v1alpha1

package
v0.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 7, 2022 License: Apache-2.0 Imports: 22 Imported by: 1

Documentation

Overview

+k8s:deepcopy-gen=package +groupName=policy.sigstore.dev

Index

Constants

This section is empty.

Variables

View Source 
var (
	// SchemeBuilder builds a scheme with the types known to the package.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme adds the types known to this package to an existing schema.
	AddToScheme = SchemeBuilder.AddToScheme
)
View Source 
var SchemeGroupVersion = schema.GroupVersion{Group: policy.GroupName, Version: "v1alpha1"}

SchemeGroupVersion is group version used to register these objects

Functions

func Kind 

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns back a Group qualified GroupKind

func Resource 

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

func ValidateGlob 

func ValidateGlob(g string) *apis.FieldError

ValidateGlob glob compilation by testing against empty string

func ValidateRegex 

func ValidateRegex(regex string) *apis.FieldError

Types

type Attestation 

type Attestation struct {
	// Name of the attestation. These can then be referenced at the CIP level
	// policy.
	Name string `json:"name"`
	// PredicateType defines which predicate type to verify. Matches cosign verify-attestation options.
	PredicateType string `json:"predicateType"`
	// Policy defines all of the matching signatures, and all of
	// the matching attestations (whose attestations are verified).
	// +optional
	Policy *Policy `json:"policy,omitempty"`
}

Attestation defines the type of attestation to validate and optionally apply a policy decision to it. Authority block is used to verify the specified attestation types, and if Policy is specified, then it's applied only after the validation of the Attestation signature has been verified.

func (*Attestation) DeepCopy 

func (in *Attestation) DeepCopy() *Attestation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.

func (*Attestation) DeepCopyInto 

func (in *Attestation) DeepCopyInto(out *Attestation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Attestation) Validate 

func (a *Attestation) Validate(ctx context.Context) *apis.FieldError

type Authority 

type Authority struct {
	// Name is the name for this authority. Used by the CIP Policy
	// validator to be able to reference matching signature or attestation
	// verifications.
	// If not specified, the name will be authority-<index in array>
	Name string `json:"name"`
	// Key defines the type of key to validate the image.
	// +optional
	Key *KeyRef `json:"key,omitempty"`
	// Keyless sets the configuration to verify the authority against a Fulcio instance.
	// +optional
	Keyless *KeylessRef `json:"keyless,omitempty"`
	// Static specifies that signatures / attestations are not validated but
	// instead a static policy is applied against matching images.
	// +optional
	Static *StaticRef `json:"static,omitempty"`
	// Sources sets the configuration to specify the sources from where to consume the signatures.
	// +optional
	Sources []Source `json:"source,omitempty"`
	// CTLog sets the configuration to verify the authority against a Rekor instance.
	// +optional
	CTLog *TLog `json:"ctlog,omitempty"`
	// Attestations is a list of individual attestations for this authority,
	// once the signature for this authority has been verified.
	// +optional
	Attestations []Attestation `json:"attestations,omitempty"`
}

func (*Authority) ConvertFrom 

func (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Authority) error

func (*Authority) ConvertTo 

func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authority) error

func (*Authority) DeepCopy 

func (in *Authority) DeepCopy() *Authority

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authority.

func (*Authority) DeepCopyInto 

func (in *Authority) DeepCopyInto(out *Authority)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Authority) Validate 

func (authority *Authority) Validate(ctx context.Context) *apis.FieldError

type ClusterImagePolicy 

type ClusterImagePolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata"`

	// Spec holds the desired state of the ClusterImagePolicy (from the client).
	Spec ClusterImagePolicySpec `json:"spec"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ClusterImagePolicy) ConvertFrom 

func (c *ClusterImagePolicy) ConvertFrom(ctx context.Context, obj apis.Convertible) error

ConvertFrom implements api.Convertible

func (*ClusterImagePolicy) ConvertTo 

func (c *ClusterImagePolicy) ConvertTo(ctx context.Context, obj apis.Convertible) error

