mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00
Code Activity

feat: add full regexp support to cosign (#10815)

Browse source 
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
This commit is contained in:
Vishal Choudhary 2024-08-16 12:33:59 +05:30 committed by GitHub
parent 5a60836279
commit f69ffe12ec
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 1377 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
api/kyverno/v1/image_verification_types.go
View file

@ -256,10 +256,18 @@ type KeylessAttestor struct {
// +kubebuilder:validation:Optional
Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
// IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.
// +kubebuilder:validation:Optional
IssuerRegExp string `json:"issuerRegExp,omitempty" yaml:"issuerRegExp,omitempty"`
// Subject is the verified identity used for keyless signing, for example the email address.
// +kubebuilder:validation:Optional
Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
// SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.
// +kubebuilder:validation:Optional
SubjectRegExp string `json:"subjectRegExp,omitempty" yaml:"subjectRegExp,omitempty"`
// Roots is an optional set of PEM encoded trusted root certificates.
// If not provided, the system roots are used.
// +kubebuilder:validation:Optional

136
charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
View file

@ -3169,6 +3169,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3200,6 +3205,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -3669,6 +3680,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3700,6 +3716,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -4046,6 +4068,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -4076,6 +4103,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -7539,6 +7572,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -7570,6 +7608,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -8044,6 +8088,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8077,6 +8127,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -8427,6 +8484,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8458,6 +8520,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -11713,6 +11781,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -11744,6 +11817,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12202,6 +12281,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12233,6 +12317,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12579,6 +12669,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12609,6 +12704,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -16052,6 +16153,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16083,6 +16189,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -16557,6 +16669,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16590,6 +16708,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -16940,6 +17065,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16971,6 +17101,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more

136
charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
View file

@ -3170,6 +3170,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3201,6 +3206,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -3670,6 +3681,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3701,6 +3717,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -4047,6 +4069,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -4077,6 +4104,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -7541,6 +7574,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -7572,6 +7610,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -8046,6 +8090,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8079,6 +8129,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -8429,6 +8486,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8460,6 +8522,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -11716,6 +11784,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -11747,6 +11820,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12205,6 +12284,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12236,6 +12320,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12582,6 +12672,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12612,6 +12707,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -16055,6 +16156,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16086,6 +16192,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -16560,6 +16672,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16593,6 +16711,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -16943,6 +17068,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16974,6 +17104,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more

136
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
View file

@ -3163,6 +3163,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3194,6 +3199,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -3663,6 +3674,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3694,6 +3710,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -4040,6 +4062,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -4070,6 +4097,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -7533,6 +7566,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -7564,6 +7602,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -8038,6 +8082,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8071,6 +8121,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -8421,6 +8478,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8452,6 +8514,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -11707,6 +11775,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -11738,6 +11811,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12196,6 +12275,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12227,6 +12311,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12573,6 +12663,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12603,6 +12698,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -16046,6 +16147,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16077,6 +16183,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -16551,6 +16663,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16584,6 +16702,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -16934,6 +17059,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16965,6 +17095,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more

136
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
View file

@ -3164,6 +3164,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3195,6 +3200,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -3664,6 +3675,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3695,6 +3711,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -4041,6 +4063,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -4071,6 +4098,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -7535,6 +7568,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -7566,6 +7604,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -8040,6 +8084,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8073,6 +8123,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -8423,6 +8480,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8454,6 +8516,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -11710,6 +11778,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -11741,6 +11814,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12199,6 +12278,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12230,6 +12314,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12576,6 +12666,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12606,6 +12701,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -16049,6 +16150,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16080,6 +16186,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -16554,6 +16666,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16587,6 +16705,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -16937,6 +17062,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16968,6 +17098,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more

136
config/crds/kyverno/kyverno.io_clusterpolicies.yaml
View file

@ -3163,6 +3163,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3194,6 +3199,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -3663,6 +3674,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3694,6 +3710,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -4040,6 +4062,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -4070,6 +4097,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -7533,6 +7566,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -7564,6 +7602,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -8038,6 +8082,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8071,6 +8121,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -8421,6 +8478,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8452,6 +8514,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -11707,6 +11775,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -11738,6 +11811,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12196,6 +12275,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12227,6 +12311,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12573,6 +12663,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12603,6 +12698,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -16046,6 +16147,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16077,6 +16183,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -16551,6 +16663,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16584,6 +16702,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -16934,6 +17059,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16965,6 +17095,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more

