No attestations field in ClusterImagePolicy
shawnho1018 opened this issue · comments
Shawnho commented
I followed this sigstore tutorial to produce my ClusterImagePolicy yaml. I received the following error:
```
cosign % kubectl apply -f cluster-image-policy-1.yaml
error: error validating "cluster-image-policy-1.yaml": error validating data: ValidationError(ClusterImagePolicy.spec.authorities[0]): unknown field "attestations" in dev.sigstore.cosigned.v1alpha1.ClusterImagePolicy.spec.authorities; if you choose to ignore these errors, turn validation off with --validate=false
```
My ClusterImagePolicy yaml is also provided to help reproduce this error.
```yaml
apiVersion: cosigned.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: image-policy-1
spec:
  images:
  - regex: ".*"
  authorities:
  - attestations:
    - predicateType: custom
      name: customkey
      policy:
        type: cue
        data: |
          import "time"
          before: time.Parse(time.RFC3339, "2023-01-01T00:00:00Z")
          predicateType: "cosign.sigstore.dev/attestation/v1"
          predicate: {
            Data: "Vulnerability\n"
            Timestamp: <before
          }
    key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0ABQcDQgAE4rMj/48jzxvqn2NQeNyr97go3YVm
        rnu1GUmsJDoAhbmurg5xMBxMIUBDGiiIfD8S2VvQ7MRVXKyXxipGartSng==
        -----END PUBLIC KEY-----
```
My installation used the helm chart and the version is 1.8.0; my installation script is also shown below.
```
cosign % helm list -n cosign-system
NAME      NAMESPACE      REVISION  UPDATED                              STATUS    CHART            APP VERSION
cosigned  cosign-system  1         2022-05-09 01:17:36.318565 +0800 CST deployed  cosigned-0.1.18  1.8.0
```

```bash
# installation script
kubectl create namespace cosign-system
# Quote the password so shell metacharacters and spaces are passed through intact.
kubectl create secret generic mysecret -n cosign-system \
  --from-file=cosign.pub=./cosign.pub \
  --from-file=cosign.key=./cosign.key \
  --from-literal=cosign.password="${COSIGN_PASSWORD}"
```
I also checked the source clusterimagepolicy_type.go and I don't think the yaml file is wrong. Any advice is highly appreciated. I also opened a bug in sigstore/cosign.
Hector Fernandez commented
@shawnho1018 Thanks for opening the issue. I added the new fields to the CRD.
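
An added example, not part of the thread and not sigstore's code: a small checker that reports manifest fields a CRD schema does not declare, which is the mismatch behind the `unknown field "attestations"` error above. Both schema fragments are constructed for illustration (the installed chart's CRD is not shown on this page), and the manifest's long values are replaced by placeholders.

```python
import copy

STRING = {"type": "string"}

# CONSTRUCTED schema fragment for .spec, mimicking a CRD that predates
# `attestations`; it is not copied from the cosigned chart.
OLD_SPEC = {"type": "object", "properties": {
    "images": {"type": "array", "items": {"type": "object", "properties": {
        "glob": STRING, "regex": STRING}}},
    "authorities": {"type": "array", "items": {"type": "object", "properties": {
        "key": {"type": "object", "properties": {"data": STRING}}}}},
}}

# CONSTRUCTED: the same fragment with the field declared; property names are
# taken from the manifest posted in the issue.
NEW_SPEC = copy.deepcopy(OLD_SPEC)
NEW_SPEC["properties"]["authorities"]["items"]["properties"]["attestations"] = {
    "type": "array", "items": {"type": "object", "properties": {
        "name": STRING, "predicateType": STRING,
        "policy": {"type": "object", "properties": {
            "type": STRING, "data": STRING}}}}}

# .spec of the manifest from the issue; long values shortened to placeholders.
MANIFEST_SPEC = {
    "images": [{"regex": ".*"}],
    "authorities": [{
        "attestations": [{"predicateType": "custom", "name": "customkey",
                          "policy": {"type": "cue", "data": "<cue policy>"}}],
        "key": {"data": "<PEM public key>"},
    }],
}

def unknown_fields(obj, schema, path):
    """List paths set in obj that the schema's `properties` do not declare."""
    found = []
    if isinstance(obj, dict):
        props = schema.get("properties")
        if props is None or schema.get("x-kubernetes-preserve-unknown-fields"):
            return found  # free-form object: nothing to compare against
        for key, value in obj.items():
            if key not in props:
                found.append(f"{path}.{key}")
            else:
                found.extend(unknown_fields(value, props[key], f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(unknown_fields(value, schema.get("items", {}), f"{path}[{i}]"))
    return found

if __name__ == "__main__":
    print("old CRD:", unknown_fields(MANIFEST_SPEC, OLD_SPEC, "spec"))
    print("new CRD:", unknown_fields(MANIFEST_SPEC, NEW_SPEC, "spec"))
```

Against a live cluster, the schema to compare with is the `.spec.versions[].schema.openAPIV3Schema` object in the output of `kubectl get crd <crd-name> -o json`. A policy field that the installed CRD does not declare is not enforced, so checking for this drift before relying on a policy is worthwhile.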