Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AttestationPolicy ¶
type AttestationPolicy struct { // Name of the Attestation Name string `json:"name"` // PredicateType to attest, one of the accepted in verify-attestation PredicateType string `json:"predicateType"` // Type specifies how to evaluate policy, only rego/cue are understood. Type string `json:"type,omitempty"` // Data is the inlined version of the Policy used to evaluate the // Attestation. Data string `json:"data,omitempty"` // FetchConfigFile controls whether ConfigFile will be fetched and made // available for CIP level policy evaluation. Note that this only gets // evaluated (and hence fetched) iff at least one authority matches. // The ConfigFile will then be available in this format: // https://github.com/opencontainers/image-spec/blob/main/config.md FetchConfigFile *bool `json:"fetchConfigFile,omitempty"` // IncludeSpec controls whether resource `Spec` will be included and // made available for CIP level policy evaluation. Note that this only gets // evaluated iff at least one authority matches. IncludeSpec *bool `json:"includeSpec,omitempty"` // IncludeObjectMeta controls whether the ObjectMeta will be included and // made available for CIP level policy evalutation. Note that this only gets // evaluated iff at least one authority matches. // +optional IncludeObjectMeta *bool `json:"includeObjectMeta,omitempty"` }
type Authority ¶
type Authority struct { // Name is the name for this authority. Used by the CIP Policy // validator to be able to reference matching signature or attestation // verifications. Name string `json:"name"` // +optional Key *KeyRef `json:"key,omitempty"` // +optional Keyless *KeylessRef `json:"keyless,omitempty"` // +optional Static *StaticRef `json:"static,omitempty"` // +optional Sources []v1alpha1.Source `json:"source,omitempty"` // +optional CTLog *v1alpha1.TLog `json:"ctlog,omitempty"` // RemoteOpts are not marshalled because they are an unsupported type // RemoteOpts will be populated by the Authority UnmarshalJSON override // +optional RemoteOpts []ociremote.Option `json:"-"` // +optional Attestations []AttestationPolicy `json:"attestations,omitempty"` }
func (*Authority) SourceSignaturePullSecretsOpts ¶
func (a *Authority) SourceSignaturePullSecretsOpts(ctx context.Context, namespace string) ([]ociremote.Option, error)
SourceSignaturePullSecretsOpts creates the signaturePullSecrets remoteOpts This is not stored in the Authority under RemoteOpts as the namespace can be different
func (*Authority) UnmarshalJSON ¶
UnmarshalJSON populates the authority with the remoteOpts from authority sources
type ClusterImagePolicy ¶
type ClusterImagePolicy struct { // UID of the CIP so we can tell if they've been deleted/recreated UID types.UID `json:"uid,inline"` // ResourceVersion can be used to know if the CIP has been modified ResourceVersion string `json:"resourceVersion"` Images []v1alpha1.ImagePattern `json:"images"` Authorities []Authority `json:"authorities"` // Policy is an optional policy used to evaluate the results of valid // Authorities. Will not get evaluated unless at least one Authority // succeeds. Policy *AttestationPolicy `json:"policy,omitempty"` // Mode controls whether a failing policy will be rejected (not admitted), // or if errors are converted to Warnings. // enforce - Reject (default) // warn - allow but warn // +optional Mode string `json:"mode,omitempty"` // Match allows selecting resources based on their properties. Match []v1alpha1.MatchResource `json:"match,omitempty"` }
ClusterImagePolicy defines the images that go through verification and the authorities used for verification. This is the internal representation of the external v1alpha1.ClusterImagePolicy. KeyRef does not store secretRefs in internal representation. KeyRef does store parsed publicKeys from Data in internal representation.
func ConvertClusterImagePolicyV1alpha1ToWebhook ¶
func ConvertClusterImagePolicyV1alpha1ToWebhook(in *v1alpha1.ClusterImagePolicy) *ClusterImagePolicy
type KeyRef ¶
type KeyRef struct { // Data contains the inline public key // +optional Data string `json:"data,omitempty"` // HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set // +optional HashAlgorithm string `json:"hashAlgorithm,omitempty"` // HashAlgorithmCode sets the crypto.Hash code based on the value of HashAlgorithm. // HashAlgorithmCode is not marshalled, but we use the calculated crypto.Hash in the validations // +optional HashAlgorithmCode crypto.Hash `json:"-"` // PublicKeys are not marshalled because JSON unmarshalling // errors for *big.Int // +optional PublicKeys []crypto.PublicKey `json:"-"` }
This references a public verification key stored in a secret in the cosign-system namespace.
func (*KeyRef) UnmarshalJSON ¶
UnmarshalJSON populates the PublicKeys using Data because JSON unmashalling errors for *big.Int