136
config/crds/kyverno/kyverno.io_policies.yaml
View file

@ -3164,6 +3164,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3195,6 +3200,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -3664,6 +3675,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -3695,6 +3711,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -4041,6 +4063,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -4071,6 +4098,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -7535,6 +7568,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -7566,6 +7604,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -8040,6 +8084,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8073,6 +8123,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -8423,6 +8480,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8454,6 +8516,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -11710,6 +11778,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -11741,6 +11814,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12199,6 +12278,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12230,6 +12314,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -12576,6 +12666,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12606,6 +12701,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -16049,6 +16150,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16080,6 +16186,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -16554,6 +16666,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16587,6 +16705,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -16937,6 +17062,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16968,6 +17098,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more

272
config/install-latest-testing.yaml
View file

@ -8361,6 +8361,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8392,6 +8397,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -8861,6 +8872,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -8892,6 +8908,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -9238,6 +9260,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -9268,6 +9295,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -12731,6 +12764,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -12762,6 +12800,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -13236,6 +13280,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -13269,6 +13319,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -13619,6 +13676,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -13650,6 +13712,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -16905,6 +16973,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -16936,6 +17009,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -17394,6 +17473,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -17425,6 +17509,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -17771,6 +17861,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -17801,6 +17896,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -21244,6 +21345,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -21275,6 +21381,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -21749,6 +21861,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -21782,6 +21900,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -22132,6 +22257,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -22163,6 +22293,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -25927,6 +26063,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -25958,6 +26099,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -26427,6 +26574,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -26458,6 +26610,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -26804,6 +26962,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -26834,6 +26997,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -30298,6 +30467,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -30329,6 +30503,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -30803,6 +30983,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -30836,6 +31022,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -31186,6 +31379,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -31217,6 +31415,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -34473,6 +34677,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -34504,6 +34713,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used
for keyless signing, for example the
email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -34962,6 +35177,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -34993,6 +35213,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -35339,6 +35565,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate issuer
used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -35369,6 +35600,12 @@ spec:
used for keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the regular
expression to match identity used for
keyless signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one or more public
@ -38812,6 +39049,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the
regular expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -38843,6 +39085,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for
example the email address.
type: string
type: object
keys:
description: Keys specifies one or more
@ -39317,6 +39565,12 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is
the regular expression to
match certificate issuer used
for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -39350,6 +39604,13 @@ spec:
keyless signing, for example
the email address.
type: string
subjectRegExp:
description: SubjectRegExp is
the regular expression to
match identity used for keyless
signing, for example the email
address.
type: string
type: object
keys:
description: Keys specifies one
@ -39700,6 +39961,11 @@ spec:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
issuerRegExp:
description: IssuerRegExp is the regular
expression to match certificate
issuer used for keyless signing.
type: string
rekor:
description: |-
Rekor provides configuration for the Rekor transparency log service. If an empty object
@ -39731,6 +39997,12 @@ spec:
identity used for keyless signing,
for example the email address.
type: string
subjectRegExp:
description: SubjectRegExp is the
regular expression to match identity
used for keyless signing, for example
the email address.
type: string
type: object
keys:
description: Keys specifies one or more

22
docs/user/crd/index.html
View file

@ -2700,6 +2700,17 @@ string
</tr>
<tr>
<td>
<code>issuerRegExp</code><br/>
<em>
string
</em>
</td>
<td>
<p>IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.</p>
</td>
</tr>
<tr>
<td>
<code>subject</code><br/>
<em>
string
@ -2711,6 +2722,17 @@ string
</tr>
<tr>
<td>
<code>subjectRegExp</code><br/>
<em>
string
</em>
</td>
<td>
<p>SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.</p>
</td>
</tr>
<tr>
<td>
<code>roots</code><br/>
<em>
string

58
docs/user/crd/kyverno.v1.html
View file

@ -5436,6 +5436,35 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used
<tr>
<td><code>issuerRegExp</code>
<span style="color:blue;"> *</span>
</br>
<span style="font-family: monospace">string</span>
</td>
<td>
<p>IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.</p>
</td>
</tr>
<tr>
<td><code>subject</code>
@ -5465,6 +5494,35 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used
<tr>
<td><code>subjectRegExp</code>
<span style="color:blue;"> *</span>
</br>
<span style="font-family: monospace">string</span>
</td>
<td>
<p>SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.</p>
</td>
</tr>
<tr>
<td><code>roots</code>

