Commit

Merge pull request #59 from kubewarden/update-questions
Tag 0.2.2
flavio authored Feb 21, 2023
2 parents bf2c725 + 87c3619 commit beb9b09
Showing 4 changed files with 312 additions and 98 deletions.
2 changes: 1 addition & 1 deletion Cargo.lock


2 changes: 1 addition & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[package]
name = "verify-image-signatures"
version = "0.2.1"
version = "0.2.2"
authors = ["raulcabello <[email protected]>","viccuad <[email protected]>"]
edition = "2018"

207 changes: 157 additions & 50 deletions artifacthub-pkg.yml
Original file line number Diff line number Diff line change
@@ -1,23 +1,23 @@
---
version: 0.2.1
version: 0.2.2
name: verify-image-signatures
displayName: Verify Image Signatures
createdAt: '2023-01-19T14:46:21+02:00'
createdAt: '2023-02-17T16:14:24+00:00'
description: A Kubewarden Policy that verifies all the signatures of the container
images referenced by a Pod
license: Apache-2.0
homeURL: https://github.com/kubewarden/verify-image-signatures
containersImages:
- name: policy
image: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.1
image: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.2
keywords:
- pod
- signature
- sigstore
- trusted
links:
- name: policy
url: https://github.com/kubewarden/verify-image-signatures/releases/download/v0.2.1/policy.wasm
url: https://github.com/kubewarden/verify-image-signatures/releases/download/v0.2.2/policy.wasm
- name: source
url: https://github.com/kubewarden/verify-image-signatures
provider:
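Review bot: the bumped artifact references on the `image:` and first `url:` lines are tag-only (`:v0.2.2` and `.../releases/download/v0.2.2/policy.wasm`); for a policy whose purpose is signature verification it would be worth documenting, in the README or the `links:` section, how consumers verify the released `policy.wasm` and container image themselves (digest or signature), since a tag can be moved. Otherwise the four bumps (`version`, `createdAt`, image tag, release URL) are consistent with each other and with the `version = "0.2.2"` change in Cargo.toml.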
@@ -48,7 +48,18 @@ annotations:
hide_input: true
type: string
variable: description
- default: PublicKey
- default: true
tooltip: >-
This policy also mutates matching images to add the image digest, therefore
the version of the deployed image can't change. This mutation can be
disabled by setting modifyImagesWithDigest to false.
group: Settings
label: modifyImagesWithDigest
required: false
title: Modify images with digest
type: boolean
variable: modifyImagesWithDigest
- default: GithubAction
description: >-
The policy takes a list of signatures. A signature can be of two types:
public key or keyless. Each signature has an image field which will be used
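Review bot: the `default:` of the Signature Type question changes from `PublicKey` to `GithubAction` in this hunk, which changes what the form pre-selects for every new install and is not mentioned in the commit message ("Tag 0.2.2"); if the new default is intended, say so in the PR description, otherwise keep `PublicKey`. The added `modifyImagesWithDigest` question reads well; `required: false` on a boolean that already has `default: true` is redundant and can be dropped.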
@@ -58,86 +69,182 @@ annotations:
group: Settings
label: Signature Type
options:
- PublicKey
- GithubAction
- KeylessPrefix
- Keyless
- PublicKey
- Certificate
required: false
type: enum
variable: rule
- default: []
description: ''
group: Settings
label: Public key signature
show_if: rule=PublicKey
hide_input: true
type: map[
description: >-
Github action will verify that all images were signed for a GitHub action by the owner and repo properties
label: Github Actions signature
show_if: rule=GithubAction
type: sequence[
variable: signatures
subquestions:
sequence_questions:
- default: ''
group: Settings
label: Image
show_if: rule=PublicKey
show_if: rule=GithubAction
type: string
variable: signatures.image
- default: [""]
required: true
variable: image
- default: {}
label: Github Actions
show_if: rule=GithubAction
hide_input: true
type: map[
variable: githubActions
subquestions:
- default: ''
group: Settings
label: Owner
show_if: rule=GithubAction
type: string
required: true
variable: githubActions.owner
- default: ''
group: Settings
label: Repo
show_if: rule=GithubAction
type: string
variable: githubActions.repo
- default: []
description: >-
Keyless subject prefix. It will verify that the issuer and that the urlPrefix is sanitized to prevent typosquatting.
label: Keyless Subject Prefix
show_if: rule=KeylessPrefix
type: sequence[
variable: signatures
sequence_questions:
- default: ''
group: Settings
label: Public keys
show_if: rule=PublicKey
type: array[
variable: signatures.pubKeys
label: Image
show_if: rule=KeylessPrefix
type: string
required: true
variable: image
- default: []
group: Settings
label: Annotations
show_if: rule=PublicKey
type: map[
variable: signatures.annotations
label: Keyless Prefix
show_if: rule=KeylessPrefix
hide_input: true
type: sequence[
variable: keylessPrefix
sequence_questions:
- default: ''
group: Settings
label: Issuer
show_if: rule=KeylessPrefix
type: string
required: true
variable: issuer
- default: ''
group: Settings
label: URL Prefix
show_if: rule=KeylessPrefix
type: string
variable: urlPrefix
- default: []
group: Settings
label: Keyless signature
description: >-
It will verify that the issuer and the subject are an exact match. It will not modify the image with the digest.
label: Keyless Exact Match
show_if: rule=Keyless
hide_input: true
type: map[
type: sequence[
variable: signatures
subquestions:
sequence_questions:
- default: ''
group: Settings
label: Image
show_if: rule=Keyless
type: string
variable: signatures.image
required: true
variable: image
- default: []
group: Settings
label: Keyless
hide_input: true
show_if: rule=Keyless
type: map[
variable: signatures.keyless
subquestions:
hide_input: true
type: sequence[
variable: keyless
sequence_questions:
- default: ''
group: Settings
label: Issuer
show_if: rule=Keyless
type: string
variable: signatures.keyless.issuer
required: true
variable: issuer
- default: ''
group: Settings
label: Subject
show_if: rule=Keyless
type: string
variable: signatures.keyless.subject
variable: subject
- default: []
description: >-
It will verify that all images are signed with the supplied public keys, and contains the annotation if provided.
group: Settings
label: Public Key
show_if: rule=PublicKey
hide_input: true
type: sequence[
variable: signatures
sequence_questions:
- default: ''
group: Settings
label: Image
show_if: rule=PublicKey
type: string
required: true
variable: image
- default: []
group: Settings
label: Public keys
show_if: rule=PublicKey
type: array[
value_multiline: true
variable: pubKeys
- default: {}
group: Settings
label: Annotations
show_if: rule=Keyless
show_if: rule=PublicKey
type: map[
variable: signatures.annotations
- default: true
tooltip: >-
This policy also mutates matching images to add the image digest, therefore
the version of the deployed image can't change. This mutation can be
disabled by setting modifyImagesWithDigest to false.
variable: annotations
- default: []
description: >-
It will verify that the image has been signed using all the certificates provided. The certificates must be PEM encoded. Optionally the settings can have the list of PEM encoded certificates that can create the certificateChain used to verify the given certificate. The requireRekorBundle should be set to true to have a stronger verification process. When set to true, the signature must have a Rekor bundle and the signature must have been created during the validity time frame of the certificate.
group: Settings
label: modifyImagesWithDigest
required: false
title: Modify images with digest
type: boolean
variable: modifyImagesWithDigest
label: Certificate
show_if: rule=Certificate
hide_input: true
type: sequence[
variable: signatures
sequence_questions:
- default: ''
group: Settings
label: Image
show_if: rule=Certificate
type: string
required: true
variable: image
- default: []
group: Settings
label: Public keys
show_if: rule=Certificate
type: array[
value_multiline: true
variable: certificates
- default: true
group: Settings
label: Require Rekor Bundle
show_if: rule=Certificate
type: boolean
variable: requireRekorBundle
- default: {}
group: Settings
label: Annotations
show_if: rule=Certificate
type: map[
variable: annotations
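Review bot: under the GithubAction rule `githubActions.repo` has no `required: true` while `githubActions.owner` does; if repo is genuinely optional, the description should state that an owner-only entry accepts signatures from any repository of that owner, and if it is not, add `required: true` (the same asymmetry exists under KeylessPrefix, where `issuer` is required but `urlPrefix` is not). Further points in this hunk: the Certificate entry has `label: Public keys` above `variable: certificates`, so the label should read `Certificates`; the Certificate description mentions an optional list of PEM certificates forming the `certificateChain`, but no question for it is added; the KeylessPrefix description ("It will verify that the issuer and that the urlPrefix is sanitized to prevent typosquatting.") does not parse and should say what is verified against `issuer` and `urlPrefix` and that the prefix is sanitized; and the Keyless Exact Match description says "It will not modify the image with the digest", which needs reconciling with the global `modifyImagesWithDigest` toggle (default `true`) added earlier in this file.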
