fix: update helm chart kyverno to 2.6.3 #2676
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![bloopy-boi[bot]](https://avatars.githubusercontent.com/in/166688?s=60&v=4){kind=small}
Signed-off-by: Zee Aslam <[email protected]>
bloopy-boi
bot
added
renovate/helm
type/patch
size/XS
|
Path: @@ -132,6 +132,10 @@
name: Hash
priority: 1
type: string
+ - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
+ name: AGGREGATE
+ priority: 1
+ type: string
name: v1alpha2
schema:
openAPIV3Schema:
@@ -624,6 +628,10 @@
name: Hash
priority: 1
type: string
+ - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
+ name: AGGREGATE
+ priority: 1
+ type: string
name: v1alpha2
schema:
openAPIV3Schema:
@@ -2627,6 +2635,95 @@
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
+ attestors:
+ description: Attestors specify the required attestors (i.e. authorities)
+ items:
+ properties:
+ count:
+ description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies one or more certificates
+ properties:
+ cert:
+ description: Certificate is an optional PEM encoded public certificate.
+ type: string
+ certChain:
+ description: CertificateChain is an optional PEM encoded set of certificates used to verify
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ keyless:
+ description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions are certificate-extensions used for keyless signing.
+ type: object
+ issuer:
+ description: Issuer is the certificate issuer used for keyless signing.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ roots:
+ description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified identity used for keyless signing, for example the email address
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more public keys
+ properties:
+ publicKeys:
+ description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ repository:
+ description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@@ -4364,6 +4461,95 @@
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
+ attestors:
+ description: Attestors specify the required attestors (i.e. authorities)
+ items:
+ properties:
+ count:
+ description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies one or more certificates
+ properties:
+ cert:
+ description: Certificate is an optional PEM encoded public certificate.
+ type: string
+ certChain:
+ description: CertificateChain is an optional PEM encoded set of certificates used to verify
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ keyless:
+ description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions are certificate-extensions used for keyless signing.
+ type: object
+ issuer:
+ description: Issuer is the certificate issuer used for keyless signing.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ roots:
+ description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified identity used for keyless signing, for example the email address
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more public keys
+ properties:
+ publicKeys:
+ description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ repository:
+ description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@@ -6042,6 +6228,95 @@
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
+ attestors:
+ description: Attestors specify the required attestors (i.e. authorities)
+ items:
+ properties:
+ count:
+ description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies one or more certificates
+ properties:
+ cert:
+ description: Certificate is an optional PEM encoded public certificate.
+ type: string
+ certChain:
+ description: CertificateChain is an optional PEM encoded set of certificates used to verify
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ keyless:
+ description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions are certificate-extensions used for keyless signing.
+ type: object
+ issuer:
+ description: Issuer is the certificate issuer used for keyless signing.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ roots:
+ description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified identity used for keyless signing, for example the email address
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more public keys
+ properties:
+ publicKeys:
+ description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ repository:
+ description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@@ -7764,6 +8039,95 @@
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
+ attestors:
+ description: Attestors specify the required attestors (i.e. authorities)
+ items:
+ properties:
+ count:
+ description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies one or more certificates
+ properties:
+ cert:
+ description: Certificate is an optional PEM encoded public certificate.
+ type: string
+ certChain:
+ description: CertificateChain is an optional PEM encoded set of certificates used to verify
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ keyless:
+ description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions are certificate-extensions used for keyless signing.
+ type: object
+ issuer:
+ description: Issuer is the certificate issuer used for keyless signing.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ roots:
+ description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified identity used for keyless signing, for example the email address
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more public keys
+ properties:
+ publicKeys:
+ description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ repository:
+ description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@@ -10051,6 +10415,95 @@
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
+ attestors:
+ description: Attestors specify the required attestors (i.e. authorities)
+ items:
+ properties:
+ count:
+ description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies one or more certificates
+ properties:
+ cert:
+ description: Certificate is an optional PEM encoded public certificate.
