type AttestationPolicy ¶
// AttestationPolicy describes one attestation that must be present on an
// image and, optionally, an inline policy (rego or cue) that is evaluated
// against it. It is also the type used for the CIP level Policy.
type AttestationPolicy struct {
	// Name of the Attestation
	Name string `json:"name"`
	// PredicateType to attest, one of the accepted in verify-attestation
	PredicateType string `json:"predicateType"`
	// Type specifies how to evaluate policy, only rego/cue are understood.
	Type string `json:"type,omitempty"`
	// Data is the inlined version of the Policy used to evaluate the
	// Attestation.
	// NOTE(review): Data is policy source that the controller evaluates, so
	// it is part of the trust configuration; changes to it deserve the same
	// review as changes to keys.
	Data string `json:"data,omitempty"`
	// FetchConfigFile controls whether ConfigFile will be fetched and made
	// available for CIP level policy evaluation. Note that this only gets
	// evaluated (and hence fetched) iff at least one authority matches.
	// The ConfigFile will then be available in this format:
	// https://github.com/opencontainers/image-spec/blob/main/config.md
	FetchConfigFile *bool `json:"fetchConfigFile,omitempty"`
	// IncludeSpec controls whether resource `Spec` will be included and
	// made available for CIP level policy evaluation. Note that this only gets
	// evaluated iff at least one authority matches.
	IncludeSpec *bool `json:"includeSpec,omitempty"`
	// IncludeObjectMeta controls whether the ObjectMeta will be included and
	// made available for CIP level policy evaluation. Note that this only gets
	// evaluated iff at least one authority matches.
	// +optional
	IncludeObjectMeta *bool `json:"includeObjectMeta,omitempty"`
	// IncludeTypeMeta controls whether the TypeMeta will be included and
	// made available for CIP level policy evaluation. Note that this only gets
	// evaluated iff at least one authority matches.
	// +optional
	IncludeTypeMeta *bool `json:"includeTypeMeta,omitempty"`
}
type Authority ¶
// Authority is one way an image may be verified: a Key, Keyless or Static
// verifier together with the signature Sources, transparency log,
// attestation requirements and timestamp settings used with it. It is the
// internal (webhook) representation of the v1alpha1 authority.
type Authority struct {
	// Name is the name for this authority. Used by the CIP Policy
	// validator to be able to reference matching signature or attestation
	// verifications.
	Name string `json:"name"`
	// +optional
	Key *KeyRef `json:"key,omitempty"`
	// +optional
	Keyless *KeylessRef `json:"keyless,omitempty"`
	// +optional
	Static *StaticRef `json:"static,omitempty"`
	// +optional
	Sources []v1alpha1.Source `json:"source,omitempty"`
	// +optional
	CTLog *v1alpha1.TLog `json:"ctlog,omitempty"`
	// RemoteOpts are not marshalled because they are an unsupported type.
	// RemoteOpts will be populated by the Authority UnmarshalJSON override
	// from the authority Sources; signature pull secrets are deliberately
	// not stored here (see SourceSignaturePullSecretsOpts) because the
	// namespace can differ per request.
	// +optional
	RemoteOpts []ociremote.Option `json:"-"`
	// +optional
	Attestations []AttestationPolicy `json:"attestations,omitempty"`
	// +optional
	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
	// +optional
	SignatureFormat string `json:"signatureFormat,omitempty"`
}
func (*Authority) SourceSignaturePullSecretsOpts ¶
func (a *Authority) SourceSignaturePullSecretsOpts(ctx context.Context, namespace string) ([]ociremote.Option, error)
SourceSignaturePullSecretsOpts creates the signaturePullSecrets remoteOpts. These are not stored in the Authority under RemoteOpts because the namespace can be different.
func (*Authority) UnmarshalJSON ¶
UnmarshalJSON populates the authority with the remoteOpts from authority sources
type ClusterImagePolicy ¶
// ClusterImagePolicy defines the images that go through verification and
// the authorities used for verification. This is the internal
// representation of the external v1alpha1.ClusterImagePolicy; unlike the
// external type, KeyRef holds parsed public keys rather than secret
// references.
type ClusterImagePolicy struct {
	// UID of the CIP so we can tell if they've been deleted/recreated
	// NOTE(review): `inline` is not an encoding/json tag option; the
	// standard library ignores unknown options, so this still marshals as
	// the plain "uid" key.