ConvertTo implements api.Convertible

func (*ClusterImagePolicy) DeepCopy 

func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicy.

func (*ClusterImagePolicy) DeepCopyInto 

func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicy) DeepCopyObject 

func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterImagePolicy) GetGroupVersionKind 

func (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind

GetGroupVersionKind implements kmeta.OwnerRefable

func (*ClusterImagePolicy) SetDefaults 

func (c *ClusterImagePolicy) SetDefaults(ctx context.Context)

SetDefaults implements apis.Defaultable

func (*ClusterImagePolicy) Validate 

func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError

Validate implements apis.Validatable

type ClusterImagePolicyList 

type ClusterImagePolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []ClusterImagePolicy `json:"items"`
}

ClusterImagePolicyList is a list of ClusterImagePolicy resources

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ClusterImagePolicyList) DeepCopy 

func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicyList.

func (*ClusterImagePolicyList) DeepCopyInto 

func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicyList) DeepCopyObject 

func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ClusterImagePolicySpec 

type ClusterImagePolicySpec struct {
	// Images defines the patterns of image names that should be subject to this policy.
	Images []ImagePattern `json:"images"`
	// Authorities defines the rules for discovering and validating signatures.
	// +optional
	Authorities []Authority `json:"authorities,omitempty"`
	// Policy is an optional policy that can be applied against all the
	// successfully validated Authorities. If no authorities pass, this does
	// not even get evaluated, as the Policy is considered failed.
	// +optional
	Policy *Policy `json:"policy,omitempty"`
	// Mode controls whether a failing policy will be rejected (not admitted),
	// or if errors are converted to Warnings.
	// enforce - Reject (default)
	// warn - allow but warn
	// +optional
	Mode string `json:"mode,omitempty"`
	// Match allows selecting resources based on their properties.
	// +optional
	Match []MatchResource `json:"match,omitempty"`
}

ClusterImagePolicySpec defines a list of images that should be verified

func (*ClusterImagePolicySpec) ConvertFrom 

func (spec *ClusterImagePolicySpec) ConvertFrom(ctx context.Context, source *v1beta1.ClusterImagePolicySpec) error

func (*ClusterImagePolicySpec) ConvertTo 

func (spec *ClusterImagePolicySpec) ConvertTo(ctx context.Context, sink *v1beta1.ClusterImagePolicySpec) error

func (*ClusterImagePolicySpec) DeepCopy 

func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterImagePolicySpec.

func (*ClusterImagePolicySpec) DeepCopyInto 

func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterImagePolicySpec) SetDefaults 

func (spec *ClusterImagePolicySpec) SetDefaults(ctx context.Context)

func (*ClusterImagePolicySpec) Validate 

func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError)

type ConfigMapReference 

type ConfigMapReference struct {
	// Name is unique within a namespace to reference a configmap resource.
	// +optional
	Name string `json:"name,omitempty"`
	// Namespace defines the space within which the configmap name must be unique.
	// +optional
	Namespace string `json:"namespace,omitempty"`
}

ConfigMapReference is cut&paste from SecretReference, but for the life of me couldn't find one in the public types. If there's one, use it.

func (*ConfigMapReference) DeepCopy 

func (in *ConfigMapReference) DeepCopy() *ConfigMapReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.

func (*ConfigMapReference) DeepCopyInto 

func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Identity 

type Identity struct {
	// Issuer defines the issuer for this identity.
	// +optional
	Issuer string `json:"issuer,omitempty"`
	// Subject defines the subject for this identity.
	// +optional
	Subject string `json:"subject,omitempty"`
	// IssuerRegExp specifies a regular expression to match the issuer for this identity.
	// +optional
	IssuerRegExp string `json:"issuerRegExp,omitempty"`
	// SubjectRegExp specifies a regular expression to match the subject for this identity.
	// +optional
	SubjectRegExp string `json:"subjectRegExp,omitempty"`
}

Identity may contain the issuer and/or the subject found in the transparency log. Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp apply a regexp for matching.

func (*Identity) DeepCopy 

func (in *Identity) DeepCopy() *Identity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Identity.

