ImageConfig
pkg.crossplane.io / v1beta1
apiVersion: pkg.crossplane.io/v1beta1
kind: ImageConfig
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
ImageConfigSpec contains the configuration for matching images.
matchImages []object required
MatchImages is a list of image matching rules. This ImageConfig will
match an image if any one of these rules is satisfied. In the case where
multiple ImageConfigs match an image for a given purpose the one with the
most specific match will be used. If multiple rules of equal specificity
match an arbitrary one will be selected.
prefix
string required
Prefix is the prefix that should be matched. When multiple prefix rules
match an image path, the longest one takes precedence.
type
string
Type is the type of match.
enum:
Prefixregistry object
Registry is the configuration for the registry.
authentication object
Authentication is the authentication information for the registry.
pullSecretRef object required
PullSecretRef is a reference to a secret that contains the credentials for
the registry.
name
string
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
rewriteImage object
RewriteImage defines how a matched image's path should be rewritten.
prefix
string required
Prefix is the prefix that will replace the portion of the image's path
matched by the prefix in the ImageMatch. If multiple prefixes matched,
the longest one will be replaced.
runtime object
Runtime allows configuration of runtime options for the image.
configRef object
ConfigReference references a RuntimeConfig resource that will be
used to configure the package runtime.
apiVersion
string
API version of the referent.
kind
string
Kind of the referent.
name
string required
Name of the RuntimeConfig.
verification object
Verification contains the configuration for verifying the image.
cosign object
Cosign is the configuration for verifying the image using cosign.
authorities []object required
Authorities defines the rules for discovering and validating signatures.
attestations []object
Attestations is a list of individual attestations for this authority,
once the signature for this authority has been verified.
name
string required
Name of the attestation.
predicateType
string required
PredicateType defines which predicate type to verify. Matches cosign
verify-attestation options.
key object
Key defines the type of key to validate the image.
hashAlgorithm
string required
HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set
secretRef object required
SecretRef sets a reference to a secret with the key.
key
string required
The key to select.
name
string required
Name of the secret.
keyless object
Keyless sets the configuration to verify the authority against a Fulcio
instance.
identities []object required
Identities sets a list of identities.
issuer
string
Issuer defines the issuer for this identity.
issuerRegExp
string
IssuerRegExp specifies a regular expression to match the issuer for this identity.
This has precedence over the Issuer field.
subject
string
Subject defines the subject for this identity.
subjectRegExp
string
SubjectRegExp specifies a regular expression to match the subject for this identity.
This has precedence over the Subject field.
insecureIgnoreSCT
boolean
InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT
name
string required
Name is the name for this authority.
provider
string required
Provider is the provider that should be used to verify the image.
enum:
CosignNo matches. Try .spec.matchImages for an exact path