feat: image verification policy CRD #70
Conversation
| ) object map[string]interface{} | ||
| ``` | ||
|
|
||
| ### ParseImageReference |
There was a problem hiding this comment.
Can you provide examples of its usage?
| #### VerifyImageSignatures | ||
| ```go | ||
| verifyImageSignatures( | ||
| image string, # must be a valid image, |
There was a problem hiding this comment.
I think if the user wants to use a list, they can do it using CEL's map function
| ```yaml | ||
| verifications: | ||
| - expression: >- | ||
| verifyImageSignatures(images.initContainers[0], attestors.kms) |
There was a problem hiding this comment.
Typically users will want to verify all images in a pod are signed with an attestor and may want to exclude a certain references e.g. docker.io/istio*.
How would they do that?
There was a problem hiding this comment.
they can run the map CEL function on images.all, and define docker.io/istio* in the matchRules. The policy skips all the images that do not match the matchImages block.
All the images in the images.all array, that do not match the glob docker.io/istio* will be skipped
| - expression: >- | ||
| payload(images.initContainers[0], attestations.sbom).builderId == "foo" | ||
| && | ||
| payload(images.initContainers[0], attestations.slsa).version == "0.2" |
There was a problem hiding this comment.
Can you provide a more detailed example? Something similar to:
https://github.com/kyverno/demos/blob/main/image_verification/check_attestations.yaml
Signed-off-by: Vishal Choudhary <[email protected]>
This document proposes the new design for image verification policies.