some question about configuration of ClusterImagePolicy for keyless mode

Question

some question about configuration of ClusterImagePolicy for keyless mode

yxxchange opened this issue a year ago · comments

Question

I have already used cosign to perform a keyless signature on an image, and now I want to apply it to a Kubernetes cluster with a policy controller, but I am confused about the configuration of ClusterImagePolicy.
I can cosign verify the image by --certificate-identity=name@example.com --certificate-oidc-issuer=https://accounts.example.com. But I am not quite sure which fields to fill in the YAML file of the ClusterImagePolicy in order to make my image pass the validation.

apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: keyless-attestation-sbom-spdxjson
spec:
  images:
  - glob: "**"
  authorities:
  - name: keyless
    keyless:
      url: "https://fulcio.sigstore.dev"
    attestations:
    - name: must-have-spdxjson
      predicateType: https://spdx.dev/Document
      policy:
        type: cue
        data: |
          predicateType: "https://spdx.dev/Document"

This example is quite confusing because I have no idea how the images that can pass the validation are signed. Is the URL in the configuration fixed? I just used cosign sign $IMAGE

Kenneth Yang · Answer 1 · Wed Aug 09 2023 05:02:56 GMT+0800 (China Standard Time)

@ElonMuskkkkkk you will probably want to use v1beta1 instead of v1alpha1 for the ClusterImagePolicy; within the documentation you should be able to fine all the associated fields for each attribute you're looking to include.