v1alpha1

package
v0.2.0

This package is not in the latest version of its module.
Published: Jul 22, 2022 License: Apache-2.0 Imports: 18 Imported by: 1

Documentation

Overview

+k8s:deepcopy-gen=package +groupName=policy.sigstore.dev

Index

Constants

This section is empty.

Variables

var (
	// SchemeBuilder builds a scheme with the types known to the package.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme adds the types known to this package to an existing schema.
	AddToScheme = SchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: policy.GroupName, Version: "v1alpha1"}

SchemeGroupVersion is the group version used to register these objects.

Functions

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns back a Group qualified GroupKind

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

func ValidateGlob

func ValidateGlob(g string) *apis.FieldError

ValidateGlob checks that the glob compiles by matching it against the empty string; a malformed pattern is reported as a FieldError.

func ValidateRegex

func ValidateRegex(regex string) *apis.FieldError

Types

type Attestation

type Attestation struct {
	// Name of the attestation. These can then be referenced at the CIP level
	// policy.
	Name string `json:"name"`
	// Which predicate type to verify. Matches cosign verify-attestation options.
	PredicateType string `json:"predicateType"`
	// +optional
	Policy *Policy `json:"policy,omitempty"`
}

Attestation defines the type of attestation to validate and, optionally, a policy decision to apply to it. The enclosing Authority block is used to verify the specified attestation types; if Policy is specified, it is applied only after the attestation signature has been verified.

func (*Attestation) DeepCopy

func (in *Attestation) DeepCopy() *Attestation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.

func (*Attestation) DeepCopyInto

func (in *Attestation) DeepCopyInto(out *Attestation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Attestation) Validate

func (a *Attestation) Validate(ctx context.Context) *apis.FieldError

type Authority

type Authority struct {
	// Name is the name for this authority. Used by the CIP Policy
	// validator to be able to reference matching signature or attestation
	// verifications.
	// If not specified, the name will be authority-<index in array>
	Name string `json:"name"`
	// +optional
	Key *KeyRef `json:"key,omitempty"`
	// +optional
	Keyless *KeylessRef `json:"keyless,omitempty"`
	// +optional
	Static *StaticRef `json:"static,omitempty"`
	// +optional
	Sources []Source `json:"source,omitempty"`
	// +optional
	CTLog *TLog `json:"ctlog,omitempty"`
	// +optional
	Attestations []Attestation `json:"attestations,omitempty"`
}

func (*Authority) ConvertFrom

func (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Authority) error

func (*Authority) ConvertTo

func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authority) error

func (*Authority) DeepCopy

func (in *Authority) DeepCopy() *Authority

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authority.

func (*Authority) DeepCopyInto

func (in *Authority) DeepCopyInto(out *Authority)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Authority) Validate

func (authority *Authority) Validate(ctx context.Context) *apis.FieldError

type ClusterImagePolicy

type ClusterImagePolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata"`

	// Spec holds the desired state of the ClusterImagePolicy (from the client).
	Spec ClusterImagePolicySpec `json:"spec"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ClusterImagePolicy) ConvertFrom

func (c *ClusterImagePolicy) ConvertFrom(ctx context.Context, obj apis.Convertible) error

ConvertFrom implements api.Convertible

func (*ClusterImagePolicy) ConvertTo

func (c *ClusterImagePolicy) ConvertTo(ctx context.Context, obj apis.Convertible) error

ConvertTo implements api.Convertible

func (*ClusterImagePolicy) DeepCopy

func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy.

func (*ClusterImagePolicy) DeepCopyInto

func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicy) DeepCopyObject

func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterImagePolicy) GetGroupVersionKind

func (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind

GetGroupVersionKind implements kmeta.OwnerRefable

func (*ClusterImagePolicy) SetDefaults

func (c *ClusterImagePolicy) SetDefaults(ctx context.Context)

SetDefaults implements apis.Defaultable

func (*ClusterImagePolicy) Validate

func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError

Validate implements apis.Validatable

type ClusterImagePolicyList

type ClusterImagePolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []ClusterImagePolicy `json:"items"`
}

ClusterImagePolicyList is a list of ClusterImagePolicy resources

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ClusterImagePolicyList) DeepCopy

func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList.

func (*ClusterImagePolicyList) DeepCopyInto

func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicyList) DeepCopyObject

func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ClusterImagePolicySpec

type ClusterImagePolicySpec struct {
	Images      []ImagePattern `json:"images"`
	Authorities []Authority    `json:"authorities"`
	// Policy is an optional policy that can be applied against all the
	// successfully validated Authorities. If no authorities pass, this does
	// not even get evaluated, as the Policy is considered failed.
	// +optional
	Policy *Policy `json:"policy,omitempty"`
}

ClusterImagePolicySpec defines a list of images that should be verified

func (*ClusterImagePolicySpec) ConvertFrom

func (*ClusterImagePolicySpec) ConvertTo

func (*ClusterImagePolicySpec) DeepCopy

func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec.

func (*ClusterImagePolicySpec) DeepCopyInto

func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicySpec) SetDefaults

func (spec *ClusterImagePolicySpec) SetDefaults(ctx context.Context)

func (*ClusterImagePolicySpec) Validate

func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError)

type ConfigMapReference

type ConfigMapReference struct {
	// Name is unique within a namespace to reference a configmap resource.
	// +optional
	Name string `json:"name,omitempty"`
	// Namespace defines the space within which the configmap name must be unique.
	// +optional
	Namespace string `json:"namespace,omitempty"`
}

ConfigMapReference mirrors SecretReference; no equivalent ConfigMap reference type was found in the public Kubernetes API types. If one exists, use it instead.

func (*ConfigMapReference) DeepCopy

func (in *ConfigMapReference) DeepCopy() *ConfigMapReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.

func (*ConfigMapReference) DeepCopyInto

func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Identity

type Identity struct {
	// +optional
	Issuer string `json:"issuer,omitempty"`
	// +optional
	Subject string `json:"subject,omitempty"`
	// +optional
	IssuerRegExp string `json:"issuerRegExp,omitempty"`
	// +optional
	SubjectRegExp string `json:"subjectRegExp,omitempty"`
}

Identity may contain the issuer and/or the subject found in the transparency log. Issuer and Subject use a strict (exact) match, while IssuerRegExp and SubjectRegExp apply a regular expression for matching.
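Identity matching as the doc comment above describes it, as an added example in Go that is not part of this package: Issuer and Subject compare strictly, IssuerRegExp and SubjectRegExp go through Go's regexp package. The Identity struct, the matchField and validateRegex helpers, the constructed issuer and subject claims, and the choice that an identity with no fields set matches nothing are all assumptions of the example; the page does not say how policy-controller combines an exact field with its regexp counterpart. The caveat a practitioner wants here is the one main demonstrates: regexp.MatchString is unanchored, so a SubjectRegExp such as example.com also accepts attacker@example.com.evil unless the pattern is written with ^ and $.

```go
package main

import (
	"fmt"
	"regexp"
)

// Identity mirrors the four fields of the v1alpha1 Identity type (an
// assumption of this example, not the package's own type).
type Identity struct {
	Issuer        string
	Subject       string
	IssuerRegExp  string
	SubjectRegExp string
}

// validateRegex checks that a pattern compiles, which is what a ValidateRegex
// style field check needs to do before the identity is accepted.
func validateRegex(pattern string) error {
	if pattern == "" {
		return nil
	}
	_, err := regexp.Compile(pattern)
	return err
}

// matchField applies the strict comparison when exact is set and the regexp
// when re is set; if both are set, both must hold. Go's MatchString is
// unanchored, so re "example.com" also matches "x@example.com.evil" unless
// the pattern is anchored with ^ and $.
func matchField(exact, re, got string) (bool, error) {
	if exact != "" && exact != got {
		return false, nil
	}
	if re != "" {
		ok, err := regexp.MatchString(re, got)
		if err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

// Matches reports whether the issuer and subject taken from a Fulcio
// certificate satisfy the identity. An identity with no constraints is
// rejected so that a misconfigured empty block cannot admit every signer.
func (id Identity) Matches(issuer, subject string) (bool, error) {
	if id.Issuer == "" && id.Subject == "" && id.IssuerRegExp == "" && id.SubjectRegExp == "" {
		return false, fmt.Errorf("identity has no issuer or subject constraint")
	}
	ok, err := matchField(id.Issuer, id.IssuerRegExp, issuer)
	if err != nil || !ok {
		return false, err
	}
	return matchField(id.Subject, id.SubjectRegExp, subject)
}

func main() {
	// Constructed claims: the issuer is the public Google OIDC issuer that
	// Fulcio accepts, the subject is a made-up address.
	issuer, subject := "https://accounts.google.com", "attacker@example.com.evil"
	for _, id := range []Identity{
		{Issuer: issuer, SubjectRegExp: "example.com"},           // unanchored: overmatches
		{Issuer: issuer, SubjectRegExp: `^[a-z]+@example\.com$`}, // anchored
	} {
		ok, err := id.Matches(issuer, subject)
		fmt.Printf("%-28s -> matched=%v err=%v\n", id.SubjectRegExp, ok, err)
	}
}
```

With the constructed claims the unanchored pattern reports matched=true and the anchored one matched=false. Run validateRegex on both regexp fields when the ClusterImagePolicy is admitted, so a pattern that does not compile is rejected at creation time rather than surfacing as an error during image verification.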

func (*Identity) DeepCopy

func (in *Identity) DeepCopy() *Identity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Identity.

func (*Identity) DeepCopyInto

func (in *Identity) DeepCopyInto(out *Identity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Identity) Validate

func (identity *Identity) Validate(ctx context.Context) *apis.FieldError

type ImagePattern

type ImagePattern struct {
	Glob string `json:"glob"`
}

ImagePattern defines an image glob pattern and, through the enclosing ClusterImagePolicy, its associated authorities. If multiple patterns match a particular image, then ALL of those authorities must be satisfied for the image to be admitted.
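The evaluation order that the ClusterImagePolicySpec.Policy comment and the ImagePattern note above describe, as an added Go example that is not the project's code: every ClusterImagePolicy whose images glob matches the ref must be satisfied; within one policy at least one authority must verify, and spec.policy is evaluated only over the authorities that passed. Authority verification is replaced by a constructed signedBy table of which trusted keys or identities have signed which image, the Trusts field stands in for the Key/Keyless references, spec.policy is a Go predicate rather than cue or rego, globs are matched with path.Match, and an image that matches no policy is admitted. All of these are assumptions of the example; the page does not state how the controller matches globs or treats unmatched images. The authority-<index> default name and the empty-string glob check are the documented behaviours.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Authority is one entry of spec.authorities: Name is what spec.policy sees
// (empty defaults to authority-<index>, as the type documents) and Trusts
// names the key or identity it accepts, standing in for Key/Keyless.
type Authority struct{ Name, Trusts string }

// ClusterImagePolicy mirrors spec.images (Globs), spec.authorities and
// spec.policy, the latter as a predicate over the passing authorities' names.
type ClusterImagePolicy struct {
	Name        string
	Globs       []string
	Authorities []Authority
	Policy      func(passed []string) bool // nil: no spec.policy
}

// signedBy is a constructed stand-in for cosign signature verification. Not real data.
var signedBy = map[string][]string{
	"ghcr.io/example/app:v1.2.3": {"release-key", "ci-keyless"},
	"ghcr.io/example/app:v1.3.0": {"release-key"},
	"ghcr.io/example/db:v1.2.3":  {"release-key"},
}

// validateGlob follows the documented ValidateGlob approach: matching against
// the empty string still reports a malformed pattern as an error.
func validateGlob(g string) error {
	_, err := path.Match(g, "")
	return err
}

// evaluate applies one policy: at least one authority must verify, and
// spec.policy, if set, is evaluated only over the authorities that passed.
func (p ClusterImagePolicy) evaluate(image string) error {
	var passed []string
	for i, a := range p.Authorities {
		if a.Name == "" {
			a.Name = fmt.Sprintf("authority-%d", i)
		}
		for _, s := range signedBy[image] { // stand-in for verifying a signature
			if s == a.Trusts {
				passed = append(passed, a.Name)
			}
		}
	}
	if len(passed) == 0 {
		return fmt.Errorf("policy %s: no authority verified %s", p.Name, image)
	}
	if p.Policy != nil && !p.Policy(passed) {
		return fmt.Errorf("policy %s: spec.policy rejected %s (passed: %v)", p.Name, image, passed)
	}
	return nil
}

// Admit returns nil only when every policy with a matching images glob is
// satisfied. An image matching no policy is admitted here (example assumption).
func Admit(policies []ClusterImagePolicy, image string) error {
	for _, p := range policies {
		for _, g := range p.Globs {
			ok, err := path.Match(g, image)
			if err != nil {
				return fmt.Errorf("policy %s: bad glob %q: %w", p.Name, g, err)
			}
			if ok {
				if err := p.evaluate(image); err != nil {
					return err
				}
				break // one matching glob is enough for this policy
			}
		}
	}
	return nil
}

// SamplePolicies: two constructed policies whose globs overlap on app images.
func SamplePolicies() []ClusterImagePolicy {
	return []ClusterImagePolicy{
		{Name: "org-wide", Globs: []string{"ghcr.io/example/*"},
			Authorities: []Authority{{Name: "release-key", Trusts: "release-key"}}},
		{Name: "app-needs-keyless", Globs: []string{"ghcr.io/example/app:*"},
			Authorities: []Authority{
				{Trusts: "release-key"}, // unnamed: becomes authority-0
				{Name: "keyless", Trusts: "ci-keyless"},
			},
			// spec.policy stand-in: admit only if the keyless authority passed.
			Policy: func(passed []string) bool {
				return strings.Contains(","+strings.Join(passed, ",")+",", ",keyless,")
			}},
	}
}

func main() {
	for _, ref := range []string{"ghcr.io/example/app:v1.2.3", "ghcr.io/example/app:v1.3.0"} {
		fmt.Println(ref, "->", Admit(SamplePolicies(), ref))
	}
}
```

With the constructed table, ghcr.io/example/app:v1.2.3 is admitted because both overlapping policies are satisfied, while ghcr.io/example/app:v1.3.0 passes org-wide but is denied by app-needs-keyless: its release-key authority verifies, so the policy is not considered failed outright, but spec.policy runs over the passing names and finds keyless absent. An unsigned app image fails at the first matching policy with no verified authority. Note that path.Match treats * as not crossing a slash, so a glob such as ghcr.io/example/* covers one path segment; check the controller's own glob semantics before relying on that behaviour.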

func (*ImagePattern) DeepCopy

func (in *ImagePattern) DeepCopy() *ImagePattern

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePattern.

func (*ImagePattern) DeepCopyInto

func (in *ImagePattern) DeepCopyInto(out *ImagePattern)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ImagePattern) Validate

func (image *ImagePattern) Validate(ctx context.Context) *apis.FieldError

type KeyRef

type KeyRef struct {
	// +optional
	SecretRef *v1.SecretReference `json:"secretRef,omitempty"`
	// Data contains the inline public key
	// +optional
	Data string `json:"data,omitempty"`
	// KMS contains the KMS url of the public key
	// Supported formats differ based on the KMS system used.
	// +optional
	KMS string `json:"kms,omitempty"`
}

KeyRef references a public verification key: stored in a secret in the cosign-system namespace (SecretRef), inline (Data), or held in a KMS (KMS). A KeyRef must specify exactly one of SecretRef, Data or KMS.

func (*KeyRef) ConvertFrom

func (key *KeyRef) ConvertFrom(ctx context.Context, source *v1beta1.KeyRef)

func (*KeyRef) ConvertTo

func (key *KeyRef) ConvertTo(ctx context.Context, sink *v1beta1.KeyRef)

func (*KeyRef) DeepCopy

func (in *KeyRef) DeepCopy() *KeyRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyRef.

func (*KeyRef) DeepCopyInto

func (in *KeyRef) DeepCopyInto(out *KeyRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KeyRef) Validate

func (key *KeyRef) Validate(ctx context.Context) *apis.FieldError

type KeylessRef

type KeylessRef struct {
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// +optional
	Identities []Identity `json:"identities,omitempty"`
	// +optional
	CACert *KeyRef `json:"ca-cert,omitempty"`
}

KeylessRef contains the location of the validating certificate and the identities against which to verify. KeylessRef will contain either the URL to the verifying certificate, or the certificate data inline or in a secret (CACert).

func (*KeylessRef) DeepCopy

func (in *KeylessRef) DeepCopy() *KeylessRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessRef.

func (*KeylessRef) DeepCopyInto

func (in *KeylessRef) DeepCopyInto(out *KeylessRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KeylessRef) Validate

func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError

type Policy

type Policy struct {
	// Which kind of policy this is, currently only rego or cue are supported.
	// Furthermore, only cue is tested :)
	Type string `json:"type"`
	// +optional
	Data string `json:"data,omitempty"`
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// +optional
	ConfigMapRef *ConfigMapReference `json:"configMapRef,omitempty"`
}

Policy specifies a policy to use for Attestation validation. Exactly one of Data, URL, or ConfigMapRef must be specified.

func (*Policy) DeepCopy

func (in *Policy) DeepCopy() *Policy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.

func (*Policy) DeepCopyInto

func (in *Policy) DeepCopyInto(out *Policy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Policy) Validate

func (p *Policy) Validate(ctx context.Context) *apis.FieldError

type Source

type Source struct {
	// +optional
	OCI string `json:"oci,omitempty"`
	// SignaturePullSecrets is an optional list of references to secrets in the
	// same namespace as the deploying resource for pulling any of the signatures
	// used by this Source.
	// +optional
	SignaturePullSecrets []v1.LocalObjectReference `json:"signaturePullSecrets,omitempty"`
}

Source specifies the location of the signature

func (*Source) DeepCopy

func (in *Source) DeepCopy() *Source

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source.

func (*Source) DeepCopyInto

func (in *Source) DeepCopyInto(out *Source)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Source) Validate

func (source *Source) Validate(ctx context.Context) *apis.FieldError

type StaticRef

type StaticRef struct {
	// Action defines how to handle a matching policy.
	Action string `json:"action"`
}

StaticRef specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.

func (*StaticRef) DeepCopy

func (in *StaticRef) DeepCopy() *StaticRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticRef.

func (*StaticRef) DeepCopyInto

func (in *StaticRef) DeepCopyInto(out *StaticRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*StaticRef) Validate

func (s *StaticRef) Validate(ctx context.Context) *apis.FieldError

type TLog

type TLog struct {
	// +optional
	URL *apis.URL `json:"url,omitempty"`
}

TLog specifies the URL to a transparency log that holds the signature and public key information

func (*TLog) DeepCopy

func (in *TLog) DeepCopy() *TLog

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLog.

func (*TLog) DeepCopyInto

func (in *TLog) DeepCopyInto(out *TLog)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
