--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: (devel) name: imageverificationpolicies.policies.kyverno.io spec: group: policies.kyverno.io names: categories: - kyverno kind: ImageVerificationPolicy listKind: ImageVerificationPolicyList plural: imageverificationpolicies shortNames: - ivpol singular: imageverificationpolicy scope: Cluster versions: - name: v1alpha1 schema: openAPIV3Schema: properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: ImageVerificationPolicySpec is the specification of the desired behavior of the ImageVerificationPolicy. properties: attestations: description: Attestations provides a list of image metadata to verify items: description: Attestation defines the identification details of the metadata that has to be verified properties: intoto: description: InToto defines the details of attestation attached using intoto format properties: type: description: Type defines the type of attestation contained within the statement. type: string required: - type type: object name: description: Name is the name for this attestation. 
It is used to refer to the attestation in verification type: string referrer: description: Referrer defines the details of attestation attached using OCI 1.1 format properties: type: description: Type defines the type of attestation attached to the image. type: string required: - type type: object required: - name type: object type: array attestors: description: Attestors provides a list of trusted authorities. items: description: Attestor is an identity that confirms or verifies the authenticity of an image or an attestation properties: cosign: description: Cosign defines attestor configuration for Cosign based signatures properties: annotations: additionalProperties: type: string description: |- Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. type: object certificate: description: Certificate defines the configuration for local signature verification properties: cert: description: Certificate is the public certificate used for local signature verification. type: string certChain: description: |- CertificateChain is the list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate type: string type: object ctlog: description: CTLog sets the configuration to verify the authority against a Rekor instance. properties: ctLogPubKey: description: CTLogPubKey, if set, is used to validate SCTs against a custom source. type: string insecureIgnoreSCT: description: |- InsecureIgnoreSCT, if true, skips checking the Signed Certificate Timestamp (SCT) that proves the signing certificate was logged. Default is false. Set to true only if SCT embedding was opted out of during signing. type: boolean insecureIgnoreTlog: description: InsecureIgnoreTlog skips transparency log verification.
type: boolean rekorPubKey: description: |- RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor. type: string tsaCertChain: description: |- TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp response. type: string url: description: URL sets the URL of the Rekor instance (by default the public rekor.sigstore.dev) type: string type: object key: description: Key defines the type of key to validate the image. properties: data: description: Data contains the inline public key type: string hashAlgorithm: description: |- HashAlgorithm specifies the hash algorithm used when verifying signatures with public keys. Supported values are sha224, sha256, sha384 and sha512. Defaults to sha256. type: string kms: description: |- KMS contains the KMS URL of the public key. Supported formats differ based on the KMS system used. type: string secretRef: description: SecretRef sets a reference to a secret with the key. properties: name: description: name is unique within a namespace to reference a secret resource. type: string namespace: description: namespace defines the space within which the secret name must be unique. type: string type: object x-kubernetes-map-type: atomic type: object keyless: description: Keyless sets the configuration to verify the authority against a Fulcio instance. properties: identities: description: Identities sets a list of identities. items: description: |- Identity may contain the issuer and/or the subject found in the transparency log. Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp apply a regexp for matching. properties: issuer: description: Issuer defines the issuer for this identity.
type: string issuerRegExp: description: IssuerRegExp specifies a regular expression to match the issuer for this identity. type: string subject: description: Subject defines the subject for this identity. type: string subjectRegExp: description: SubjectRegExp specifies a regular expression to match the subject for this identity. type: string type: object type: array roots: description: |- Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. type: string required: - identities type: object source: description: Sources sets the configuration to specify the sources from where to consume the signature and attestations. properties: PullSecrets: description: |- SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source. items: description: |- LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. properties: name: default: "" description: |- Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string type: object x-kubernetes-map-type: atomic type: array repository: description: Repository defines the location from where to pull the signature / attestations. type: string tagPrefix: description: |- TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these. 
type: string type: object tuf: description: TUF defines the configuration to fetch sigstore root properties: mirror: description: Mirror is the base URL of Sigstore TUF repository type: string root: description: Root defines the path or data of the trusted root properties: data: description: Data is the base64 encoded TUF root type: string path: description: Path is the URL or File location of the TUF root type: string type: object type: object type: object name: description: Name is the name for this attestor. It is used to refer to the attestor in verification type: string notary: description: Notary defines attestor configuration for Notary based signatures properties: certs: description: Certs define the cert chain for Notary signature verification type: string tsaCerts: description: TSACerts define the cert chain for verifying timestamps of notary signature type: string required: - certs type: object required: - name type: object type: array credentials: description: Credentials provides credentials that will be used for authentication with registry. properties: allowInsecureRegistry: description: AllowInsecureRegistry allows insecure access to a registry. type: boolean providers: description: |- Providers specifies a list of OCI Registry names, whose authentication providers are provided. It can be of one of these values: default,google,azure,amazon,github. items: description: CredentialsProvidersType provides the list of credential providers required. enum: - default - amazon - azure - google - github type: string type: array secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object failurePolicy: description: |- FailurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings. 
type: string imageRules: description: |- ImageRules is a list of Glob and CEL expressions to match images. Any image that matches one of the rules is considered for validation. Any image that does not match a rule is skipped, even when it is passed as an argument to image verification functions items: description: ImageRule defines a Glob or a CEL expression for matching images properties: cel: description: Cel defines CEL Expressions for matching images type: string glob: description: Glob defines a globbing pattern for matching images type: string type: object type: array images: description: Images is a list of CEL expressions to extract images from the resource items: properties: expression: description: Expression defines a CEL expression to extract images from the resource. type: string name: description: Name is the name for this image list. It is used to refer to the images in the verification block as images. type: string required: - expression - name type: object type: array matchConditions: description: |- MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. items: description: MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook. properties: expression: description: |- Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer.
May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Required. type: string name: description: |- Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') Required. type: string required: - expression - name type: object type: array matchConstraints: description: MatchConstraints specifies what resources this policy is designed to validate. properties: excludeResourceRules: description: |- ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded) items: description: NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames. properties: apiGroups: description: |- APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. items: type: string type: array x-kubernetes-list-type: atomic apiVersions: description: |- APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required. 
items: type: string type: array x-kubernetes-list-type: atomic operations: description: |- Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required. items: description: OperationType specifies an operation for a request. type: string type: array x-kubernetes-list-type: atomic resourceNames: description: ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. items: type: string type: array x-kubernetes-list-type: atomic resources: description: |- Resources is a list of resources this rule applies to. For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources. If wildcard is present, the validation rule will ensure resources do not overlap with each other. Depending on the enclosing object, subresources might not be allowed. Required. items: type: string type: array x-kubernetes-list-type: atomic scope: description: |- scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*". type: string type: object x-kubernetes-map-type: atomic type: array x-kubernetes-list-type: atomic matchPolicy: description: |- matchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". 
- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy. - Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy. Defaults to "Equivalent" type: string namespaceSelector: description: |- NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy. For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors. Default to the empty LabelSelector, which matches everything.
properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic objectSelector: description: |- ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. 
Default to the empty LabelSelector, which matches everything. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic resourceRules: description: |- ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule. items: description: NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames. properties: apiGroups: description: |- APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. items: type: string type: array x-kubernetes-list-type: atomic apiVersions: description: |- APIVersions is the API versions the resources belong to. 
'*' is all versions. If '*' is present, the length of the slice must be one. Required. items: type: string type: array x-kubernetes-list-type: atomic operations: description: |- Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required. items: description: OperationType specifies an operation for a request. type: string type: array x-kubernetes-list-type: atomic resourceNames: description: ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. items: type: string type: array x-kubernetes-list-type: atomic resources: description: |- Resources is a list of resources this rule applies to. For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources. If wildcard is present, the validation rule will ensure resources do not overlap with each other. Depending on the enclosing object, subresources might not be allowed. Required. items: type: string type: array x-kubernetes-list-type: atomic scope: description: |- scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*". 
type: string type: object x-kubernetes-map-type: atomic type: array x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic mutateDigest: default: true description: |- MutateDigest enables replacement of image tags with digests. Defaults to true. type: boolean required: default: true description: Required validates that images are verified, i.e. have passed a signature or attestation check. type: boolean validationActions: description: |- ValidationAction specifies the action to be taken when the matched resource violates the policy. Required. items: description: ValidationAction specifies a policy enforcement action. type: string type: array x-kubernetes-list-type: set variables: description: |- Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. items: description: Variable is the definition of a variable that is used for composition. A variable is defined as a named expression. properties: expression: description: |- Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: description: |- Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression - name type: object x-kubernetes-map-type: atomic type: array verifications: description: Verifications contain CEL expressions which are used to apply the image verification checks. items: description: Validation specifies the CEL expression which is used to apply the validation.
properties: expression: description: "Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n \ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. 
The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n \ non-intersecting keys are appended, retaining their partial order.\nRequired." type: string message: description: |- Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is "failed rule: {Rule}". e.g. "must be a URL with the host matching spec.host" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is "failed Expression: {Expression}". type: string messageExpression: description: |- messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. 
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: "object.x must be less than max ("+string(params.max)+")" type: string reason: description: |- Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression type: object type: array x-kubernetes-list-type: atomic verifyDigest: default: true description: VerifyDigest validates that images have a digest. type: boolean required: - attestors - verifications type: object required: - spec type: object served: true storage: true
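The verifications.expression description above lists the rules by which object property names are rewritten before they can be referenced from CEL ('__' becomes '__underscores__', '.' becomes '__dot__', and so on, with reserved keywords wrapped whole). The following is an added example, not Kyverno or Kubernetes code, that implements those rules so a policy author can compute the identifier for an awkwardly named field. It assumes a single left-to-right scan is the intended order of application, and it treats '-' as a literal in the accessible-name pattern, which the page's own "x-prop" example requires.

```python
"""Escape a Kubernetes object property name into the CEL identifier used to
access it, following the rules stated in the verifications.expression text.
Added example; not Kyverno or Kubernetes code."""
import re

# Accessible names per the schema text. The page writes the class as
# [a-zA-Z_.-/]; '-' is escaped here so it is a literal, as the "x-prop"
# example on the page requires.
_ACCESSIBLE = re.compile(r"^[a-zA-Z_.\-/][a-zA-Z0-9_.\-/]*$")
_RESERVED = {"true", "false", "null", "in", "as", "break", "const", "continue",
             "else", "for", "function", "if", "import", "let", "loop",
             "package", "namespace", "return"}
_CHAR_ESCAPES = {".": "__dot__", "-": "__dash__", "/": "__slash__"}


def is_accessible_property(name: str) -> bool:
    """True when CEL expressions can reach a property with this name at all."""
    return bool(_ACCESSIBLE.match(name))


def escape_cel_property(name: str) -> str:
    """Return the CEL identifier for property `name`; ValueError if inaccessible."""
    if not is_accessible_property(name):
        raise ValueError(f"property {name!r} is not accessible from CEL")
    if name in _RESERVED:          # a whole-name keyword match takes precedence
        return f"__{name}__"
    out, i = [], 0
    while i < len(name):           # assumption: one left-to-right scan
        if name.startswith("__", i):
            out.append("__underscores__")
            i += 2
        else:
            out.append(_CHAR_ESCAPES.get(name[i], name[i]))
            i += 1
    return "".join(out)


def cel_path(*segments: str) -> str:
    """Join escaped segments into a dotted CEL access path."""
    return ".".join(escape_cel_property(s) for s in segments)


if __name__ == "__main__":
    for raw in ("namespace", "x-prop", "redact__d", "a/b.c"):
        print(f"{raw!r} -> {cel_path('object', raw)}")
```

The three test vectors the schema text gives ("namespace", "x-prop", "redact__d") are the ones to check first when adapting this; a name that fails is_accessible_property cannot be reached from a verification expression at all, regardless of escaping.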
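Several fields in this schema relax verification when set a particular way: failurePolicy, validationActions, required, verifyDigest and mutateDigest at the top level; credentials.allowInsecureRegistry; matchConstraints.objectSelector (which the schema itself warns makes the policy opt-in); and, per attestor, the ctlog.insecureIgnore* flags and keyless identities whose subject or issuer regex is empty, all-matching or unanchored. The following is an added example, not Kyverno code, that lints an ImageVerificationPolicy object for those settings. Field names follow the CRD schema above; the action names Deny/Warn/Audit are assumed from Kubernetes ValidatingAdmissionPolicy, the two sample policies are constructed for illustration (only the fields the linter inspects are populated), and the substring semantics assumed for SubjectRegExp/IssuerRegExp are an assumption, not something the schema states.

```python
"""Lint an ImageVerificationPolicy for settings that weaken enforcement.
Added example, not Kyverno code. Field names follow the CRD schema; the
action names Deny/Warn/Audit are assumed from ValidatingAdmissionPolicy."""
from typing import Any, Dict, List

# Patterns that accept any identity string (constructed list, not exhaustive).
_MATCH_ALL = {"", ".*", ".+", "^.*$", "^.+$"}


def _check_regex(where: str, field: str, pattern: str, out: List[str]) -> None:
    if pattern in _MATCH_ALL:
        out.append(f"{where}: {field}={pattern!r} matches any value")
    # Assumption: matching is a search, so an unanchored pattern also accepts
    # identities that merely contain the expected string somewhere.
    elif not (pattern.startswith("^") and pattern.endswith("$")):
        out.append(f"{where}: {field}={pattern!r} is not anchored with ^ and $")


def _lint_attestor(att: Dict[str, Any], out: List[str]) -> None:
    where = f"attestors[{att.get('name', '<unnamed>')}]"
    cosign = att.get("cosign")
    if cosign is None and att.get("notary") is None:
        out.append(f"{where}: declares neither cosign nor notary, so it verifies nothing")
        return
    if cosign is None:
        return
    for flag in ("insecureIgnoreTlog", "insecureIgnoreSCT"):
        if (cosign.get("ctlog") or {}).get(flag) is True:
            out.append(f"{where}: ctlog.{flag}=true disables a transparency check")
    if not any(cosign.get(k) for k in ("key", "keyless", "certificate")):
        out.append(f"{where}: cosign has no key, keyless or certificate trust anchor")
    keyless = cosign.get("keyless") or {}
    if "keyless" in cosign and not keyless.get("identities"):
        out.append(f"{where}: keyless.identities is empty, any Fulcio certificate is accepted")
    for ident in keyless.get("identities") or []:
        if "subject" not in ident and "subjectRegExp" not in ident:
            out.append(f"{where}: identity pins an issuer but no subject")
        if "issuer" not in ident and "issuerRegExp" not in ident:
            out.append(f"{where}: identity pins a subject but no issuer")
        for field in ("subjectRegExp", "issuerRegExp"):
            if field in ident:
                _check_regex(where, field, ident[field], out)


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per setting that makes the policy easier to bypass."""
    out: List[str] = []
    spec = policy.get("spec", {})
    if spec.get("failurePolicy") == "Ignore":
        out.append("failurePolicy=Ignore: evaluation errors admit the request (fail open)")
    if "Deny" not in (spec.get("validationActions") or []):
        out.append("validationActions lacks Deny: violations are only warned or audited")
    if spec.get("required", True) is False:
        out.append("required=false: an image no attestor verified is still admitted")
    if spec.get("verifyDigest", True) is False:
        msg = "verifyDigest=false: tag-only image references are accepted"
        if spec.get("mutateDigest", True) is False:
            msg += " and not pinned, so the tag can be re-pointed after admission"
        out.append(msg)
    if (spec.get("credentials") or {}).get("allowInsecureRegistry") is True:
        out.append("credentials.allowInsecureRegistry=true: signatures may be fetched over an insecure connection")
    if "objectSelector" in (spec.get("matchConstraints") or {}):
        out.append("matchConstraints.objectSelector set: policy is opt-in and skipped by relabeling the object")
    if not spec.get("attestors"):
        out.append("attestors is empty: nothing can pass verification")
    for att in spec.get("attestors") or []:
        _lint_attestor(att, out)
    for attn in spec.get("attestations") or []:
        if "intoto" not in attn and "referrer" not in attn:
            out.append(f"attestations[{attn.get('name', '<unnamed>')}]: neither intoto nor referrer is set")
    return out


# Constructed sample policies; only the fields the linter inspects are populated.
WEAK_POLICY = {"apiVersion": "policies.kyverno.io/v1alpha1", "kind": "ImageVerificationPolicy",
    "metadata": {"name": "weak-example"},
    "spec": {"failurePolicy": "Ignore", "validationActions": ["Audit"], "required": False,
        "verifyDigest": False, "mutateDigest": False,
        "credentials": {"allowInsecureRegistry": True},
        "matchConstraints": {"objectSelector": {"matchLabels": {"verify-images": "true"}}},
        "attestors": [{"name": "ci", "cosign": {"ctlog": {"insecureIgnoreTlog": True},
            "keyless": {"identities": [{"issuerRegExp": ".*",
                                        "subjectRegExp": "github.com/example-org/"}]}}}]}}

HARDENED_POLICY = {"apiVersion": "policies.kyverno.io/v1alpha1", "kind": "ImageVerificationPolicy",
    "metadata": {"name": "hardened-example"},
    "spec": {"failurePolicy": "Fail", "validationActions": ["Deny"],
        "attestors": [{"name": "ci", "cosign": {"keyless": {"identities": [{
            "issuer": "https://token.actions.githubusercontent.com",
            "subjectRegExp": r"^https://github\.com/example-org/[^/]+/\.github/workflows/[^@]+@refs/heads/main$"}]}}}],
        "attestations": [{"name": "sbom", "intoto": {"type": "https://spdx.dev/Document"}}]}}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(pol) or ["no findings"])
```

Run as a pre-merge check over policy manifests (after loading them with a YAML parser of your choice) so that a policy which fails open, skips the transparency log, or pins an all-matching identity is caught before it reaches the cluster. The unanchored-regex finding is deliberately conservative: it fires on "github.com/example-org/" because the schema only says a regexp is applied, not that it must match the whole subject, and the hardened sample shows the anchored form to use instead.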