clusterimagepolicy

package
v0.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 20, 2023 License: Apache-2.0 Imports: 17 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AttestationPolicy

type AttestationPolicy struct {
	// Name of the Attestation
	Name string `json:"name"`
	// PredicateType to attest, one of the accepted in verify-attestation
	PredicateType string `json:"predicateType"`
	// Type specifies how to evaluate policy, only rego/cue are understood.
	Type string `json:"type,omitempty"`
	// Data is the inlined version of the Policy used to evaluate the
	// Attestation.
	Data string `json:"data,omitempty"`
	// FetchConfigFile controls whether ConfigFile will be fetched and made
	// available for CIP level policy evaluation. Note that this only gets
	// evaluated (and hence fetched) iff at least one authority matches.
	// The ConfigFile will then be available in this format:
	// https://github.com/opencontainers/image-spec/blob/main/config.md
	FetchConfigFile *bool `json:"fetchConfigFile,omitempty"`
	// IncludeSpec controls whether resource `Spec` will be included and
	// made available for CIP level policy evaluation. Note that this only gets
	// evaluated iff at least one authority matches.
	IncludeSpec *bool `json:"includeSpec,omitempty"`
	// IncludeObjectMeta controls whether the ObjectMeta will be included and
	// made available for CIP level policy evalutation. Note that this only gets
	// evaluated iff at least one authority matches.
	// +optional
	IncludeObjectMeta *bool `json:"includeObjectMeta,omitempty"`
	// IncludeTypeMeta controls whether the TypeMeta will be included and
	// made available for CIP level policy evalutation. Note that this only gets
	// evaluated iff at least one authority matches.
	// +optional
	IncludeTypeMeta *bool `json:"includeTypeMeta,omitempty"`
}

type Authority

type Authority struct {
	// Name is the name for this authority. Used by the CIP Policy
	// validator to be able to reference matching signature or attestation
	// verifications.
	Name string `json:"name"`
	// +optional
	Key *KeyRef `json:"key,omitempty"`
	// +optional
	Keyless *KeylessRef `json:"keyless,omitempty"`
	// +optional
	Static *StaticRef `json:"static,omitempty"`
	// +optional
	Sources []v1alpha1.Source `json:"source,omitempty"`
	// +optional
	CTLog *v1alpha1.TLog `json:"ctlog,omitempty"`
	// RemoteOpts are not marshalled because they are an unsupported type
	// RemoteOpts will be populated by the Authority UnmarshalJSON override
	// +optional
	RemoteOpts []ociremote.Option `json:"-"`
	// +optional
	Attestations []AttestationPolicy `json:"attestations,omitempty"`
	// +optional
	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
}

func (*Authority) SourceSignaturePullSecretsOpts

func (a *Authority) SourceSignaturePullSecretsOpts(ctx context.Context, namespace string) ([]ociremote.Option, error)

SourceSignaturePullSecretsOpts creates the signaturePullSecrets remoteOpts This is not stored in the Authority under RemoteOpts as the namespace can be different

func (*Authority) UnmarshalJSON

func (a *Authority) UnmarshalJSON(data []byte) error

UnmarshalJSON populates the authority with the remoteOpts from authority sources

type ClusterImagePolicy

type ClusterImagePolicy struct {
	// UID of the CIP so we can tell if they've been deleted/recreated
	UID types.UID `json:"uid,inline"`
	// ResourceVersion can be used to know if the CIP has been modified
	ResourceVersion string `json:"resourceVersion"`

	Images      []v1alpha1.ImagePattern `json:"images"`
	Authorities []Authority             `json:"authorities"`
	// Policy is an optional policy used to evaluate the results of valid
	// Authorities. Will not get evaluated unless at least one Authority
	// succeeds.
	Policy *AttestationPolicy `json:"policy,omitempty"`
	// Mode controls whether a failing policy will be rejected (not admitted),
	// or if errors are converted to Warnings.
	// enforce - Reject (default)
	// warn - allow but warn
	// +optional
	Mode string `json:"mode,omitempty"`
	// Match allows selecting resources based on their properties.
	Match []v1alpha1.MatchResource `json:"match,omitempty"`
}

ClusterImagePolicy defines the images that go through verification and the authorities used for verification. This is the internal representation of the external v1alpha1.ClusterImagePolicy. KeyRef does not store secretRefs in internal representation. KeyRef does store parsed publicKeys from Data in internal representation.

func ConvertClusterImagePolicyV1alpha1ToWebhook

func ConvertClusterImagePolicyV1alpha1ToWebhook(in *v1alpha1.ClusterImagePolicy) *ClusterImagePolicy

type KeyRef

type KeyRef struct {
	// Data contains the inline public key
	// +optional
	Data string `json:"data,omitempty"`
	// HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set
	// +optional
	HashAlgorithm string `json:"hashAlgorithm,omitempty"`
	// HashAlgorithmCode sets the crypto.Hash code based on the value of HashAlgorithm.
	// HashAlgorithmCode is not marshalled, but we use the calculated crypto.Hash in the validations
	// +optional
	HashAlgorithmCode crypto.Hash `json:"-"`
	// PublicKeys are not marshalled because JSON unmarshalling
	// errors for *big.Int
	// +optional
	PublicKeys []crypto.PublicKey `json:"-"`
}

This references a public verification key stored in a secret in the cosign-system namespace.

func (*KeyRef) UnmarshalJSON

func (k *KeyRef) UnmarshalJSON(data []byte) error

UnmarshalJSON populates the PublicKeys using Data because JSON unmashalling errors for *big.Int

type KeylessRef

type KeylessRef struct {
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// +optional
	Identities []v1alpha1.Identity `json:"identities,omitempty"`
	// +optional
	CACert *KeyRef `json:"ca-cert,omitempty"`
	// Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
	// InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT
	// +optional
	InsecureIgnoreSCT *bool `json:"insecureIgnoreSCT,omitempty"`
}

type RFC3161Timestamp added in v0.6.0

type RFC3161Timestamp struct {
	// Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
}

RFC3161Timestamp specifies the URL to a RFC3161 time-stamping server that holds the time-stamped verification for the signature

type StaticRef

type StaticRef struct {
	Action  string `json:"action"`
	Message string `json:"message,omitempty"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL