v1beta1

package
v0.10.0

Warning: This package is not in the latest version of its module.
Published: Jul 8, 2024 License: Apache-2.0 Imports: 19 Imported by: 1

Documentation

Overview

+k8s:deepcopy-gen=package +groupName=policy.sigstore.dev

Index

Constants

const (
	// ClusterImagePolicyConditionReady is set when the ClusterImagePolicy has been
	// compiled into the underlying ConfigMap properly.
	ClusterImagePolicyConditionReady = apis.ConditionReady
	// ClusterImagePolicyConditionKeysInlined is set to True when all the Keys
	// have been (Secrets, KMS, etc.) resolved, fetched, validated, and inlined
	// into the compiled representation.
	// In failure cases, the Condition will describe the errors in detail.
	ClusterImagePolicyConditionKeysInlined apis.ConditionType = "KeysInlined"
	// ClusterImagePolicyConditionPoliciesInlined is set to True when all the
	// policies have been resolved, fetched, validated, and inlined into the
	// compiled representation.
	// In failure cases, the Condition will describe the errors in detail.
	ClusterImagePolicyConditionPoliciesInlined apis.ConditionType = "PoliciesInlined"
	// ClusterImagePolicyConditionCMUpdated is set to True when the CIP has been
	// successfully added into the ConfigMap holding all the compiled CIPs.
	// In failure cases, the Condition will describe the errors in detail.
	ClusterImagePolicyConditionCMUpdated apis.ConditionType = "ConfigMapUpdated"
)

Variables

var (
	// SchemeBuilder builds a scheme with the types known to the package.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme adds the types known to this package to an existing schema.
	AddToScheme = SchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: policy.GroupName, Version: "v1beta1"}

SchemeGroupVersion is the group version used to register these objects.

Functions

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns back a Group qualified GroupKind

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

func ValidateGlob

func ValidateGlob(g string) *apis.FieldError

ValidateGlob checks that g compiles as a glob by testing it against the empty string, returning a FieldError if it does not. It is what ImagePattern.Validate uses for the Glob field.

func ValidateRegex

func ValidateRegex(regex string) *apis.FieldError

Types

type Attestation

type Attestation struct {
	// Name of the attestation. These can then be referenced at the CIP level
	// policy.
	Name string `json:"name"`
	// PredicateType defines which predicate type to verify. Matches cosign verify-attestation options.
	PredicateType string `json:"predicateType"`
	// Policy defines all of the matching signatures, and all of
	// the matching attestations (whose attestations are verified).
	// +optional
	Policy *Policy `json:"policy,omitempty"`
}

Attestation defines the type of attestation to validate and, optionally, a policy decision to apply to it. The enclosing Authority is used to verify the signature on attestations of the given PredicateType; if Policy is specified, it is evaluated only after that signature has been verified successfully.

func (*Attestation) DeepCopy

func (in *Attestation) DeepCopy() *Attestation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.

func (*Attestation) DeepCopyInto

func (in *Attestation) DeepCopyInto(out *Attestation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Attestation) Validate

func (a *Attestation) Validate(ctx context.Context) *apis.FieldError

type Authority

type Authority struct {
	// Name is the name for this authority. Used by the CIP Policy
	// validator to be able to reference matching signature or attestation
	// verifications.
	// If not specified, the name will be authority-<index in array>
	Name string `json:"name"`
	// Key defines the type of key to validate the image.
	// +optional
	Key *KeyRef `json:"key,omitempty"`
	// Keyless sets the configuration to verify the authority against a Fulcio instance.
	// +optional
	Keyless *KeylessRef `json:"keyless,omitempty"`
	// Static specifies that signatures / attestations are not validated but
	// instead a static policy is applied against matching images.
	// +optional
	Static *StaticRef `json:"static,omitempty"`
	// Sources sets the configuration to specify the sources from where to consume the signatures.
	// +optional
	Sources []Source `json:"source,omitempty"`
	// CTLog sets the configuration to verify the authority against a Rekor instance.
	// +optional
	CTLog *TLog `json:"ctlog,omitempty"`
	// Attestations is a list of individual attestations for this authority,
	// once the signature for this authority has been verified.
	// +optional
	Attestations []Attestation `json:"attestations,omitempty"`
	// RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.
	// +optional
	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
}

The authorities block defines the rules for discovering and validating signatures. Signatures are cryptographically verified using one of the "key" or "keyless" fields (or, with "static", not verified at all). When multiple authorities are specified, a signature that verifies under any one of them is sufficient to admit the image.

func (*Authority) DeepCopy

func (in *Authority) DeepCopy() *Authority

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authority.

func (*Authority) DeepCopyInto

func (in *Authority) DeepCopyInto(out *Authority)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Authority) Validate

func (authority *Authority) Validate(ctx context.Context) *apis.FieldError

type ClusterImagePolicy

type ClusterImagePolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata"`

	// Spec holds the desired state of the ClusterImagePolicy (from the client).
	Spec ClusterImagePolicySpec `json:"spec"`

	// Status represents the current state of the ClusterImagePolicy.
	// This data may be out of date.
	// +optional
	Status ClusterImagePolicyStatus `json:"status,omitempty"`
}

ClusterImagePolicy defines the images that go through verification and the authorities used for verification

+genclient +genclient:nonNamespaced +genreconciler:krshapedlogic=true +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ClusterImagePolicy) ConvertFrom

func (c *ClusterImagePolicy) ConvertFrom(_ context.Context, source apis.Convertible) error

ConvertFrom implements api.Convertible

func (*ClusterImagePolicy) ConvertTo

func (c *ClusterImagePolicy) ConvertTo(_ context.Context, sink apis.Convertible) error

ConvertTo implements api.Convertible

func (*ClusterImagePolicy) DeepCopy

func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy.

func (*ClusterImagePolicy) DeepCopyInto

func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicy) DeepCopyObject

func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterImagePolicy) GetConditionSet added in v0.7.0

func (*ClusterImagePolicy) GetConditionSet() apis.ConditionSet

GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.

func (*ClusterImagePolicy) GetGroupVersionKind

func (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind

GetGroupVersionKind implements kmeta.OwnerRefable

func (*ClusterImagePolicy) GetStatus added in v0.7.0

func (c *ClusterImagePolicy) GetStatus() *duckv1.Status

GetStatus retrieves the status of the ClusterImagePolicy. Implements the KRShaped interface.

func (*ClusterImagePolicy) IsFailed added in v0.7.0

func (c *ClusterImagePolicy) IsFailed() bool

IsFailed returns true if the resource has observed the latest generation and ready is false.

func (*ClusterImagePolicy) IsReady added in v0.7.0

func (c *ClusterImagePolicy) IsReady() bool

IsReady returns true if the ClusterImagePolicy was compiled successfully into the ConfigMap.

func (*ClusterImagePolicy) SetDefaults

func (c *ClusterImagePolicy) SetDefaults(ctx context.Context)

SetDefaults implements apis.Defaultable

func (*ClusterImagePolicy) Validate

func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError

Validate implements apis.Validatable

type ClusterImagePolicyList

type ClusterImagePolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []ClusterImagePolicy `json:"items"`
}

ClusterImagePolicyList is a list of ClusterImagePolicy resources

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ClusterImagePolicyList) DeepCopy

func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList.

func (*ClusterImagePolicyList) DeepCopyInto

func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicyList) DeepCopyObject

func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ClusterImagePolicySpec

type ClusterImagePolicySpec struct {
	// Images defines the patterns of image names that should be subject to this policy.
	Images []ImagePattern `json:"images"`
	// Authorities defines the rules for discovering and validating signatures.
	// +optional
	Authorities []Authority `json:"authorities,omitempty"`
	// Policy is an optional policy that can be applied against all the
	// successfully validated Authorities. If no authorities pass, this does
	// not even get evaluated, as the Policy is considered failed.
	// +optional
	Policy *Policy `json:"policy,omitempty"`
	// Mode controls whether a failing policy will be rejected (not admitted),
	// or if errors are converted to Warnings.
	// enforce - Reject (default)
	// warn - allow but warn
	// +optional
	Mode string `json:"mode,omitempty"`
	// Match allows selecting resources based on their properties.
	// +optional
	Match []MatchResource `json:"match,omitempty"`
}

ClusterImagePolicySpec defines a list of images that should be verified
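The manifest below is an added example, not from the policy-controller project or its documentation. It shows how the ClusterImagePolicySpec, Authority, Identity and MatchResource fields described on this page fit together in one ClusterImagePolicy. The registry path, Secret name, GitHub organisation, workflow path and label values are assumptions for illustration; the Fulcio and Rekor URLs are the public Sigstore instances.

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: prod-images                          # assumed name
spec:
  # Only image references matching one of these globs are subject to this policy.
  images:
    - glob: "registry.example.com/prod/**"   # assumed registry path
  # Authorities are OR'd: a signature that verifies under ANY one of them admits the image.
  authorities:
    # 1. Pinned public key, read from a Secret in the cosign-system namespace.
    - name: release-key
      key:
        secretRef:
          name: cosign-release-key           # assumed Secret name
    # 2. Keyless signature: Fulcio certificate issued to one org's release workflow.
    - name: keyless-github
      keyless:
        url: https://fulcio.sigstore.dev
        identities:
          # issuer is an exact match; subject is matched by regexp so that any
          # repository in the org, signing from a v<major>.<minor>.<patch> tag, is accepted.
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: "^https://github\\.com/example-org/[^/]+/\\.github/workflows/release\\.ya?ml@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"
      ctlog:
        url: https://rekor.sigstore.dev      # require an entry in the public Rekor log
  # Surface failures as admission warnings during roll-out; the default is "enforce".
  mode: warn
  # Evaluate only Deployments labelled env=prod (GroupVersionResource plus label selector).
  match:
    - group: apps
      version: v1
      resource: deployments
      selector:
        matchLabels:
          env: prod
```

Both authorities are tried: a workload whose image carries a signature from the pinned key is admitted even if it has no keyless signature, and vice versa. With `mode: warn` a failed verification is returned as an admission warning rather than a rejection; drop the field (or set `enforce`) once the policy is known to be clean. The `match` block limits evaluation to Deployments carrying `env: prod`; without it the policy applies to every resource kind the webhook admits.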

func (*ClusterImagePolicySpec) DeepCopy

func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec.

func (*ClusterImagePolicySpec) DeepCopyInto

func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicySpec) SetDefaults

func (spec *ClusterImagePolicySpec) SetDefaults(_ context.Context)

func (*ClusterImagePolicySpec) Validate

func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError)

type ClusterImagePolicyStatus added in v0.7.0

type ClusterImagePolicyStatus struct {
	// inherits duck/v1 Status, which currently provides:
	// * ObservedGeneration - the 'Generation' of the ClusterImagePolicy that was last processed by the controller.
	// * Conditions - the latest available observations of a resource's current state.
	duckv1.Status `json:",inline"`
}

ClusterImagePolicyStatus represents the current state of a ClusterImagePolicy.

func (*ClusterImagePolicyStatus) DeepCopy added in v0.7.0

func (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyStatus.

func (*ClusterImagePolicyStatus) DeepCopyInto added in v0.7.0

func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicyStatus) InitializeConditions added in v0.7.0

func (cs *ClusterImagePolicyStatus) InitializeConditions()

InitializeConditions sets the initial values to the conditions.

func (*ClusterImagePolicyStatus) MarkCMUpdateFailed added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkCMUpdateFailed(msg string)

MarkCMUpdateFailed surfaces a failure that we were unable to reflect the CIP into the compiled ConfigMap.

func (*ClusterImagePolicyStatus) MarkCMUpdatedOK added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkCMUpdatedOK()

MarkCMUpdatedOK marks the status saying that the ConfigMap has been updated.

func (*ClusterImagePolicyStatus) MarkInlineKeysFailed added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkInlineKeysFailed(msg string)

MarkInlineKeysFailed surfaces a failure that we were unable to inline the keys (from secrets or from KMS).

func (*ClusterImagePolicyStatus) MarkInlineKeysOk added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkInlineKeysOk()

MarkInlineKeysOk marks the status saying that the inlining of the keys had no errors.

func (*ClusterImagePolicyStatus) MarkInlinePoliciesFailed added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesFailed(msg string)

MarkInlinePoliciesFailed surfaces a failure that we were unable to inline the policies, either from ConfigMap or from URL.

func (*ClusterImagePolicyStatus) MarkInlinePoliciesOk added in v0.7.0

func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesOk()

MarkInlinePoliciesOk marks the status saying that the inlining of the policies had no errors.

type ConfigMapReference

type ConfigMapReference struct {
	// Name is unique within a namespace to reference a configmap resource.
	// +optional
	Name string `json:"name,omitempty"`
	// Namespace defines the space within which the configmap name must be unique.
	// +optional
	Namespace string `json:"namespace,omitempty"`
	// Key defines the key to pull from the configmap.
	// +optional
	Key string `json:"key,omitempty"`
}

ConfigMapReference is cut-and-paste from SecretReference, but for the life of me I couldn't find one in the public types. If there's one, use it.

func (*ConfigMapReference) DeepCopy

func (in *ConfigMapReference) DeepCopy() *ConfigMapReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.

func (*ConfigMapReference) DeepCopyInto

func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ConfigMapReference) Validate added in v0.6.0

func (cmr *ConfigMapReference) Validate(_ context.Context) *apis.FieldError

type Identity

type Identity struct {
	// Issuer defines the issuer for this identity.
	// +optional
	Issuer string `json:"issuer,omitempty"`
	// Subject defines the subject for this identity.
	// +optional
	Subject string `json:"subject,omitempty"`
	// IssuerRegExp specifies a regular expression to match the issuer for this identity.
	// +optional
	IssuerRegExp string `json:"issuerRegExp,omitempty"`
	// SubjectRegExp specifies a regular expression to match the subject for this identity.
	// +optional
	SubjectRegExp string `json:"subjectRegExp,omitempty"`
}

Identity may contain the issuer and/or the subject of the signing certificate, i.e. the OIDC issuer and subject that Fulcio recorded in the certificate and that also appear in the transparency log entry. Issuer/Subject use a strict (exact) match, while IssuerRegExp and SubjectRegExp apply a regular expression.

func (*Identity) DeepCopy

func (in *Identity) DeepCopy() *Identity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Identity.

func (*Identity) DeepCopyInto

func (in *Identity) DeepCopyInto(out *Identity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Identity) Validate

func (identity *Identity) Validate(_ context.Context) *apis.FieldError

type ImagePattern

type ImagePattern struct {
	// Glob defines a globbing pattern.
	Glob string `json:"glob"`
}

ImagePattern defines a glob pattern for image references; the authorities that apply to matching images are those of the enclosing ClusterImagePolicySpec. If multiple policies match a particular image, then ALL of those policies must be satisfied for the image to be admitted.

func (*ImagePattern) DeepCopy

func (in *ImagePattern) DeepCopy() *ImagePattern

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePattern.

func (*ImagePattern) DeepCopyInto

func (in *ImagePattern) DeepCopyInto(out *ImagePattern)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ImagePattern) Validate

func (image *ImagePattern) Validate(_ context.Context) *apis.FieldError

type KeyRef

type KeyRef struct {
	// SecretRef sets a reference to a secret with the key.
	// +optional
	SecretRef *v1.SecretReference `json:"secretRef,omitempty"`
	// Data contains the inline public key.
	// +optional
	Data string `json:"data,omitempty"`
	// KMS contains the KMS url of the public key
	// Supported formats differ based on the KMS system used.
	// +optional
	KMS string `json:"kms,omitempty"`
	// HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set
	// +optional
	HashAlgorithm string `json:"hashAlgorithm,omitempty"`
}

KeyRef references the public verification key: inline (Data), stored in a Secret in the cosign-system namespace (SecretRef), or held in a KMS (KMS). A KeyRef must specify exactly one of SecretRef, Data or KMS.

func (*KeyRef) DeepCopy

func (in *KeyRef) DeepCopy() *KeyRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyRef.

func (*KeyRef) DeepCopyInto

func (in *KeyRef) DeepCopyInto(out *KeyRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KeyRef) Validate

func (key *KeyRef) Validate(_ context.Context) *apis.FieldError

type KeylessRef

type KeylessRef struct {
	// URL defines a url to the keyless instance.
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// Identities sets a list of identities.
	Identities []Identity `json:"identities"`
	// CACert sets a reference to CA certificate
	// +optional
	CACert *KeyRef `json:"ca-cert,omitempty"`
	// Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
	// InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT
	// +optional
	InsecureIgnoreSCT *bool `json:"insecureIgnoreSCT,omitempty"`
}

KeylessRef contains the location of the validating certificate and the identities against which to verify. KeylessRef will contain either the URL to the verifying certificate (Fulcio instance), the certificate data inline or in a secret (CACert), or a TrustRootRef naming the TrustRoot whose CertificateAuthorities and CTLog are to be used.

func (*KeylessRef) DeepCopy

func (in *KeylessRef) DeepCopy() *KeylessRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessRef.

func (*KeylessRef) DeepCopyInto

func (in *KeylessRef) DeepCopyInto(out *KeylessRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KeylessRef) Validate

func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError

type MatchResource added in v0.4.0

type MatchResource struct {
	// +optional
	metav1.GroupVersionResource `json:",inline"`
	// +optional
	ResourceSelector *metav1.LabelSelector `json:"selector,omitempty"`
}

MatchResource allows selecting resources based on its version, group and resource. It is also possible to select resources based on a list of matching labels.

func (*MatchResource) DeepCopy added in v0.4.0

func (in *MatchResource) DeepCopy() *MatchResource

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResource.

func (*MatchResource) DeepCopyInto added in v0.4.0

func (in *MatchResource) DeepCopyInto(out *MatchResource)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*MatchResource) Validate added in v0.4.0

func (matchResource *MatchResource) Validate(_ context.Context) *apis.FieldError

type Policy

type Policy struct {
	// Which kind of policy this is, currently only rego or cue are supported.
	// Furthermore, only cue is tested :)
	Type string `json:"type"`
	// Data contains the policy definition.
	// +optional
	Data string `json:"data,omitempty"`
	// Remote defines the url to a policy.
	// +optional
	Remote *RemotePolicy `json:"remote,omitempty"`
	// ConfigMapRef defines the reference to a configMap with the policy definition.
	// +optional
	ConfigMapRef *ConfigMapReference `json:"configMapRef,omitempty"`
	// FetchConfigFile controls whether ConfigFile will be fetched and made
	// available for CIP level policy evaluation. Note that this only gets
	// evaluated (and hence fetched) iff at least one authority matches.
	// The ConfigFile will then be available in this format:
	// https://github.com/opencontainers/image-spec/blob/main/config.md
	// +optional
	FetchConfigFile *bool `json:"fetchConfigFile,omitempty"`
	// IncludeSpec controls whether resource `Spec` will be included and
	// made available for CIP level policy evaluation. Note that this only gets
	// evaluated iff at least one authority matches.
	// Also note that because Spec may be of a different shape depending
	// on the resource being evaluated (see MatchResource for filtering)
	// you might want to configure these to match the policy file to ensure
	// the shape of the Spec is what you expect when evaling the policy.
	// +optional
	IncludeSpec *bool `json:"includeSpec,omitempty"`
	// IncludeObjectMeta controls whether the ObjectMeta will be included and
	// made available for CIP level policy evaluation. Note that this only gets
	// evaluated iff at least one authority matches.
	// +optional
	IncludeObjectMeta *bool `json:"includeObjectMeta,omitempty"`
	// IncludeTypeMeta controls whether the TypeMeta will be included and
	// made available for CIP level policy evaluation. Note that this only gets
	// evaluated iff at least one authority matches.
	// +optional
	IncludeTypeMeta *bool `json:"includeTypeMeta,omitempty"`
}

Policy specifies a policy to use for Attestation or the CIP validation (iff at least one authority matches). Exactly one of Data, Remote, or ConfigMapRef must be specified.
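An added example, not the project's own, of both places a Policy can appear: per attestation inside an Authority, and at ClusterImagePolicy level (this serves the Attestation type above as well). The attestation-level CUE policy is evaluated against the in-toto Statement of each attestation the authority verified; the CIP-level policy runs only after at least one authority matched. The registry path, identity and builder id are assumptions, and the `authorityMatches` input shape used by the CIP-level policy is taken from the project's policy documentation rather than from this page.

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: require-slsa-provenance              # assumed name
spec:
  images:
    - glob: "registry.example.com/prod/**"   # assumed registry path
  authorities:
    - name: build-system
      keyless:
        url: https://fulcio.sigstore.dev
        identities:
          - issuer: https://token.actions.githubusercontent.com   # assumed issuer
            subjectRegExp: "^https://github\\.com/example-org/.+$"  # assumed org
      ctlog:
        url: https://rekor.sigstore.dev
      # Attestations are fetched and checked only after this authority's signature verified.
      attestations:
        - name: provenance
          # A cosign predicate type (as for `cosign verify-attestation --type`).
          predicateType: slsaprovenance
          # Attestation-level policy, evaluated against the in-toto Statement of
          # each matching attestation. CUE unification fails, and admission is
          # refused, if the builder id is not the one expected.
          policy:
            type: cue
            data: |
              predicateType: "https://slsa.dev/provenance/v0.2"
              predicate: builder: id: "https://builder.example.com/release-pipeline"   // assumed builder id
  # CIP-level policy: evaluated only when at least one authority matched. Its
  # input (assumed shape, from the project's policy docs) is
  #   {"authorityMatches": {<authority name>: {"signatures": [..], "attestations": {<attestation name>: [..]}}}}
  # This one insists that the build-system authority produced at least one
  # verified provenance attestation ("[_, ...]" is CUE for a non-empty list).
  policy:
    type: cue
    data: |
      authorityMatches: "build-system": attestations: provenance: [_, ...]
```

Keep the attestation-level policy for claims about the attestation content (who built it, from what) and the CIP-level policy for claims across authorities (which authorities matched, how many attestations were seen). Setting `fetchConfigFile`, `includeSpec`, `includeObjectMeta` or `includeTypeMeta` on the CIP-level Policy adds the image config or the admitted resource's fields to that same input; with `match` filtering on a single resource kind the shape of `spec` is predictable.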

func (*Policy) DeepCopy

func (in *Policy) DeepCopy() *Policy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.

func (*Policy) DeepCopyInto

func (in *Policy) DeepCopyInto(out *Policy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Policy) Validate

func (p *Policy) Validate(ctx context.Context) *apis.FieldError

type RFC3161Timestamp added in v0.6.0

type RFC3161Timestamp struct {
	// Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
}

RFC3161Timestamp configures verification of the signature's RFC 3161 timestamp. The time-stamping authority's certificate chain is taken from the TimeStampAuthorities of the referenced TrustRoot.

func (*RFC3161Timestamp) DeepCopy added in v0.6.0

func (in *RFC3161Timestamp) DeepCopy() *RFC3161Timestamp

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RFC3161Timestamp.

func (*RFC3161Timestamp) DeepCopyInto added in v0.6.0

func (in *RFC3161Timestamp) DeepCopyInto(out *RFC3161Timestamp)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RemotePolicy added in v0.6.0

type RemotePolicy struct {
	// URL to the policy data.
	URL apis.URL `json:"url,omitempty"`
	// Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.
	Sha256sum string `json:"sha256sum,omitempty"`
}

RemotePolicy defines all the properties to fetch a remote policy

func (*RemotePolicy) DeepCopy added in v0.6.0

func (in *RemotePolicy) DeepCopy() *RemotePolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemotePolicy.

func (*RemotePolicy) DeepCopyInto added in v0.6.0

func (in *RemotePolicy) DeepCopyInto(out *RemotePolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RemotePolicy) Validate added in v0.6.0

func (r *RemotePolicy) Validate(_ context.Context) *apis.FieldError

type Source

type Source struct {
	// OCI defines the registry from where to pull the signature / attestations.
	// +optional
	OCI string `json:"oci,omitempty"`
	// SignaturePullSecrets is an optional list of references to secrets in the
	// same namespace as the deploying resource for pulling any of the signatures
	// used by this Source.
	// +optional
	SignaturePullSecrets []v1.LocalObjectReference `json:"signaturePullSecrets,omitempty"`
	// TagPrefix is an optional prefix that signature and attestations have.
	// This is the 'tag based discovery' and in the future once references are
	// fully supported that should likely be the preferred way to handle these.
	// +optional
	TagPrefix *string `json:"tagPrefix,omitempty"`
}

Source specifies the location of the signature / attestations.

func (*Source) DeepCopy

func (in *Source) DeepCopy() *Source

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source.

func (*Source) DeepCopyInto

func (in *Source) DeepCopyInto(out *Source)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Source) Validate

func (source *Source) Validate(_ context.Context) *apis.FieldError

type StaticRef

type StaticRef struct {
	// Action defines how to handle a matching policy.
	Action string `json:"action"`
	// For fail actions, emit an optional custom message
	Message string `json:"message,omitempty"`
}

StaticRef specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.
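Added example, not part of the project: a StaticRef is useful where no signature check is wanted at all, either to hard-block an image pattern or to explicitly exempt one. The registry paths and the wiki URL are assumptions.

```yaml
# Hard-block a retired registry path regardless of how its images are signed.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: block-legacy-registry
spec:
  images:
    - glob: "registry.example.com/legacy/**"   # assumed path
  authorities:
    - name: deny
      static:
        action: fail
        # Returned in the admission response so the user knows what to do.
        message: "images under registry.example.com/legacy are retired; rebuild from the prod pipeline (https://wiki.example.com/signing)"
---
# Explicitly exempt a vendor registry whose images are not signed with Sigstore.
# Matching images are admitted with no signature or attestation check, so keep the glob narrow.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: allow-vendor-images
spec:
  images:
    - glob: "vendor.example.net/agent/**"   # assumed path
  authorities:
    - name: allow
      static:
        action: pass
```

Because every ClusterImagePolicy whose glob matches an image must pass, `action: fail` overrides any other policy that would have admitted the image, and `action: pass` only helps if no other matching policy rejects it. A StaticRef cannot act as a deny-by-default for images that match no policy at all; that is governed by the controller's own `no-match-policy` configuration, not by this API.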

func (*StaticRef) DeepCopy

func (in *StaticRef) DeepCopy() *StaticRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticRef.

func (*StaticRef) DeepCopyInto

func (in *StaticRef) DeepCopyInto(out *StaticRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*StaticRef) Validate

func (s *StaticRef) Validate(_ context.Context) *apis.FieldError

type TLog

type TLog struct {
	// URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// Use the Public Key from the referred TrustRoot.TLog
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
}

TLog specifies the transparency log (Rekor) instance, by URL or via a TrustRootRef, that holds the signature and public key information.
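Added example (not the project's own) for an internal Sigstore deployment, tying together the TrustRootRef fields of KeylessRef, TLog and RFC3161Timestamp with a Source that relocates signatures and a KMS-backed KeyRef. It assumes a TrustRoot resource named `my-sigstore` (a separate policy.sigstore.dev/v1alpha1 kind, not shown here) already carries the private Fulcio, CT log, Rekor and TSA material; the registry names, OIDC issuer, Secret name and KMS resource path are placeholders.

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: internal-sigstore                    # assumed name
spec:
  images:
    - glob: "registry.example.com/internal/**"   # assumed registry path
  authorities:
    - name: internal-keyless
      keyless:
        # No url: the Fulcio CA chain and CT log key come from TrustRoot "my-sigstore"
        # (assumed to exist; its CertificateAuthorities and CTLog are used).
        trustRootRef: my-sigstore
        identities:
          - issuer: https://oidc.internal.example.com           # assumed internal OIDC issuer
            subjectRegExp: "^build-[a-z0-9-]+@example\\.com$"    # assumed build service accounts
      ctlog:
        trustRootRef: my-sigstore      # Rekor public key from TrustRoot.TLog
      rfc3161timestamp:
        trustRootRef: my-sigstore      # TSA chain from TrustRoot.TimeStampAuthorities
      # Signatures and attestations live in a separate, authenticated registry
      # rather than next to the image.
      source:
        - oci: registry.example.com/signatures        # assumed registry
          signaturePullSecrets:
            - name: signature-registry-creds          # Secret in the namespace of the resource being admitted
          tagPrefix: prod-                            # signature tags carry this prefix
    # A second authority: public key held in a cloud KMS; the controller fetches
    # and inlines it at reconcile time (the KeysInlined condition reports failures).
    - name: kms-key
      key:
        kms: gcpkms://projects/PROJECT/locations/global/keyRings/KEYRING/cryptoKeys/KEY/versions/1   # placeholder path
```

With `trustRootRef` set, no `url` is needed on the keyless or ctlog blocks: the verifying roots come from the TrustRoot rather than from the public Sigstore instances. `signaturePullSecrets` are resolved in the namespace of the resource being admitted, not in cosign-system, so the Secret must exist wherever the workload is deployed. If the KMS path is wrong or unreachable, the policy never becomes Ready and the KeysInlined condition carries the error.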

func (*TLog) DeepCopy

func (in *TLog) DeepCopy() *TLog

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLog.

func (*TLog) DeepCopyInto

func (in *TLog) DeepCopyInto(out *TLog)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
