# ImageVerificationConfig

website/content/v1.13/reference/configuration/security/imageverificationconfig.md

<!-- markdownlint-disable -->

{{< highlight yaml >}}
apiVersion: v1alpha1
kind: ImageVerificationConfig
# List of verification rules.
rules:
- image: registry.k8s.io/* # Image reference pattern to match for this rule.
  # Keyless verifier configuration to use for this rule.
  keyless:
    issuer: https://accounts.google.com # OIDC issuer URL for keyless verification.
    subject: [email protected] # Expected subject for keyless verification.

    # # Regex pattern for subject matching.
    # subjectRegex: .*@example\.com
- image: my-registry/* # Image reference pattern to match for this rule.
  # Public key verifier configuration to use for this rule.
  publicKey:
    certificate: |- # A public certificate in PEM format accepted for image signature verification.
        -----BEGIN CERTIFICATE-----
        MII--Sample Value--
        -----END CERTIFICATE-----
- image: localhost:3000/* # Image reference pattern to match for this rule.
  deny: true # Deny pulling images matching the pattern (default: false).
{{< /highlight >}}

| Field | Type | Description | Value(s) |
|-------|------|-------------|----------|
| rules | <a href="#ImageVerificationConfig.rules.">[]ImageVerificationRuleV1Alpha1</a> | List of verification rules.<br />Rules are evaluated in order; the first matching rule applies. | |

## rules[] {#ImageVerificationConfig.rules.}

ImageVerificationRuleV1Alpha1 defines a verification rule.

| Field | Type | Description | Value(s) |
|-------|------|-------------|----------|
| image | string | Image reference pattern to match for this rule.<br />Supports glob patterns. <details><summary>Show example(s)</summary>{{< highlight yaml >}}image: docker.io/library/nginx{{< /highlight >}}{{< highlight yaml >}}image: registry.k8s.io/*{{< /highlight >}}</details> | |
| skip | bool | Skip verification for this image pattern (default: false). | |
| deny | bool | Deny pulling images matching the pattern (default: false). | |
| keyless | <a href="#ImageVerificationConfig.rules..keyless">ImageKeylessVerifierV1Alpha1</a> | Keyless verifier configuration to use for this rule. | |
| publicKey | <a href="#ImageVerificationConfig.rules..publicKey">ImagePublicKeyVerifierV1Alpha1</a> | Public key verifier configuration to use for this rule. | |
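Because rules are evaluated in order and the first glob match wins, a broad `skip` or `*` rule placed early silently shadows every rule after it. The following is an added Python helper, not Talos code, that resolves an image reference against a rule list and reports rules that can never fire; it assumes `*` matches any characters including `/`, and the rule list is a constructed copy of the sample above.

```python
import fnmatch

# Constructed sample: the page's three rules as Python dicts (signer e-mail and PEM body are placeholders).
RULES = [
    {"image": "registry.k8s.io/*",
     "keyless": {"issuer": "https://accounts.google.com", "subject": "signer@example.com"}},
    {"image": "my-registry/*",
     "publicKey": {"certificate": "-----BEGIN CERTIFICATE-----\nMII--Sample Value--\n-----END CERTIFICATE-----"}},
    {"image": "localhost:3000/*", "deny": True},
]

def image_matches(pattern: str, ref: str) -> bool:
    """Glob match of an image reference. Assumption: '*' spans any characters, '/' included."""
    return fnmatch.fnmatchcase(ref, pattern)

def first_matching_rule(rules: list, ref: str):
    """Return (index, rule) for the first rule whose pattern matches ref, or None if nothing matches."""
    for i, rule in enumerate(rules):
        if image_matches(rule["image"], ref):
            return i, rule
    return None

def decision(rules: list, ref: str) -> str:
    """Outcome of the first matching rule: deny, skip, keyless, publicKey, or no-rule."""
    hit = first_matching_rule(rules, ref)
    if hit is None:
        return "no-rule"  # the page states no default for unmatched images, so report it rather than guess
    rule = hit[1]
    if rule.get("deny"):  # deny refuses the pull outright; skip bypasses verification entirely
        return "deny"
    if rule.get("skip"):
        return "skip"
    return "keyless" if "keyless" in rule else "publicKey" if "publicKey" in rule else "no-verifier"

def shadowed_rules(rules: list) -> list:
    """Indices of rules that can never fire because an earlier pattern covers everything they match.
    Test: does the earlier glob match the later pattern's text? Sound (if conservative) for '*'-only globs."""
    unreachable = []
    for j, later in enumerate(rules):
        if any(image_matches(earlier["image"], later["image"]) for earlier in rules[:j]):
            unreachable.append(j)
    return unreachable

if __name__ == "__main__":
    for ref in ("registry.k8s.io/kube-apiserver:v1.30.0", "localhost:3000/app:dev", "docker.io/library/nginx"):
        print(f"{ref:45} -> {decision(RULES, ref)}")
    misordered = [{"image": "*", "skip": True}] + RULES  # a catch-all skip placed first
    print("unreachable rule indices:", shadowed_rules(misordered))  # [1, 2, 3]
```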

## keyless {#ImageVerificationConfig.rules..keyless}

ImageKeylessVerifierV1Alpha1 configures a signature verification provider using Cosign keyless verification.

| Field | Type | Description | Value(s) |
|-------|------|-------------|----------|
| issuer | string | OIDC issuer URL for keyless verification. <details><summary>Show example(s)</summary>{{< highlight yaml >}}issuer: https://accounts.google.com{{< /highlight >}}{{< highlight yaml >}}issuer: https://token.actions.githubusercontent.com{{< /highlight >}}</details> | |
| subject | string | Expected subject for keyless verification.<br />This is the identity (email, URI) that signed the image. | |
| subjectRegex | string | Regex pattern for subject matching.<br />Use this instead of subject for flexible matching. <details><summary>Show example(s)</summary>{{< highlight yaml >}}subjectRegex: .*@example.com{{< /highlight >}}</details> | |

## publicKey {#ImageVerificationConfig.rules..publicKey}

ImagePublicKeyVerifierV1Alpha1 configures a signature verification provider using a static public key.

| Field | Type | Description | Value(s) |
|-------|------|-------------|----------|
| certificate | string | A public certificate in PEM format accepted for image signature verification. | |