18
pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go
View file

@ -24,7 +24,9 @@ type KeylessAttestorApplyConfiguration struct {
Rekor *RekorApplyConfiguration `json:"rekor,omitempty"`
CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"`
Issuer *string `json:"issuer,omitempty"`
IssuerRegExp *string `json:"issuerRegExp,omitempty"`
Subject *string `json:"subject,omitempty"`
SubjectRegExp *string `json:"subjectRegExp,omitempty"`
Roots *string `json:"roots,omitempty"`
AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty"`
}
@ -59,6 +61,14 @@ func (b *KeylessAttestorApplyConfiguration) WithIssuer(value string) *KeylessAtt
return b
}
// WithIssuerRegExp sets the IssuerRegExp field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the IssuerRegExp field is set to the value of the last call.
func (b *KeylessAttestorApplyConfiguration) WithIssuerRegExp(value string) *KeylessAttestorApplyConfiguration {
b.IssuerRegExp = &value
return b
}
// WithSubject sets the Subject field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Subject field is set to the value of the last call.
@ -67,6 +77,14 @@ func (b *KeylessAttestorApplyConfiguration) WithSubject(value string) *KeylessAt
return b
}
// WithSubjectRegExp sets the SubjectRegExp field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the SubjectRegExp field is set to the value of the last call.
func (b *KeylessAttestorApplyConfiguration) WithSubjectRegExp(value string) *KeylessAttestorApplyConfiguration {
b.SubjectRegExp = &value
return b
}
// WithRoots sets the Roots field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Roots field is set to the value of the last call.

68
pkg/cosign/cosign.go
View file

@ -8,6 +8,7 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
"regexp"
"strings"
"github.com/google/go-containerregistry/pkg/name"
@ -74,7 +75,7 @@ func (v *cosignVerifier) VerifySignature(ctx context.Context, opts images.Option
return nil, err
}
if err := matchSignatures(signatures, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
if err := matchSignatures(signatures, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil {
return nil, err
}
@ -308,7 +309,7 @@ func (v *cosignVerifier) FetchAttestations(ctx context.Context, opts images.Opti
continue
}
if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil {
return nil, err
}
}
@ -500,7 +501,7 @@ func extractDigest(imgRef string, payload []payload.SimpleContainerImage) (strin
return "", fmt.Errorf("digest not found for %s", imgRef)
}
func matchSignatures(signatures []oci.Signature, subject, issuer string, extensions map[string]string) error {
func matchSignatures(signatures []oci.Signature, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error {
if subject == "" && issuer == "" && len(extensions) == 0 {
return nil
}
@ -516,7 +517,7 @@ func matchSignatures(signatures []oci.Signature, subject, issuer string, extensi
return fmt.Errorf("certificate not found")
}
if err := matchCertificateData(cert, subject, issuer, extensions); err != nil {
if err := matchCertificateData(cert, subject, subjectRegExp, issuer, issuerRegExp, extensions); err != nil {
errs = append(errs, err)
} else {
// only one signature certificate needs to match the required subject, issuer, and extensions
@ -532,31 +533,66 @@ func matchSignatures(signatures []oci.Signature, subject, issuer string, extensi
return fmt.Errorf("invalid signature")
}
func matchCertificateData(cert *x509.Certificate, subject, issuer string, extensions map[string]string) error {
if subject != "" {
s := ""
func matchCertificateData(cert *x509.Certificate, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error {
if subject != "" || subjectRegExp != "" {
if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 {
s = sans[0]
}
if !wildcard.Match(subject, s) {
return fmt.Errorf("subject mismatch: expected %s, received %s", subject, s)
subjectMatched := false
if subject != "" {
for _, s := range sans {
if wildcard.Match(subject, s) {
subjectMatched = true
break
}
}
}
if subjectRegExp != "" {
regex, err := regexp.Compile(subjectRegExp)
if err != nil {
return fmt.Errorf("invalid regexp for subject: %s : %w", subjectRegExp, err)
}
for _, s := range sans {
if regex.MatchString(s) {
subjectMatched = true
break
}
}
}
if !subjectMatched {
sub := ""
if subject != "" {
sub = subject
} else if subjectRegExp != "" {
sub = subjectRegExp
}
return fmt.Errorf("subject mismatch: expected %s, received %s", sub, strings.Join(sans, ", "))
}
}
}
if err := matchExtensions(cert, issuer, extensions); err != nil {
if err := matchExtensions(cert, issuer, issuerRegExp, extensions); err != nil {
return err
}
return nil
}
func matchExtensions(cert *x509.Certificate, issuer string, extensions map[string]string) error {
func matchExtensions(cert *x509.Certificate, issuer, issuerRegExp string, extensions map[string]string) error {
ce := cosign.CertExtensions{Cert: cert}
if issuer != "" {
if issuer != "" || issuerRegExp != "" {
val := ce.GetIssuer()
if !wildcard.Match(issuer, val) {
return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val)
if issuer != "" {
if !wildcard.Match(issuer, val) {
return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val)
}
}
if issuerRegExp != "" {
if regex, err := regexp.Compile(issuerRegExp); err != nil {
return fmt.Errorf("invalid regexp for issuer: %s : %w", issuerRegExp, err)
} else if !regex.MatchString(val) {
return fmt.Errorf("issuer mismatch: expected %s, received %s", issuerRegExp, val)
}
}
}

