
some question about configuration of ClusterImagePolicy for keyless mode #890

Open
yxxchange opened this issue Jul 11, 2023 · 1 comment
Labels
question Further information is requested

@yxxchange
Question

I have already used cosign to perform a keyless signature on an image, and now I want to apply it to a Kubernetes cluster with policy-controller, but I am confused about the configuration of ClusterImagePolicy.
I can cosign verify the image with [email protected] --certificate-oidc-issuer=https://accounts.example.com. But I am not quite sure which fields to fill in the YAML file of the ClusterImagePolicy in order to make my image pass the validation.

apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: keyless-attestation-sbom-spdxjson
spec:
  images:
  - glob: "**"
  authorities:
  - name: keyless
    keyless:
      url: "https://fulcio.sigstore.dev"
    attestations:
    - name: must-have-spdxjson
      predicateType: https://spdx.dev/Document
      policy:
        type: cue
        data: |
          predicateType: "https://spdx.dev/Document"

This example is quite confusing because I have no idea how the images that can pass the validation are signed. Is the URL in the configuration fixed? I just used cosign sign $IMAGE.

@yangkenneth

@ElonMuskkkkkk you will probably want to use v1beta1 instead of v1alpha1 for the ClusterImagePolicy; within the documentation you should be able to find all the associated fields for each attribute you're looking to include.
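Added example, not from this issue or from the policy-controller project: a v1beta1 ClusterImagePolicy that admits only images carrying a keyless signature from the identity and issuer the question passes to cosign verify. It assumes the image was signed with a plain cosign sign $IMAGE against the public Sigstore instances (the defaults, so the fulcio URL in the quoted example is not arbitrary), that the signer identity is the placeholder shown in the question ("[email protected]") and that the OIDC issuer is https://accounts.example.com. The attestations block from the quoted v1alpha1 example is left out on purpose: it checks for an SPDX attestation, which cosign sign alone does not create (that needs cosign attest), so a signature-only image would fail it.

```yaml
# Added example (not from the issue or the policy-controller project).
# Assumptions: image signed with `cosign sign $IMAGE` against the public
# Sigstore instances; signer identity is the placeholder "[email protected]"
# from the question; OIDC issuer is https://accounts.example.com.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: keyless-signature-example
spec:
  images:
  # "**" matches every image; narrow this to your registry/repository in production.
  - glob: "**"
  authorities:
  - name: keyless
    keyless:
      # Public Fulcio instance, which `cosign sign` uses unless --fulcio-url is set.
      url: https://fulcio.sigstore.dev
      # Pin the certificate subject and issuer. This mirrors
      # --certificate-identity / --certificate-oidc-issuer on `cosign verify`;
      # without it any Fulcio-issued certificate would satisfy the authority.
      # subjectRegExp / issuerRegExp exist for pattern matches.
      identities:
      - issuer: https://accounts.example.com
        subject: "[email protected]"
    # Require the signature to be recorded in the public Rekor log
    # (`cosign sign` uploads there by default).
    ctlog:
      url: https://rekor.sigstore.dev
```

Apply it with kubectl apply -f, then label the namespaces you want enforced with policy.sigstore.dev/include: "true"; policy-controller only evaluates workloads in labelled namespaces. A Pod referencing an image that matches the glob but lacks a signature from that exact subject and issuer is rejected at admission, and the webhook's denial message names the authority that failed, which is the quickest way to tell a wrong subject from a missing signature.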