	UID types.UID `json:"uid,inline"`
	// ResourceVersion can be used to know if the CIP has been modified
	ResourceVersion string `json:"resourceVersion"`
	// Images lists the image patterns this policy applies to.
	Images []v1alpha1.ImagePattern `json:"images"`
	// Authorities are the verifiers tried against a matching image.
	Authorities []Authority `json:"authorities"`
	// Policy is an optional policy used to evaluate the results of valid
	// Authorities. Will not get evaluated unless at least one Authority
	// succeeds.
	Policy *AttestationPolicy `json:"policy,omitempty"`
	// Mode controls whether a failing policy will be rejected (not admitted),
	// or if errors are converted to Warnings.
	// enforce - Reject (default)
	// warn - allow but warn
	// NOTE(review): in warn mode a failing policy still admits the resource,
	// so warnings should be surfaced and monitored rather than treated as
	// enforcement.
	// +optional
	Mode string `json:"mode,omitempty"`
	// Match allows selecting resources based on their properties.
	Match []v1alpha1.MatchResource `json:"match,omitempty"`
}
ClusterImagePolicy defines the images that go through verification and the authorities used for verification. This is the internal representation of the external v1alpha1.ClusterImagePolicy. KeyRef does not store secretRefs in internal representation. KeyRef does store parsed publicKeys from Data in internal representation.
func ConvertClusterImagePolicyV1alpha1ToWebhook ¶
func ConvertClusterImagePolicyV1alpha1ToWebhook(in *v1alpha1.ClusterImagePolicy) *ClusterImagePolicy
type KeyRef ¶
// KeyRef references a public verification key. In this internal
// representation the key material is carried inline in Data and the parsed
// keys live in PublicKeys; secret references are not stored here.
type KeyRef struct {
	// Data contains the inline public key
	// +optional
	Data string `json:"data,omitempty"`
	// HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set
	// +optional
	HashAlgorithm string `json:"hashAlgorithm,omitempty"`
	// HashAlgorithmCode sets the crypto.Hash code based on the value of HashAlgorithm.
	// HashAlgorithmCode is not marshalled, but we use the calculated crypto.Hash in the validations
	// +optional
	HashAlgorithmCode crypto.Hash `json:"-"`
	// PublicKeys are not marshalled because JSON unmarshalling
	// errors for *big.Int. They are populated from Data by the KeyRef
	// UnmarshalJSON override.
	// +optional
	PublicKeys []crypto.PublicKey `json:"-"`
}
KeyRef references a public verification key stored in a secret in the cosign-system namespace.
func (*KeyRef) UnmarshalJSON ¶
UnmarshalJSON populates the PublicKeys using Data because JSON unmarshalling errors for *big.Int.
type KeylessRef ¶
// KeylessRef configures keyless (certificate based) verification: the
// service URL, the identities accepted, and either an inline CA cert or a
// TrustRoot reference supplying the certificate chain and CT log.
type KeylessRef struct {
	// +optional
	URL *apis.URL `json:"url,omitempty"`
	// +optional
	Identities []v1alpha1.Identity `json:"identities,omitempty"`
	// +optional
	CACert *KeyRef `json:"ca-cert,omitempty"`
	// Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
	// InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT.
	// NOTE(review): when true, a certificate is accepted without the
	// embedded-SCT check, which removes the transparency-log evidence for it;
	// leave it unset unless the certificate authority in use has no CT log.
	// +optional
	InsecureIgnoreSCT *bool `json:"insecureIgnoreSCT,omitempty"`
}
type RFC3161Timestamp ¶ added in v0.6.0
// RFC3161Timestamp configures verification of an RFC 3161 time-stamp on the
// signature. NOTE(review): the package doc describes this as a time-stamping
// server URL, but the only field is a TrustRoot reference — presumably the
// time-stamp authority chain comes from that TrustRoot; confirm against the
// verifier.
type RFC3161Timestamp struct {
	// Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
	// +optional
	TrustRootRef string `json:"trustRootRef,omitempty"`
}
RFC3161Timestamp specifies the URL of an RFC 3161 time-stamping server that holds the time-stamped verification for the signature.