> ImageVerificationConfig configures image signature verification policy.

# ImageVerificationConfig

```yaml
apiVersion: v1alpha1
kind: ImageVerificationConfig
# List of verification rules.
rules:
    - image: registry.k8s.io/* # Image reference pattern to match for this rule.
      # Keyless verifier configuration to use for this rule.
      keyless:
        issuer: https://accounts.google.com # OIDC issuer URL for keyless verification.
        subject: krel-trust@k8s-releng-prod.iam.gserviceaccount.com # Expected subject for keyless verification.

        # # Regex pattern for subject matching.
        # subjectRegex: .*@example\.com
    - image: my-registry/* # Image reference pattern to match for this rule.
      # Public key verifier configuration to use for this rule.
      publicKey:
        certificate: |- # A public certificate in PEM format accepted for image signature verification.
            -----BEGIN CERTIFICATE-----
            MII--Sample Value--
            -----END CERTIFICATE-----
    - image: localhost:3000/* # Image reference pattern to match for this rule.
      deny: true # Deny pulling images matching the pattern (default: false).
```

<table>
  <thead>
    <tr>
      <th>Field</th>
      <th>Type</th>
      <th>Description</th>
      <th>Value(s)</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>`rules`</td>
      <td><a href="#rules%5B%5D">ImageVerificationRuleV1Alpha1</a></td>
      <td>List of verification rules.<br />Rules are evaluated in order; first matching rule applies.</td>

      <td />
    </tr>
  </tbody>
</table>

## rules\[]

ImageVerificationRuleV1Alpha1 defines a verification rule.

<table>
  <thead>
    <tr>
      <th>Field</th>
      <th>Type</th>
      <th>Description</th>
      <th>Value(s)</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>`image`</td>
      <td>string</td>
      <td>Image reference pattern to match for this rule.<br />Supports glob patterns.</td>

      <td />
    </tr>

    <tr>
      <td>`skip`</td>
      <td>bool</td>
      <td>Skip verification for this image pattern (default: false).</td>

      <td />
    </tr>

    <tr>
      <td>`deny`</td>
      <td>bool</td>
      <td>Deny pulling images matching the pattern (default: false).</td>

      <td />
    </tr>

    <tr>
      <td>`keyless`</td>
      <td><a href="#keyless">ImageKeylessVerifierV1Alpha1</a></td>
      <td>Keyless verifier configuration to use for this rule.</td>

      <td />
    </tr>

    <tr>
      <td>`publicKey`</td>
      <td><a href="#publickey">ImagePublicKeyVerifierV1Alpha1</a></td>
      <td>Public key verifier configuration to use for this rule.</td>

      <td />
    </tr>
  </tbody>
</table>
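
Because rules are evaluated in order and the first matching rule applies, a broad pattern placed above a narrower one shadows it. The two alternative documents below are an added example, not taken from the Talos documentation: the `my-registry/debug-*` pattern and the image name `my-registry/debug-shell:latest` are constructed for illustration, and the certificate is the placeholder used above.

```yaml
# Alternative 1, shadowed ordering (do not apply together with alternative 2).
# my-registry/debug-shell:latest matches the first rule, so it is checked
# against the public key and the deny rule below is never reached.
apiVersion: v1alpha1
kind: ImageVerificationConfig
rules:
    - image: my-registry/*
      publicKey:
        certificate: |-
            -----BEGIN CERTIFICATE-----
            MII--Sample Value--
            -----END CERTIFICATE-----
    - image: my-registry/debug-* # constructed pattern, shadowed by the rule above
      deny: true
---
# Alternative 2, corrected ordering.
# The narrower deny rule comes first, so my-registry/debug-shell:latest is
# denied; every other my-registry image falls through to the public key rule.
apiVersion: v1alpha1
kind: ImageVerificationConfig
rules:
    - image: my-registry/debug-* # constructed pattern, evaluated first
      deny: true
    - image: my-registry/*
      publicKey:
        certificate: |-
            -----BEGIN CERTIFICATE-----
            MII--Sample Value--
            -----END CERTIFICATE-----
```

The same reasoning applies to `skip`: a broad `skip: true` rule listed early bypasses any later `keyless`, `publicKey` or `deny` rule whose pattern it overlaps.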

### keyless

ImageKeylessVerifierV1Alpha1 configures a signature verification provider using Cosign keyless verification.

<table>
  <thead>
    <tr>
      <th>Field</th>
      <th>Type</th>
      <th>Description</th>
      <th>Value(s)</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>`issuer`</td>
      <td>string</td>
      <td>OIDC issuer URL for keyless verification.</td>

      <td />
    </tr>

    <tr>
      <td>`subject`</td>
      <td>string</td>
      <td>Expected subject for keyless verification.<br /><br />This is the identity (email, URI) that signed the image.</td>

      <td />
    </tr>

    <tr>
      <td>`subjectRegex`</td>
      <td>string</td>
      <td>Regex pattern for subject matching.<br /><br />Use this instead of subject for flexible matching.</td>

      <td />
    </tr>
  </tbody>
</table>

### publicKey

ImagePublicKeyVerifierV1Alpha1 configures a signature verification provider using a static public key.

<table>
  <thead>
    <tr>
      <th>Field</th>
      <th>Type</th>
      <th>Description</th>
      <th>Value(s)</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>`certificate`</td>
      <td>string</td>
      <td>A public certificate in PEM format accepted for image signature verification.</td>

      <td />
    </tr>
  </tbody>
</table>
