{ "description": "The ImageConfig resource is used to configure settings for package images.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "ImageConfigSpec contains the configuration for matching images.", "properties": { "matchImages": { "description": "MatchImages is a list of image matching rules. This ImageConfig will\nmatch an image if any one of these rules is satisfied. In the case where\nmultiple ImageConfigs match an image for a given purpose the one with the\nmost specific match will be used. If multiple rules of equal specificity\nmatch an arbitrary one will be selected.", "items": { "description": "ImageMatch defines a rule for matching image.", "properties": { "prefix": { "description": "Prefix is the prefix that should be matched. When multiple prefix rules\nmatch an image path, the longest one takes precedence.", "type": "string" }, "type": { "default": "Prefix", "description": "Type is the type of match.", "enum": [ "Prefix" ], "type": "string" } }, "required": [ "prefix" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-validations": [ { "message": "matchImages should have at least one element.", "rule": "size(self) > 0" } ] }, "registry": { "description": "Registry is the configuration for the registry.", "properties": { "authentication": { "description": "Authentication is the authentication information for the registry.", "properties": { "pullSecretRef": { "description": "PullSecretRef is a reference to a secret that contains the credentials for\nthe registry.", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "required": [ "pullSecretRef" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "rewriteImage": { "description": "RewriteImage defines how a matched image's path should be rewritten.", "properties": { "prefix": { "description": "Prefix is the prefix that will replace the portion of the image's path\nmatched by the prefix in the ImageMatch. If multiple prefixes matched,\nthe longest one will be replaced.", "type": "string" } }, "required": [ "prefix" ], "type": "object", "additionalProperties": false }, "verification": { "description": "Verification contains the configuration for verifying the image.", "properties": { "cosign": { "description": "Cosign is the configuration for verifying the image using cosign.", "properties": { "authorities": { "description": "Authorities defines the rules for discovering and validating signatures.", "items": { "description": "CosignAuthority defines the rules for discovering and validating signatures.", "properties": { "attestations": { "description": "Attestations is a list of individual attestations for this authority,\nonce the signature for this authority has been verified.", "items": { "description": "Attestation defines the type of attestation to validate and optionally\napply a policy decision to it. Authority block is used to verify the\nspecified attestation types, and if Policy is specified, then it's applied\nonly after the validation of the Attestation signature has been verified.", "properties": { "name": { "description": "Name of the attestation.", "type": "string" }, "predicateType": { "description": "PredicateType defines which predicate type to verify. Matches cosign\nverify-attestation options.", "type": "string" } }, "required": [ "name", "predicateType" ], "type": "object", "additionalProperties": false }, "type": "array" }, "key": { "description": "Key defines the type of key to validate the image.", "properties": { "hashAlgorithm": { "default": "sha256", "description": "HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set", "type": "string" }, "secretRef": { "description": "SecretRef sets a reference to a secret with the key.", "properties": { "key": { "description": "The key to select.", "type": "string" }, "name": { "description": "Name of the secret.", "type": "string" } }, "required": [ "key", "name" ], "type": "object", "additionalProperties": false } }, "required": [ "hashAlgorithm", "secretRef" ], "type": "object", "additionalProperties": false }, "keyless": { "description": "Keyless sets the configuration to verify the authority against a Fulcio\ninstance.", "properties": { "identities": { "description": "Identities sets a list of identities.", "items": { "description": "Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.", "properties": { "issuer": { "description": "Issuer defines the issuer for this identity.", "type": "string" }, "issuerRegExp": { "description": "IssuerRegExp specifies a regular expression to match the issuer for this identity.\nThis has precedence over the Issuer field.", "type": "string" }, "subject": { "description": "Subject defines the subject for this identity.", "type": "string" }, "subjectRegExp": { "description": "SubjectRegExp specifies a regular expression to match the subject for this identity.\nThis has precedence over the Subject field.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "insecureIgnoreSCT": { "description": "InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT", "type": "boolean" } }, "required": [ "identities" ], "type": "object", "additionalProperties": false }, "name": { "description": "Name is the name for this authority.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "authorities" ], "type": "object", "additionalProperties": false }, "provider": { "description": "Provider is the provider that should be used to verify the image.", "enum": [ "Cosign" ], "type": "string" } }, "required": [ "provider" ], "type": "object", "additionalProperties": false } }, "required": [ "matchImages" ], "type": "object", "additionalProperties": false } }, "type": "object" }