(*nestedAttestorSet, imageVerify, imageInfo, attestorPath) + cosignResp, entryError = iv.verifyAttestorSet(*nestedAttestorSet, imageVerify, imageInfo, attestorPath, predicateType) } } else { - opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image) - cosignResp, entryError = cosign.Verify(*opts) - if entryError == nil && opts.FetchAttestations { - entryError = iv.verifyAttestations(cosignResp.Statements, imageVerify, imageInfo) - } - + opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, kyvernov1.Attestation{PredicateType: predicateType}) + cosignResp, entryError = cosign.VerifySignature(*opts) if entryError != nil { entryError = errors.Wrapf(entryError, attestorPath+subPath) } @@ -371,7 +446,7 @@ func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, im if entryError == nil { verifiedCount++ if verifiedCount >= requiredCount { - iv.logger.V(2).Info("image verification succeeded", "verifiedCount", verifiedCount, "requiredCount", requiredCount) + iv.logger.V(2).Info("image attestors verification succeeded", "verifiedCount", verifiedCount, "requiredCount", requiredCount) return cosignResp, nil } } else { 
@@ -379,8 +454,8 @@ func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, im } } - iv.logger.Info("image verification failed", "verifiedCount", verifiedCount, "requiredCount", requiredCount, "errors", errorList) err := multierr.Combine(errorList...) + iv.logger.Info("image attestors verification failed", "verifiedCount", verifiedCount, "requiredCount", requiredCount, "errors", err.Error()) return nil, err } @@ -436,7 +511,7 @@ func getRequiredCount(as kyvernov1.AttestorSet) int { return *as.Count } -func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageVerify kyvernov1.ImageVerification, image string) (*cosign.Options, string) { +func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageVerify kyvernov1.ImageVerification, image string, attestation kyvernov1.Attestation) (*cosign.Options, string) { path := "" opts := &cosign.Options{ ImageRef: image, @@ -448,7 +523,8 @@ func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageV opts.Roots = imageVerify.Roots } - if len(imageVerify.Attestations) > 0 { + opts.PredicateType = attestation.PredicateType + if attestation.PredicateType != "" { opts.FetchAttestations = true } 
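Review bot: `err.Error()` in the new log call dereferences the result of `multierr.Combine(errorList...)`, which is nil when `errorList` is empty, so if the loop exits with `verifiedCount < requiredCount` without any entry error (for instance a `count` larger than the number of entries, unless validation elsewhere rules that out) the webhook panics here, where the removed line merely logged an empty list. Log the error value and let the logger format it: `iv.logger.Info("image attestors verification failed", "verifiedCount", verifiedCount, "requiredCount", requiredCount, "errors", err)`, or keep logging `errorList`. verifyAttestorSet starts before this hunk.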
@@ -504,33 +580,29 @@ func makeAddDigestPatch(imageInfo apiutils.ImageInfo, digest string) ([]byte, er return json.Marshal(patch) } -func (iv *imageVerifier) verifyAttestations(statements []map[string]interface{}, imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) error { +func (iv *imageVerifier) verifyAttestation(statements []map[string]interface{}, attestation kyvernov1.Attestation, imageInfo apiutils.ImageInfo) error { image := imageInfo.String() statementsByPredicate, types := buildStatementMap(statements) iv.logger.V(4).Info("checking attestations", "predicates", types, "image", image) - for _, ac := range imageVerify.Attestations { - statements := statementsByPredicate[ac.PredicateType] - if statements == nil { - iv.logger.Info("attestation predicate type not found", "type", ac.PredicateType, "predicates", types, "image", imageInfo.String()) - return fmt.Errorf("predicate type %s not found", ac.PredicateType) + statements = statementsByPredicate[attestation.PredicateType] + if statements == nil { + iv.logger.Info("attestation predicate type not found", "type", attestation.PredicateType, "predicates", types, "image", imageInfo.String()) + return fmt.Errorf("predicate type %s not found", attestation.PredicateType) + } + + for _, s := range statements { + iv.logger.Info("checking attestation", "predicates", types, "image", imageInfo.String()) + val, err := iv.checkAttestations(attestation, s) + if err != nil { + return errors.Wrap(err, "failed to check attestations") } - iv.logger.Info("checking attestation", "predicates", types, "image", imageInfo.String()) - - for _, s := range statements { - val, err := iv.checkAttestations(ac, s) - if err != nil { - return errors.Wrap(err, "failed to check attestations") - } - - if !val { - return fmt.Errorf("attestation checks failed for %s and predicate %s", imageInfo.String(), ac.PredicateType) - } + if !val { + return fmt.Errorf("attestation checks failed for %s and predicate %s", imageInfo.String(), 
attestation.PredicateType) } } - iv.logger.V(3).Info("attestation checks passed", "image", imageInfo.String()) return nil } diff --git a/pkg/engine/imageVerify_test.go b/pkg/engine/imageVerify_test.go index cffb300d79..d4f03bc247 100644 --- a/pkg/engine/imageVerify_test.go +++ b/pkg/engine/imageVerify_test.go @@ -150,7 +150,9 @@ func Test_CosignMockAttest(t *testing.T) { er, ivm := VerifyAndPatchImages(policyContext) assert.Equal(t, len(er.PolicyResponse.Rules), 1) - assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusPass) + assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusPass, + fmt.Sprintf("expected: %v, got: %v, failure: %v", + response.RuleStatusPass, er.PolicyResponse.Rules[0].Status, er.PolicyResponse.Rules[0].Message)) assert.Equal(t, ivm.IsEmpty(), false) assert.Equal(t, ivm.isVerified("ghcr.io/jimbugwadia/pause2:latest"), true) } diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml new file mode 100644 index 0000000000..0377e9a1d5 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-slsa-attestations-pass-1 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml new file mode 100644 index 0000000000..234b9ecd1f --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml 
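Review bot: `statements = statementsByPredicate[attestation.PredicateType]` reuses the parameter name for the filtered subset, so within verifyAttestation `statements` means both the full list passed in and the matching ones; a separate local such as `matching := statementsByPredicate[attestation.PredicateType]` keeps the two apart. The `checking attestation` Info log has moved into the per-statement loop and now fires once per statement at the default verbosity; `V(4)`, as used for `checking attestations` just above it, or a single log before the loop would avoid the noise. The function's closing brace is the last line of this hunk.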
@@ -0,0 +1,35 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-slsa-attestations-pass-1 + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: enforce + webhookTimeoutSeconds: 30 + background: false + rules: + - name: check-builder-id-keyless-pass-1 + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "ghcr.io/chipzoller/zulu*" + attestations: + - predicateType: https://slsa.dev/provenance/v0.2 + attestors: + - entries: + - keyless: + subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main" + issuer: "https://token.actions.githubusercontent.com" + rekor: + url: https://rekor.sigstore.dev + conditions: + - all: + - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}" + operator: Equals + value: true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml new file mode 100644 index 0000000000..79cb2b586b --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}' + name: zulu + namespace: default +spec: + containers: + - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db + name: zulu \ No newline at end of file 
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml new file mode 100644 index 0000000000..f5619b6873 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: zulu + namespace: default +spec: + containers: + - image: ghcr.io/chipzoller/zulu:v0.0.14 + name: zulu \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/99-cleanup.yaml new file mode 100644 index 0000000000..1f710a50a6 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/README.md new file mode 100644 index 0000000000..e5f74ea6f0 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/README.md 
@@ -0,0 +1,11 @@ +## Description + +Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes. + +## Expected Behavior + +Given the defined predicateType, the image's subject and issuer match as well as the attestation specified in the conditions block. The pod creation should pass. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/4847 diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml new file mode 100644 index 0000000000..ab5f8349bc --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-slsa-attestations-pass-2 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml new file mode 100644 index 0000000000..14bed0aeae --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml 
@@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-slsa-attestations-pass-2 + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: enforce + webhookTimeoutSeconds: 30 + background: false + rules: + - name: check-builder-id-keyless + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "ghcr.io/chipzoller/zulu*" + attestations: + - predicateType: cosign.sigstore.dev/attestation/vuln/v1 + attestors: + - entries: + - keyless: + subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main" + issuer: "https://token.actions.githubusercontent.com" + rekor: + url: https://rekor.sigstore.dev + conditions: + - all: + - key: "{{ regex_match('^pkg:github/aquasecurity/trivy@0.34.0','{{ scanner.uri }}') }}" + operator: Equals + value: true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml new file mode 100644 index 0000000000..79cb2b586b --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}' + name: zulu + namespace: default +spec: + containers: + - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db + name: zulu \ No newline at end of file 
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml new file mode 100644 index 0000000000..f5619b6873 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: zulu + namespace: default +spec: + containers: + - image: ghcr.io/chipzoller/zulu:v0.0.14 + name: zulu \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/99-cleanup.yaml new file mode 100644 index 0000000000..1f710a50a6 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/README.md new file mode 100644 index 0000000000..710581b1c8 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/README.md 
@@ -0,0 +1,11 @@ +## Description + +Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes. + +## Expected Behavior + +Given another defined predicateType, the image's subject and issuer match as well as the attestation specified in the conditions block. The pod creation should pass. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/4847 diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml new file mode 100644 index 0000000000..cb2b58a3b7 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-slsa-attestations-fail-1 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml new file mode 100644 index 0000000000..80c8febe2b --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml 
@@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-slsa-attestations-fail-1 + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: enforce + webhookTimeoutSeconds: 30 + background: false + rules: + - name: check-builder-id-keyless-fail-1 + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "ghcr.io/chipzoller/zulu*" + attestations: + - predicateType: cosign.sigstore.dev/attestation/vuln/v1 + attestors: + - entries: + - keyless: + subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main" + issuer: "https://token.actions.githubusercontent.com" + rekor: + url: https://rekor.sigstore.dev + conditions: + - all: + - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}" + operator: Equals + value: true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-script.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-script.yaml new file mode 100644 index 0000000000..0b044d4860 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-script.yaml @@ -0,0 +1,14 @@ +## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect. + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + if kubectl apply -f pod.yaml + then + echo "Tested failed. Resource was allowed." + exit 1 + else + echo "Test succeeded. Resource was blocked." + exit 0 + fi \ No newline at end of file 
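Review bot: The echo on the failure branch of 02-script.yaml reads `Tested failed. Resource was allowed.` and should read `Test failed. Resource was allowed.`. The leading comment says the step checks that `manifests.yaml` cannot be created, while the script applies `pod.yaml`; align it with the file actually applied, e.g. `## Checks that pod.yaml CANNOT be created. If it can, fail the test.`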
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml new file mode 100644 index 0000000000..7d6170cd20 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: zulu + namespace: default \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/99-cleanup.yaml new file mode 100644 index 0000000000..15c3c49051 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/README.md new file mode 100644 index 0000000000..3d963c9ee7 --- /dev/null +++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/README.md 
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given the defined predicateType, the image's subject and issuer for this predicateType does not match. The pod creation should be blocked.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml
new file mode 100644
index 0000000000..e61e72b07b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-4
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml
new file mode 100644
index 0000000000..353f0db4c0
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ name: check-slsa-attestations-pass-4
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless
+ verifyImages:
+ - attestations:
+ - conditions:
+ - all:
+ - key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
+ builder.id}}'') }}'
+ operator: Equals
+ value: true
+ predicateType: https://slsa.dev/provenance/v0.2
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ validationFailureAction: enforce
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml
new file mode 100644
index 0000000000..669073222c
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
+ name: zulu
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml
new file mode 100644
index 0000000000..921f8ee747
--- /dev/null
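Review bot: The check-slsa-attestations-pass-4 policy in 01-manifests.yaml declares neither a rule-level `attestors` list nor `attestations.attestors`, yet the 02-assert expects the pod to be admitted and annotated as verified, so this test pins a mode in which the predicate condition on `builder.id` is evaluated without the policy naming any identity that must have signed the provenance attestation. If the engine verifies the attestation signature against some implicit trust root in this case, the manifest should say so in a comment, because a reader cannot tell from the policy what signer was trusted; if it merely fetches the attestation and evaluates the predicate, the condition is checking unauthenticated content and the safer expected outcome would be a policy validation error rather than admission. A short comment above `- attestations:` such as `# no attestors: attestation signatures are checked against <describe what the engine trusts here>` would make the intent explicit, or the test could add an `attestors` entry and move the "attestor optional" case to one that states the verification source.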
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/99-cleanup.yaml
new file mode 100644
index 0000000000..1f710a50a6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/README.md
new file mode 100644
index 0000000000..2538fe6ed0
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/README.md
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+`attestations.attestor` is optional. The pod creation should be allowed with the valid attestations.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml
new file mode 100644
index 0000000000..73fe2f59e3
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-3
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml
new file mode 100644
index 0000000000..8f2c26f337
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml
@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-3
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - predicateType: https://slsa.dev/provenance/v0.2
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ count: 1
+ conditions:
+ - all:
+ - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
+ operator: Equals
+ value: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml
new file mode 100644
index 0000000000..79cb2b586b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/99-cleanup.yaml
new file mode 100644
index 0000000000..1f710a50a6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/README.md
new file mode 100644
index 0000000000..70ce0f9413
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/README.md
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given the defined predicateType, the matching attestor entries must greater than or equal to the count specified in the rule. This test has one valid attestor so the pod creation should be allowed.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml
new file mode 100644
index 0000000000..05b4f2c4d8
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-2
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml
new file mode 100644
index 0000000000..8c20fc7019
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml
@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-2
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - predicateType: https://slsa.dev/provenance/v0.2
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ count: 2
+ conditions:
+ - all:
+ - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
+ operator: Equals
+ value: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-script.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-script.yaml
new file mode 100644
index 0000000000..0b044d4860
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-script.yaml
@@ -0,0 +1,14 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl apply -f pod.yaml
+ then
+ echo "Tested failed. Resource was allowed."
+ exit 1
+ else
+ echo "Test succeeded. Resource was blocked."
+ exit 0
+ fi
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml
new file mode 100644
index 0000000000..7d6170cd20
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/99-cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/README.md
new file mode 100644
index 0000000000..7a82b5e3df
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/README.md
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given the defined predicateType, the matching attestor entries must greater than or equal to the count specified in the rule. This test has one valid attestor which is less than the specified count, so the pod creation should be blocked.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml
new file mode 100644
index 0000000000..1df5237d8d
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-3
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml
new file mode 100644
index 0000000000..b6934c8d81
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml
@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-3
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - predicateType: https://slsa.dev/provenance/v0.2
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ conditions:
+ - all:
+ - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
+ operator: Equals
+ value: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-script.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-script.yaml
new file mode 100644
index 0000000000..0b044d4860
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-script.yaml
@@ -0,0 +1,14 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl apply -f pod.yaml
+ then
+ echo "Tested failed. Resource was allowed."
+ exit 1
+ else
+ echo "Test succeeded. Resource was blocked."
+ exit 0
+ fi
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml
new file mode 100644
index 0000000000..7d6170cd20
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/99-cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/README.md
new file mode 100644
index 0000000000..adac99649e
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/README.md
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given the defined predicateType, all attestor entries must be valid if the count is not specified. This test only has one valid attestor so the pod creation should be blocked.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file