Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type ContainerHelper ¶ added in v1.4.0
type ExperimentalK8SConfig ¶ added in v1.6.0
// ExperimentalK8SConfig groups the experimental, opt-in parts of the plugin
// configuration. It is reached through HCLConfig.Experimental, so everything
// here is absent unless the operator writes an `experimental` block.
type ExperimentalK8SConfig struct {
	// Sigstore contains sigstore specific configs. Left nil when the block is
	// omitted; see SigstoreHCLConfig for the individual knobs and the
	// verification-bypass options it exposes.
	Sigstore *SigstoreHCLConfig `hcl:"sigstore,omitempty"`
}
type HCLConfig ¶
// HCLConfig holds the configuration parsed from HCL for the Kubernetes
// workload attestor. Several fields relax how the kubelet connection is
// authenticated (SkipKubeletVerification, UseAnonymousAuthentication); the
// comments below say what each one gives up so the trade-off is visible at
// configuration time.
type HCLConfig struct {
	// KubeletReadOnlyPort defines the read only port for the kubelet
	// (typically 10255). This option is mutually exclusive with
	// KubeletSecurePort.
	KubeletReadOnlyPort int `hcl:"kubelet_read_only_port"`

	// KubeletSecurePort defines the secure port for the kubelet (typically
	// 10250). This option is mutually exclusive with KubeletReadOnlyPort.
	KubeletSecurePort int `hcl:"kubelet_secure_port"`

	// MaxPollAttempts is the maximum number of polling attempts for the
	// container hosting the workload process.
	MaxPollAttempts int `hcl:"max_poll_attempts"`

	// PollRetryInterval is the time in between polling attempts. Kept as a
	// string here; presumably parsed as a duration in Configure — confirm.
	PollRetryInterval string `hcl:"poll_retry_interval"`

	// KubeletCAPath is the path to the CA certificate for authenticating the
	// kubelet over the secure port. Required when using the secure port unless
	// SkipKubeletVerification is set. Defaults to the cluster trust bundle.
	KubeletCAPath string `hcl:"kubelet_ca_path"`

	// SkipKubeletVerification controls whether or not the plugin will
	// verify the certificate presented by the kubelet. With verification off
	// the plugin has no way to tell a genuine kubelet from an endpoint
	// impersonating it, so the pod/container selectors it derives can no
	// longer be trusted; keep this false outside of test environments.
	SkipKubeletVerification bool `hcl:"skip_kubelet_verification"`

	// TokenPath is the path to the bearer token used to authenticate to the
	// secure port. Defaults to the default service account token path unless
	// PrivateKeyPath and CertificatePath are specified.
	TokenPath string `hcl:"token_path"`

	// CertificatePath is the path to a certificate key used for client
	// authentication with the kubelet. Must be used with PrivateKeyPath.
	CertificatePath string `hcl:"certificate_path"`

	// PrivateKeyPath is the path to a private key used for client
	// authentication with the kubelet. Must be used with CertificatePath.
	PrivateKeyPath string `hcl:"private_key_path"`

	// UseAnonymousAuthentication controls whether or not communication to the
	// kubelet over the secure port is unauthenticated. This option is mutually
	// exclusive with other authentication configuration fields TokenPath,
	// CertificatePath, and PrivateKeyPath. It only works if the kubelet is
	// configured to grant the anonymous user access, which is itself a
	// weakening of the kubelet's authorization posture.
	UseAnonymousAuthentication bool `hcl:"use_anonymous_authentication"`

	// NodeNameEnv is the environment variable used to determine the node name
	// for contacting the kubelet. It defaults to "MY_NODE_NAME". If the
	// environment variable is not set, and NodeName is not specified, the
	// plugin will default to localhost (which requires host networking).
	NodeNameEnv string `hcl:"node_name_env"`

	// NodeName is the node name used when contacting the kubelet. If set, it
	// takes precedence over NodeNameEnv.
	NodeName string `hcl:"node_name"`

	// ReloadInterval controls how often TLS and token configuration is loaded
	// from the disk. String form, like PollRetryInterval; presumably parsed as
	// a duration — confirm.
	ReloadInterval string `hcl:"reload_interval"`

	// DisableContainerSelectors disables the gathering of selectors for the
	// specific container running the workload. This allows attestation to
	// succeed with just pod related selectors when the workload pod is known
	// but the container may not be in a ready state at the time of attestation
	// (e.g. when a postStart hook has yet to complete). Note that any
	// registration entry relying on container-level selectors cannot match
	// while this is set.
	DisableContainerSelectors bool `hcl:"disable_container_selectors"`

	// UseNewContainerLocator, if true, uses the new container locator
	// mechanism instead of the legacy cgroup matchers. Defaults to false if
	// unset. This will default to true in a future release. A pointer so that
	// "unset" can be told apart from an explicit false.
	UseNewContainerLocator *bool `hcl:"use_new_container_locator"`

	// VerboseContainerLocatorLogs, if true, dumps extra information to the log
	// about mountinfo and cgroup information used to locate the container.
	VerboseContainerLocatorLogs bool `hcl:"verbose_container_locator_logs"`

	// Experimental enables experimental features. Nil when the block is
	// omitted from the configuration.
	Experimental *ExperimentalK8SConfig `hcl:"experimental,omitempty"`
}
HCLConfig holds the configuration parsed from HCL
type Plugin ¶
// Plugin is the Kubernetes workload attestor plugin. It embeds the Unsafe*
// server types so it satisfies the WorkloadAttestor and Config service
// interfaces; the embedded "Unsafe" variants mean newly added service
// methods are not forward-compatibly stubbed, so the plugin must implement
// every method the services define.
type Plugin struct {
	workloadattestorv1.UnsafeWorkloadAttestorServer
	configv1.UnsafeConfigServer
	// contains filtered or unexported fields
}
func (*Plugin) Attest ¶
func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error)
func (*Plugin) Configure ¶
func (p *Plugin) Configure(_ context.Context, req *configv1.ConfigureRequest) (resp *configv1.ConfigureResponse, err error)
type SigstoreHCLConfig ¶ added in v1.6.0
// SigstoreHCLConfig holds the sigstore configuration parsed from HCL. Two of
// its fields (EnforceSCT and SkippedImages) reduce what is verified about a
// container image; both should be reviewed as trust decisions rather than
// tuning knobs.
type SigstoreHCLConfig struct {
	// EnforceSCT is the parameter to be set as false in case of a private
	// deployment not using the public CT. A pointer so that "unset" is
	// distinguishable from an explicit false.
	// NOTE(review): the tag below has a space before "omitempty", unlike the
	// rekor_url tag; the key name is unaffected, but confirm the HCL decoder
	// recognises the option with the leading space.
	EnforceSCT *bool `hcl:"enforce_sct, omitempty"`

	// RekorURL is the URL for the rekor server to use to verify signatures and
	// public keys. Nil when not configured.
	RekorURL *string `hcl:"rekor_url,omitempty"`

	// SkippedImages is a list of images that should skip sigstore
	// verification. Every entry is an image that is attested without any
	// signature check, so the list widens the trust boundary and should be
	// kept as short as possible.
	SkippedImages []string `hcl:"skip_signature_verification_image_list"`

	// AllowedSubjects is a list of subjects that should be allowed after
	// verification. What the map key and the listed values denote is not
	// shown here; confirm against the verifier that consumes it.
	AllowedSubjects map[string][]string `hcl:"allowed_subjects_list"`
}
SigstoreHCLConfig holds the sigstore configuration parsed from HCL