+ type: string
+ certChain:
+ description: CertificateChain is an optional PEM encoded set of certificates used to verify
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ keyless:
+ description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions are certificate-extensions used for keyless signing.
+ type: object
+ issuer:
+ description: Issuer is the certificate issuer used for keyless signing.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ roots:
+ description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified identity used for keyless signing, for example the email address
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more public keys
+ properties:
+ publicKeys:
+ description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ repository:
+ description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@@ -11788,6 +12241,95 @@
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
+ attestors:
+ description: Attestors specify the required attestors (i.e. authorities)
+ items:
+ properties:
+ count:
+ description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies one or more certificates
+ properties:
+ cert:
+ description: Certificate is an optional PEM encoded public certificate.
+ type: string
+ certChain:
+ description: CertificateChain is an optional PEM encoded set of certificates used to verify
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ keyless:
+ description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions are certificate-extensions used for keyless signing.
+ type: object
+ issuer:
+ description: Issuer is the certificate issuer used for keyless signing.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ roots:
+ description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified identity used for keyless signing, for example the email address
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more public keys
+ properties:
+ publicKeys:
+ description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ repository:
+ description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@@ -13466,6 +14008,95 @@
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
+ attestors:
+ description: Attestors specify the required attestors (i.e. authorities)
+ items:
+ properties:
+ count:
+ description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies one or more certificates
+ properties:
+ cert:
+ description: Certificate is an optional PEM encoded public certificate.
+ type: string
+ certChain:
+ description: CertificateChain is an optional PEM encoded set of certificates used to verify
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ keyless:
+ description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions are certificate-extensions used for keyless signing.
+ type: object
+ issuer:
+ description: Issuer is the certificate issuer used for keyless signing.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ roots:
+ description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified identity used for keyless signing, for example the email address
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more public keys
+ properties:
+ publicKeys:
+ description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ repository:
+ description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@@ -15188,6 +15819,95 @@
items:
description: Attestation are checks for signed in-toto Statements that are used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statements.
properties:
+ attestors:
+ description: Attestors specify the required attestors (i.e. authorities)
+ items:
+ properties:
+ count:
+ description: Count specifies the required number of entries that must match. If the count is null, all entries must match (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: Entries contains the available attestors. An attestor can be a static key, attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested AttestorSet used to specify a more complex set of match authorities
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies one or more certificates
+ properties:
+ cert:
+ description: Certificate is an optional PEM encoded public certificate.
+ type: string
+ certChain:
+ description: CertificateChain is an optional PEM encoded set of certificates used to verify
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ keyless:
+ description: Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions are certificate-extensions used for keyless signing.
+ type: object
+ issuer:
+ description: Issuer is the certificate issuer used for keyless signing.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked and a root certificate chain is expected instead. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ roots:
+ description: Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified identity used for keyless signing, for example the email address
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more public keys
+ properties:
+ publicKeys:
+ description: Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly specified or can be a variable reference to a key specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: Rekor provides configuration for the Rekor transparency log service. If the value is nil, Rekor is not checked. If an empty object is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ url:
+ description: URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev.
+ type: string
+ required:
+ - url
+ type: object
+ type: object
+ repository:
+ description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
conditions:
description: Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.
items:
@@ -16575,7 +17295,7 @@
dnsPolicy: ClusterFirst
initContainers:
- name: kyverno-pre
- image: "ghcr.io/kyverno/kyvernopre:v1.8.2"
+ image: "ghcr.io/kyverno/kyvernopre:v1.8.3"
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
@@ -16611,7 +17331,7 @@
value: kyverno
containers:
- name: kyverno
- image: "ghcr.io/kyverno/kyverno:v1.8.2"
+ image: "ghcr.io/kyverno/kyverno:v1.8.3"
imagePullPolicy: IfNotPresent
args:
- --autogenInternals=false |
🦙 MegaLinter status: ✅ SUCCESS
See errors details in artifact MegaLinter reports on CI Job page MegaLinter is graciously provided by |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.6.2->2.6.3⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.