func (*Identity) DeepCopyInto 

func (in *Identity) DeepCopyInto(out *Identity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Identity) Validate 

func (identity *Identity) Validate(ctx context.Context) *apis.FieldError

type ImagePattern 

type ImagePattern struct {
	// Glob defines a globbing pattern.
	Glob string `json:"glob"`
}

ImagePattern defines a pattern and its associated authorties If multiple patterns match a particular image, then ALL of those authorities must be satisfied for the image to be admitted.

func (*ImagePattern) DeepCopy 

func (in *ImagePattern) DeepCopy() *ImagePattern

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePattern.

func (*ImagePattern) DeepCopyInto 

func (in *ImagePattern) DeepCopyInto(out *ImagePattern)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ImagePattern) Validate 

func (image *ImagePattern) Validate(ctx context.Context) *apis.FieldError

type KeyRef 

type KeyRef struct {
	// SecretRef sets a reference to a secret with the key.
	// +optional
	SecretRef *v1.SecretReference `json:"secretRef,omitempty"`
	// Data contains the inline public key
	// +optional
	Data string `json:"data,omitempty"`
	// KMS contains the KMS url of the public key
	// Supported formats differ based on the KMS system used.
	// +optional
	KMS string `json:"kms,omitempty"`
	// HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set
	// +optional
	HashAlgorithm string `json:"hashAlgorithm,omitempty"`
}

This references a public verification key stored in a secret in the cosign-system namespace. A KeyRef must specify only one of SecretRef, Data or KMS

func (*KeyRef) ConvertFrom 

func (key *KeyRef) ConvertFrom(ctx context.Context, source *v1beta1.KeyRef)

func (*KeyRef) ConvertTo 

func (key *KeyRef) ConvertTo(ctx context.Context, sink *v1beta1.KeyRef)

func (*KeyRef) DeepCopy 

func (in *KeyRef) DeepCopy() *KeyRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyRef.

func (*KeyRef) DeepCopyInto 

func (in *KeyRef) DeepCopyInto(out *KeyRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KeyRef) Validate 

func (key *KeyRef) Validate(ctx context.Context) *apis.FieldError

type KeylessRef 

type KeylessRef struct {
	// URL defines a url to the keyless instance.
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// Identities sets a list of identities.
	// +optional
	Identities []Identity `json:"identities,omitempty"`
	// CACert sets a reference to CA certificate
	// +optional
	CACert *KeyRef `json:"ca-cert,omitempty"`
}

KeylessRef contains location of the validating certificate and the identities against which to verify. KeylessRef will contain either the URL to the verifying certificate, or it will contain the certificate data inline or in a secret.

func (*KeylessRef) DeepCopy 

func (in *KeylessRef) DeepCopy() *KeylessRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessRef.

func (*KeylessRef) DeepCopyInto 

func (in *KeylessRef) DeepCopyInto(out *KeylessRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*KeylessRef) Validate 

func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError

type MatchResource added in v0.4.0 

type MatchResource struct {
	// +optional
	metav1.GroupVersionResource `json:",inline"`
	// +optional
	ResourceSelector *metav1.LabelSelector `json:"selector,omitempty"`
}

MatchResource allows selecting resources based on its version, group and resource. It is also possible to select resources based on a list of matching labels.

func (*MatchResource) ConvertFrom added in v0.4.0 

func (matchResource *MatchResource) ConvertFrom(ctx context.Context, source *v1beta1.MatchResource) error

func (*MatchResource) ConvertTo added in v0.4.0 

func (matchResource *MatchResource) ConvertTo(ctx context.Context, sink *v1beta1.MatchResource) error

func (*MatchResource) DeepCopy added in v0.4.0 

func (in *MatchResource) DeepCopy() *MatchResource

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResource.