53
pkg/cosign/cosign_test.go
View file

@ -227,7 +227,10 @@ func TestCosignMatchCertificateData(t *testing.T) {
assert.NilError(t, err)
subject1 := "https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/*"
subject1RegExp := `https://github\.com/JimBugwadia/demo-java-tomcat/.+`
issuer1 := "https://token.actions.githubusercontent.com"
issuer1RegExp := `https://token\.actions\..+`
extensions := map[string]string{
"githubWorkflowTrigger": "push",
"githubWorkflowSha": "c7645284fa7aebe554618eee879b4d6947f8564e",
@ -235,20 +238,41 @@ func TestCosignMatchCertificateData(t *testing.T) {
"githubWorkflowRepository": "JimBugwadia/demo-java-tomcat",
}
matchErr := matchCertificateData(cert1, subject1, issuer1, extensions)
matchErr := matchCertificateData(cert1, subject1, "", issuer1, "", extensions)
assert.NilError(t, matchErr)
matchErr = matchCertificateData(cert1, "", issuer1, extensions)
matchErr = matchCertificateData(cert1, "", "", issuer1, "", extensions)
assert.NilError(t, matchErr)
matchErr = matchCertificateData(cert1, subject1, issuer1, nil)
matchErr = matchCertificateData(cert1, subject1, "", issuer1, "", nil)
assert.NilError(t, matchErr)
matchErr = matchCertificateData(cert1, "wrong-subject", issuer1, extensions)
matchErr = matchCertificateData(cert1, "", subject1RegExp, "", issuer1RegExp, nil)
assert.NilError(t, matchErr)
matchErr = matchCertificateData(cert1, "", "", "", issuer1RegExp, nil)
assert.NilError(t, matchErr)
matchErr = matchCertificateData(cert1, subject1, subject1RegExp, issuer1, issuer1RegExp, nil)
assert.NilError(t, matchErr)
matchErr = matchCertificateData(cert1, "", `^wrong-regex$`, issuer1, issuer1RegExp, nil)
assert.Error(t, matchErr, "subject mismatch: expected ^wrong-regex$, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22")
matchErr = matchCertificateData(cert1, "", "", "", `^wrong-regex$`, nil)
assert.Error(t, matchErr, "issuer mismatch: expected ^wrong-regex$, received https://token.actions.githubusercontent.com")
matchErr = matchCertificateData(cert1, "wrong-subject", "", issuer1, "", extensions)
assert.Error(t, matchErr, "subject mismatch: expected wrong-subject, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22")
matchErr = matchCertificateData(cert1, "", "*", "", issuer1RegExp, nil)
assert.Error(t, matchErr, "invalid regexp for subject: * : error parsing regexp: missing argument to repetition operator: `*`")
matchErr = matchCertificateData(cert1, "", subject1RegExp, "", "?", nil)
assert.Error(t, matchErr, "invalid regexp for issuer: ? : error parsing regexp: missing argument to repetition operator: `?`")
extensions["githubWorkflowTrigger"] = "pull"
matchErr = matchCertificateData(cert1, subject1, issuer1, extensions)
matchErr = matchCertificateData(cert1, subject1, "", issuer1, "", extensions)
assert.Error(t, matchErr, "extension mismatch: expected pull for key githubWorkflowTrigger, received push")
}
@ -431,17 +455,28 @@ func TestCosignMatchSignatures(t *testing.T) {
}
subject2 := "*@nirmata.com"
subject2RegExp := `.+@nirmata\.com`
issuer2 := "https://github.com/login/oauth"
issuer2RegExp := `https://github\.com/login/.+`
matchErr := matchSignatures(sigs, subject1, issuer1, extensions)
matchErr := matchSignatures(sigs, subject1, "", issuer1, "", extensions)
assert.NilError(t, matchErr)
matchErr = matchSignatures(sigs, subject2, issuer2, nil)
matchErr = matchSignatures(sigs, subject2, "", issuer2, "", nil)
assert.NilError(t, matchErr)
matchErr = matchSignatures(sigs, subject2, issuer1, nil)
matchErr = matchSignatures(sigs, "", subject2RegExp, issuer2, "", nil)
assert.NilError(t, matchErr)
matchErr = matchSignatures(sigs, "", "", "", issuer2RegExp, nil)
assert.NilError(t, matchErr)
matchErr = matchSignatures(sigs, subject2, "", issuer1, "", nil)
assert.Error(t, matchErr, "subject mismatch: expected *@nirmata.com, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22; issuer mismatch: expected https://token.actions.githubusercontent.com, received https://github.com/login/oauth")
matchErr = matchSignatures(sigs, subject2, issuer2, extensions)
matchErr = matchSignatures(sigs, "", subject2RegExp, issuer1, "", nil)
assert.Error(t, matchErr, `subject mismatch: expected .+@nirmata\.com, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22; issuer mismatch: expected https://token.actions.githubusercontent.com, received https://github.com/login/oauth`)
matchErr = matchSignatures(sigs, subject2, "", issuer2, "", extensions)
assert.ErrorContains(t, matchErr, "extension mismatch")
}

