tekton.dev / v1alpha1 / VerificationPolicy

• string

  .apiVersion

  APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

• string

  .kind

  Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

• object

  .metadata

• object required

  .spec

  Spec holds the desired state of the VerificationPolicy.

• array required

  .spec .authorities

  Authorities defines the rules for validating signatures.

• object

  .spec .authorities[] .key

  Key contains the public key to validate the resource.

• string

  .spec .authorities[] .key .data

  Data contains the inline public key.

• string

  .spec .authorities[] .key .hashAlgorithm

  HashAlgorithm always defaults to sha256 if the algorithm hasn’t been explicitly set

• string

  .spec .authorities[] .key .kms

  KMS contains the KMS url of the public key Supported formats differ based on the KMS system used. One example of a KMS url could be: gcpkms://projects/[PROJECT]/locations/[LOCATION]>/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[KEY_VERSION] For more examples please refer https://docs.sigstore.dev/cosign/kms_support. Note that the KMS is not supported yet.

• object

  .spec .authorities[] .key .secretRef

  SecretRef sets a reference to a secret with the key.

• string

  .spec .authorities[] .key .secretRef .name

  name is unique within a namespace to reference a secret resource.

• string

  .spec .authorities[] .key .secretRef .namespace

  namespace defines the space within which the secret name must be unique.

• string required

  .spec .authorities[] .name

  Name is the name for this authority.

• string

  .spec .mode

  Mode controls whether a failing policy will fail the taskrun/pipelinerun, or only log the warnings enforce - fail the taskrun/pipelinerun if verification fails (default) warn - don’t fail the taskrun/pipelinerun if verification fails but log warnings

• array required

  .spec .resources

  Resources defines the patterns of resources sources that should be subject to this policy. For example, we may want to apply this Policy from a certain GitHub repo. Then the ResourcesPattern should be valid regex. E.g. If using gitresolver, and we want to config keys from a certain git repo. ResourcesPattern can be https://github.com/tektoncd/catalog.git, we will use regex to filter out those resources.

• string required

  .spec .resources[] .pattern

  Pattern defines a resource pattern. Regex is created to filter resources based on Pattern Example patterns: GitHub resource: https://github.com/tektoncd/catalog.git, https://github.com/tektoncd/* Bundle resource: gcr.io/tekton-releases/catalog/upstream/git-clone, gcr.io/tekton-releases/catalog/upstream/* Hub resource: https://artifacthub.io/*,