func (*MatchResource) DeepCopyInto added in v0.4.0 

func (in *MatchResource) DeepCopyInto(out *MatchResource)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*MatchResource) Validate added in v0.4.0 

func (matchResource *MatchResource) Validate(ctx context.Context) *apis.FieldError

type Policy 

type Policy struct {
	// Which kind of policy this is, currently only rego or cue are supported.
	// Furthermore, only cue is tested :)
	Type string `json:"type"`
	// Data contains the policy definition.
	// +optional
	Data string `json:"data,omitempty"`
	// URL to the policy data.
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// ConfigMapRef defines the reference to a configMap with the policy definition.
	// +optional
	ConfigMapRef *ConfigMapReference `json:"configMapRef,omitempty"`
	// FetchConfigFile controls whether ConfigFile will be fetched and made
	// available for CIP level policy evaluation. Note that this only gets
	// evaluated (and hence fetched) iff at least one authority matches.
	// The ConfigFile will then be available in this format:
	// https://github.com/opencontainers/image-spec/blob/main/config.md
	// +optional
	FetchConfigFile *bool `json:"fetchConfigFile,omitempty"`
	// IncludeSpec controls whether resource `Spec` will be included and
	// made available for CIP level policy evaluation. Note that this only gets
	// evaluated iff at least one authority matches.
	// Also note that because Spec may be of a different shape depending
	// on the resource being evaluatied (see MatchResource for filtering)
	// you might want to configure these to match the policy file to ensure
	// the shape of the Spec is what you expect when evaling the policy.
	// +optional
	IncludeSpec *bool `json:"includeSpec,omitempty"`
	// IncludeObjectMeta controls whether the ObjectMeta will be included and
	// made available for CIP level policy evalutation. Note that this only gets
	// evaluated iff at least one authority matches.
	// +optional
	IncludeObjectMeta *bool `json:"includeObjectMeta,omitempty"`
}

Policy specifies a policy to use for Attestation or the CIP validation (iff at least one authority matches). Exactly one of Data, URL, or ConfigMapReference must be specified.

func (*Policy) ConvertFrom added in v0.5.0 

func (p *Policy) ConvertFrom(ctx context.Context, source *v1beta1.Policy)

func (*Policy) ConvertTo added in v0.5.0 

func (p *Policy) ConvertTo(ctx context.Context, sink *v1beta1.Policy)

func (*Policy) DeepCopy 

func (in *Policy) DeepCopy() *Policy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.

func (*Policy) DeepCopyInto 

func (in *Policy) DeepCopyInto(out *Policy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Policy) Validate 

func (p *Policy) Validate(ctx context.Context) *apis.FieldError

type Source 

type Source struct {
	// OCI defines the registry from where to pull the signatures.
	// +optional
	OCI string `json:"oci,omitempty"`
	// SignaturePullSecrets is an optional list of references to secrets in the
	// same namespace as the deploying resource for pulling any of the signatures
	// used by this Source.
	// +optional
	SignaturePullSecrets []v1.LocalObjectReference `json:"signaturePullSecrets,omitempty"`
}

Source specifies the location of the signature

func (*Source) DeepCopy 

func (in *Source) DeepCopy() *Source

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source.

func (*Source) DeepCopyInto 

func (in *Source) DeepCopyInto(out *Source)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Source) Validate 

func (source *Source) Validate(ctx context.Context) *apis.FieldError

type StaticRef 

type StaticRef struct {
	// Action defines how to handle a matching policy.
	Action string `json:"action"`
}

StaticRef specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.

func (*StaticRef) DeepCopy 

func (in *StaticRef) DeepCopy() *StaticRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticRef.

func (*StaticRef) DeepCopyInto 

func (in *StaticRef) DeepCopyInto(out *StaticRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*StaticRef) Validate 

func (s *StaticRef) Validate(ctx context.Context) *apis.FieldError

type TLog 

type TLog struct {
	// URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)
	// +optional
	URL *apis.URL `json:"url,omitempty"`
}

TLog specifies the URL to a transparency log that holds the signature and public key information

func (*TLog) DeepCopy 

func (in *TLog) DeepCopy() *TLog

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLog.

func (*TLog) DeepCopyInto 

func (in *TLog) DeepCopyInto(out *TLog)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.