policy-controller

some question about configuration of ClusterImagePolicy for keyless mode

Open yxxchange opened this issue 1 year ago • 1 comment

Question

I have already used cosign to perform a keyless signature on an image, and now I want to apply it to a Kubernetes cluster with a policy controller, but I am confused about the configuration of ClusterImagePolicy. I can cosign verify the image by [email protected] --certificate-oidc-issuer=https://accounts.example.com. But I am not quite sure which fields to fill in the YAML file of the ClusterImagePolicy in order to make my image pass the validation.

apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: keyless-attestation-sbom-spdxjson
spec:
  images:
  - glob: "**"
  authorities:
  - name: keyless
    keyless:
      url: "https://fulcio.sigstore.dev"
    attestations:
    - name: must-have-spdxjson
      predicateType: https://spdx.dev/Document
      policy:
        type: cue
        data: |
          predicateType: "https://spdx.dev/Document"

This example is quite confusing because I have no idea how the images that can pass the validation are signed. Is the URL in the configuration fixed? I just used cosign sign $IMAGE

yxxchange avatar Jul 11 '23 03:07 yxxchange

@ElonMuskkkkkk you will probably want to use v1beta1 instead of v1alpha1 for the ClusterImagePolicy; within the documentation you should be able to find all the associated fields for each attribute you're looking to include.

yangkenneth avatar Aug 08 '23 21:08 yangkenneth
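For readers landing on this thread with the same question: the two values passed to cosign verify above (the certificate identity and the OIDC issuer) map onto the identities list under the keyless authority of a ClusterImagePolicy. Below is an added example written for this page, not code from the issue or from the policy-controller project. It uses the v1beta1 API the reply points to, the public Sigstore Fulcio URL already shown in the question, and the issuer https://accounts.example.com from the question; the subject email is a placeholder to be replaced with the identity actually used at signing time.

```yaml
# Added example (not from the original issue): ClusterImagePolicy that admits an
# image only if it carries a keyless cosign signature whose Fulcio certificate
# was issued for the given OIDC issuer and subject. Without an identities list,
# any certificate from the Fulcio instance would satisfy the authority, so the
# issuer/subject pair is what actually pins the policy to your signer.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: keyless-signed-by-known-identity
spec:
  # Restrict the glob to the registries/repositories you actually deploy from
  # rather than "**" once the policy is working.
  images:
  - glob: "**"
  authorities:
  - name: keyless
    keyless:
      # Public Sigstore Fulcio CA; the same value the question's example used.
      url: "https://fulcio.sigstore.dev"
      identities:
        # issuer  <-> cosign verify --certificate-oidc-issuer=...
        # subject <-> cosign verify --certificate-identity=...
      - issuer: "https://accounts.example.com"
        subject: "signer@example.com"   # PLACEHOLDER: the email that signed the image
```

The subject must match the identity embedded in the signing certificate exactly (regular-expression variants of both fields exist in the same schema for cases like CI-issued identities that vary per run). When rolling this out, start with the policy in warn mode so that rejected images are logged rather than blocked, confirm that the signed image is admitted and an unsigned copy is flagged, then switch to enforce.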