Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,6 @@ toc_hide=true
description="Settings for configuring image verifier plugins (`settings.image-verifier-plugins.*`)"
+++

**Note:** These settings are only available on aws-ecs-3 variants.
**Note:** These settings are only available on aws-ecs-3 variants and aws-k8s-1.33+ variants.

{{< settings >}}
92 changes: 92 additions & 0 deletions data/settings/1.60.x/image-verifier-plugins.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
[[docs.ref.enabled]]
description = """
Controls whether image verifier plugins are enabled.
When enabled, container images will be verified using the configured plugins before being allowed to run.
"""
default = "`false`"
accepted_values = [
"`true`",
"`false`"
]

[[docs.ref.enabled.example]]
value = "true"
comment = "Enable image verifier plugins"

[[docs.ref.notation]]
description = """
Configuration for Notation-based image verification.
"""

[[docs.ref.notation-trustpolicy]]
name_override = "notation.trustpolicy"
description = """
Base64 encoded trustpolicy.json file for Notation verification.
The trust policy defines which identities are trusted to sign container images and the verification requirements.
"""
accepted_values = [
"Base64 encoded JSON string"
]
see = [
["[Notation Trust Policy Specification](https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#trust-policy)"]
]

[[docs.ref.notation-trustpolicy.example]]
value = "\"ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9\""
comment = "Base64 encoded empty trust policy"

[[docs.ref.digestion]]
description = """
Configuration for digest-based image verification.
"""

[[docs.ref.digestion-trustpolicy]]
name_override = "digestion.trustpolicy"
description = """
Base64 encoded trust policy for digest verification.
The trust policy defines the verification requirements for digest-based image verification.
The decoded JSON has the format:
```json
{
"version": "1.0",
"trustedDigests": [
"sha256:...",
"sha256:...",
...
]
}
```
"""
accepted_values = [
"Base64 encoded JSON string"
]

[[docs.ref.digestion-trustpolicy.example]]
value = "\"eyJ2ZXJzaW9uIjogIjEuMCIsICJ0cnVzdGVkRGlnZXN0cyI6IFsic2hhMjU2OmFiYzEyMy4uLiJdfQ==\""
comment = "Base64 encoded digestion trust policy"

[[docs.ref.custom-verifier]]
name_override = "<custom-verifier>"
description = """
Configuration for custom verifier plugins.
A bootstrap container with a custom image can be used to install a custom verifier binary to the host at boot.
Custom verifier binaries must be installed to `/opt/civ/bin` and configuration files for a custom verifier can be provided at `/var/lib`.
"""
see = [
["[Bootstrap Containers](../../concepts/bootstrap-containers/)"],
["[containerd Image Verification](https://github.com/containerd/containerd/blob/main/docs/image-verification.md)"]
]

[[docs.ref.custom-verifier-trustpolicy]]
name_override = "<custom-verifier>.trustpolicy"
description = """
Base64 encoded trust policy for custom verifier plugins.
The trust policy defines the verification requirements for the custom verifier.
"""
accepted_values = [
"Base64 encoded JSON string"
]

[[docs.ref.custom-verifier-trustpolicy.example]]
value = "\"eyJjdXN0b21Db25maWciOiAidmFsdWUifQ==\""
comment = "Base64 encoded custom configuration"