-
Notifications
You must be signed in to change notification settings - Fork 500
/
config-image-policies.yaml
127 lines (125 loc) · 3.9 KB
/
config-image-policies.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: config-image-policies
namespace: cosign-system
labels:
cosigned.sigstore.dev/release: devel
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
cluster-image-policy-0: |
images:
- glob: rando
authorities:
- name: attestation-0
key:
data: inlinedata here
- name: attestation-1
key:
kms: whatevs
cluster-image-policy-1: |
images:
- glob: randomstuff*
authorities:
- name: attestation-0
key:
data: otherinline here
cluster-image-policy-2: |
images:
- glob: rando3
authorities:
- name: attestation-0
keyless:
ca-cert:
data: cacert chilling here
url: http://keylessurl.here
identities:
- issuer: issuer
subject: subject
cluster-image-policy-3: |
images:
- glob: inlinecert
authorities:
- name: attestation-0
key:
data: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J
RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
-----END PUBLIC KEY-----
cluster-image-policy-4: |
images:
- regex: .*regexstring.*
authorities:
- name: attestation-0
key:
data: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J
RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
-----END PUBLIC KEY-----
cluster-image-policy-5: |
images:
- regex: .*regexstringtoo.*
authorities:
- name: attestation-0
key:
data: inlinedata here
cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"
cluster-image-policy-with-policy-attestations: |
images:
- glob: withattestations
authorities:
- name: attestation-0
keyless:
ca-cert:
data: cacert chilling here
url: http://keylessurl.here
identities:
- issuer: issuer
subject: subject
attestations:
- predicateType: vuln
type: cue
data: "test-cue-here"
policy:
type: cue
data: "cip level cue here"
cluster-image-policy-source-oci: |
images:
- regex: .*sourceocionly.*
authorities:
- name: attestation-0
key:
data: inlinedata here
source:
- oci: "example.registry.com/alternative/signature"
cluster-image-policy-source-oci-signature-pull-secrets: |
images:
- regex: .*sourceocisignaturepullsecrets.*
authorities:
- name: attestation-0
key:
data: inlinedata here
source:
- oci: "example.registry.com/alternative/signature"
signaturePullSecrets:
- name: examplePullSecret