mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2026-04-12 01:01:07 +02:00
Code Issues Packages Projects Releases Wiki Activity
talos/api/resource/definitions/security/security.proto
Laura Brehm 7f2eb48561
feat: add image verification endpoint 
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.

Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.

Talos itself hooks up in the image verification process, while
containerd CRI plugin accesses same API via the machined socket.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-03-06 20:06:07 +04:00

37 lines
1.0 KiB
Protocol Buffer
Executable File
Raw Blame History

syntax = "proto3";
package talos.resource.definitions.security;
option go_package = "github.com/siderolabs/talos/pkg/machinery/api/resource/definitions/security";
option java_package = "dev.talos.api.resource.definitions.security";
import "google/protobuf/timestamp.proto";
// ImageKeylessVerifierSpec represents a signature verification provider.
message ImageKeylessVerifierSpec {
string issuer = 1;
string subject = 2;
string subject_regex = 3;
}
// ImagePublicKeyVerifierSpec represents a signature verification provider with static public key.
message ImagePublicKeyVerifierSpec {
string certificate = 1;
}
// ImageVerificationRuleSpec represents a verification rule.
message ImageVerificationRuleSpec {
string image_pattern = 2;
bool skip = 3;
bool deny = 4;
ImageKeylessVerifierSpec keyless_verifier = 5;
ImagePublicKeyVerifierSpec public_key_verifier = 6;
}
// TUFTrustedRootSpec represents a sigstore's TUF trusted root information.
message TUFTrustedRootSpec {
google.protobuf.Timestamp last_refresh_time = 1;
string json_data = 2;
}
Reference in New Issue View Git Blame Copy Permalink