```yaml
apiVersion: v1alpha1
kind: ImageVerificationConfig
# List of verification rules.
rules:
    - image: registry.k8s.io/* # Image reference pattern to match for this rule.
      # Keyless verifier configuration to use for this rule.
      keyless:
        issuer: https://accounts.google.com # OIDC issuer URL for keyless verification.
        subject: krel-trust@k8s-releng-prod.iam.gserviceaccount.com # Expected subject for keyless verification.

        # # Regex pattern for subject matching.
        # subjectRegex: .*@example\.com
    - image: my-registry/* # Image reference pattern to match for this rule.
      # Public key verifier configuration to use for this rule.
      publicKey:
        certificate: |- # A public certificate in PEM format accepted for image signature verification.
            -----BEGIN CERTIFICATE-----
            MII--Sample Value--
            -----END CERTIFICATE-----
    - image: localhost:3000/* # Image reference pattern to match for this rule.
      deny: true # Deny pulling images matching the pattern (default: false).
```
| Field | Type | Description | Value(s) |
|-------|------|-------------|----------|
| `rules` | `ImageVerificationRuleV1Alpha1` | List of verification rules. Rules are evaluated in order; first matching rule applies. | |

rules[]

ImageVerificationRuleV1Alpha1 defines a verification rule.
| Field | Type | Description | Value(s) |
|-------|------|-------------|----------|
| `image` | string | Image reference pattern to match for this rule. Supports glob patterns. | |
| `skip` | bool | Skip verification for this image pattern (default: false). | |
| `deny` | bool | Deny pulling images matching the pattern (default: false). | |
| `keyless` | `ImageKeylessVerifierV1Alpha1` | Keyless verifier configuration to use for this rule. | |
| `publicKey` | `ImagePublicKeyVerifierV1Alpha1` | Public key verifier configuration to use for this rule. | |
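
Because the first matching rule applies, a broad pattern placed early can make a later `deny` rule unreachable. The Python sketch below is an added example, not the project's own code: it assumes fnmatch-style globbing, uses a hypothetical catch-all `*` rule, and its function names are its own.

```python
from fnmatch import fnmatchcase

# Constructed rule lists using the fields documented above (values are samples).
PAGE_ORDER = [
    {"image": "registry.k8s.io/*", "keyless": {"issuer": "https://accounts.google.com"}},
    {"image": "my-registry/*", "publicKey": {"certificate": "<PEM placeholder>"}},
    {"image": "localhost:3000/*", "deny": True},
]
# Hypothetical misordering: a catch-all skip rule placed ahead of the deny rule.
MISORDERED = [
    {"image": "*", "skip": True},
    {"image": "localhost:3000/*", "deny": True},
]

def action(rule):
    """Name the outcome a rule selects, from the fields it sets."""
    # A rule setting several of these fields at once is outside this sketch.
    if rule.get("deny"):
        return "deny"
    if rule.get("skip"):
        return "skip"
    for verifier in ("keyless", "publicKey"):
        if verifier in rule:
            return "verify:" + verifier
    return "unspecified"

def first_match(rules, image_ref):
    """Return (index, action) of the first rule whose pattern matches image_ref."""
    for index, rule in enumerate(rules):
        # Assumption: fnmatch-style globbing, where '*' also matches '/'.
        if fnmatchcase(image_ref, rule["image"]):
            return index, action(rule)
    return None, "no rule matched"

def shadowed(rules):
    """Indices of rules that can never apply because an earlier pattern covers them.

    Heuristic: an earlier pattern that matches the later pattern's own text covers
    it. This holds for patterns whose only wildcard is '*'.
    """
    return [
        later
        for later in range(len(rules))
        if any(fnmatchcase(rules[later]["image"], rules[earlier]["image"])
               for earlier in range(later))
    ]

if __name__ == "__main__":
    for ref in ("registry.k8s.io/pause:3.10", "localhost:3000/app:dev"):
        print(ref, first_match(PAGE_ORDER, ref), first_match(MISORDERED, ref))
    print("shadowed in MISORDERED:", shadowed(MISORDERED))
```

Running `shadowed()` over a rule list before deploying it flags `deny` or verifier rules that an earlier `skip` pattern would silently override.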

keyless

ImageKeylessVerifierV1Alpha1 configures a signature verification provider using Cosign keyless verification.
| Field | Type | Description | Value(s) |
|-------|------|-------------|----------|
| `issuer` | string | OIDC issuer URL for keyless verification. | |
| `subject` | string | Expected subject for keyless verification. This is the identity (email, URI) that signed the image. | |
| `subjectRegex` | string | Regex pattern for subject matching. Use this instead of subject for flexible matching. | |

publicKey

ImagePublicKeyVerifierV1Alpha1 configures a signature verification provider using a static public key.
| Field | Type | Description | Value(s) |
|-------|------|-------------|----------|
| `certificate` | string | A public certificate in PEM format accepted for image signature verification. | |