2
pkg/engine/internal/imageverifier.go
View file

@ -639,7 +639,9 @@ func (iv *ImageVerifier) buildCosignVerifier(
opts.Roots = attestor.Keyless.Roots
opts.Issuer = attestor.Keyless.Issuer
opts.IssuerRegExp = attestor.Keyless.IssuerRegExp
opts.Subject = attestor.Keyless.Subject
opts.SubjectRegExp = attestor.Keyless.SubjectRegExp
opts.AdditionalExtensions = attestor.Keyless.AdditionalExtensions
}

2
pkg/images/verifier.go
View file

@ -29,7 +29,9 @@ type Options struct {
CertChain string
Roots string
Subject string
SubjectRegExp string
Issuer string
IssuerRegExp string
AdditionalExtensions map[string]string
Annotations map[string]string
Repository string

8
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md Normal file
View file

@ -0,0 +1,8 @@
## Description
Verify image attestations with regexp subject
## Expected Behavior
The pod creation should pass.

21
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: keyless-attestation-invalid-attestor
spec:
timeouts:
delete: 2m
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- apply:
file: pod.yaml
- assert:
file: pod-assert.yaml

5
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default

9
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: zulu
namespace: default
spec:
containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14
name: zulu

7
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml Normal file
View file

@ -0,0 +1,7 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-invalid-attestors-in-attestations
annotations:
pod-policies.kyverno.io/autogen-controllers: none

33
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml Normal file
View file

@ -0,0 +1,33 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-invalid-attestors-in-attestations
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
webhookTimeoutSeconds: 30
background: false
rules:
- name: check-invalid-attestation-attestor
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- validationFailureAction: Enforce
imageReferences:
- "ghcr.io/chipzoller/zulu*"
attestations:
- type: https://slsa.dev/provenance/v0.2
attestors:
- count: 1
entries:
- keyless:
subjectRegExp: https://github\.com/slsa-framework/slsa-github-generator/\.github/workflows/generator_container_slsa3\.yml@.+
issuerRegExp: https://token\.actions\.githubusercontent.+
rekor:
url: https://rekor.sigstore.dev
ctlog:
ignoreSCT: true