|
|
ae5259 |
% CONTAINERS-POLICY.JSON 5 policy.json Man Page
|
|
|
bce470 |
% Miloslav Trmač
|
|
|
bce470 |
% September 2016
|
|
|
bce470 |
|
|
|
bce470 |
# NAME
|
|
|
bce470 |
containers-policy.json - syntax for the signature verification policy file
|
|
|
bce470 |
|
|
|
bce470 |
## DESCRIPTION
|
|
|
bce470 |
|
|
|
bce470 |
Signature verification policy files are used to specify policy, e.g. trusted keys,
|
|
|
bce470 |
applicable when deciding whether to accept an image, or individual signatures of that image, as valid.
|
|
|
bce470 |
|
|
|
bce470 |
By default, the policy is read from `$HOME/.config/containers/policy.json`, if it exists, otherwise from `/etc/containers/policy.json`; applications performing verification may allow using a different policy instead.
|
|
|
bce470 |
|
|
|
bce470 |
## FORMAT
|
|
|
bce470 |
|
|
|
bce470 |
The signature verification policy file, usually called `policy.json`,
|
|
|
bce470 |
uses a JSON format. Unlike some other JSON files, its parsing is fairly strict:
|
|
|
bce470 |
unrecognized, duplicated or otherwise invalid fields cause the entire file,
|
|
|
bce470 |
and usually the entire operation, to be rejected.
|
|
|
bce470 |
|
|
|
bce470 |
The purpose of the policy file is to define a set of *policy requirements* for a container image,
|
|
|
bce470 |
usually depending on its location (where it is being pulled from) or otherwise defined identity.
|
|
|
bce470 |
|
|
|
bce470 |
Policy requirements can be defined for:
|
|
|
bce470 |
|
|
|
bce470 |
- An individual *scope* in a *transport*.
|
|
|
bce470 |
The *transport* values are the same as the transport prefixes when pushing/pulling images (e.g. `docker:`, `atomic:`),
|
|
|
bce470 |
and *scope* values are defined by each transport; see below for more details.
|
|
|
bce470 |
|
|
|
bce470 |
Usually, a scope can be defined to match a single image, and various prefixes of
|
|
|
bce470 |
such a most specific scope define namespaces of matching images.
|
|
|
bce470 |
- A default policy for a single transport, expressed using an empty string as a scope
|
|
|
bce470 |
- A global default policy.
|
|
|
bce470 |
|
|
|
bce470 |
If multiple policy requirements match a given image, only the requirements from the most specific match apply,
|
|
|
bce470 |
the more general policy requirements definitions are ignored.
|
|
|
bce470 |
|
|
|
bce470 |
This is expressed in JSON using the top-level syntax
|
|
|
bce470 |
```js
|
|
|
bce470 |
{
|
|
|
bce470 |
"default": [/* policy requirements: global default */]
|
|
|
bce470 |
"transports": {
|
|
|
bce470 |
transport_name: {
|
|
|
bce470 |
"": [/* policy requirements: default for transport $transport_name */],
|
|
|
bce470 |
scope_1: [/* policy requirements: default for $scope_1 in $transport_name */],
|
|
|
bce470 |
scope_2: [/*…*/]
|
|
|
bce470 |
/*…*/
|
|
|
bce470 |
},
|
|
|
bce470 |
transport_name_2: {/*…*/}
|
|
|
bce470 |
/*…*/
|
|
|
bce470 |
}
|
|
|
bce470 |
}
|
|
|
bce470 |
```
|
|
|
bce470 |
|
|
|
bce470 |
The global `default` set of policy requirements is mandatory; all of the other fields
|
|
|
bce470 |
(`transports` itself, any specific transport, the transport-specific default, etc.) are optional.
|
|
|
bce470 |
|
|
|
bce470 |
|
|
|
bce470 |
## Supported transports and their scopes
|
|
|
bce470 |
|
|
|
bce470 |
### `atomic:`
|
|
|
bce470 |
|
|
|
bce470 |
The `atomic:` transport refers to images in an Atomic Registry.
|
|
|
bce470 |
|
|
|
bce470 |
Supported scopes use the form _hostname_[`:`_port_][`/`_namespace_[`/`_imagestream_ [`:`_tag_]]],
|
|
|
bce470 |
i.e. either specifying a complete name of a tagged image, or prefix denoting
|
|
|
bce470 |
a host/namespace/image stream or a wildcarded expression for matching all
|
|
|
bce470 |
subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not.
|
|
|
bce470 |
|
|
|
bce470 |
*Note:* The _hostname_ and _port_ refer to the container registry host and port (the one used
|
|
|
bce470 |
e.g. for `docker pull`), _not_ to the OpenShift API host and port.
|
|
|
bce470 |
|
|
|
bce470 |
### `dir:`
|
|
|
bce470 |
|
|
|
bce470 |
The `dir:` transport refers to images stored in local directories.
|
|
|
bce470 |
|
|
|
bce470 |
Supported scopes are paths of directories (either containing a single image or
|
|
|
bce470 |
subdirectories possibly containing images).
|
|
|
bce470 |
|
|
|
bce470 |
*Note:* The paths must be absolute and contain no symlinks. Paths violating these requirements may be silently ignored.
|
|
|
bce470 |
|
|
|
bce470 |
The top-level scope `"/"` is forbidden; use the transport default scope `""`,
|
|
|
bce470 |
for consistency with other transports.
|
|
|
bce470 |
|
|
|
bce470 |
### `docker:`
|
|
|
bce470 |
|
|
|
bce470 |
The `docker:` transport refers to images in a registry implementing the "Docker Registry HTTP API V2".
|
|
|
bce470 |
|
|
|
bce470 |
Scopes matching individual images are named Docker references *in the fully expanded form*, either
|
|
|
bce470 |
using a tag or digest. For example, `docker.io/library/busybox:latest` (*not* `busybox:latest`).
|
|
|
bce470 |
|
|
|
bce470 |
More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest),
|
|
|
bce470 |
a repository namespace, or a registry host (by only specifying the host name)
|
|
|
bce470 |
or a wildcarded expression for matching all subdomains. For wildcarded subdomain
|
|
|
bce470 |
matching, `*.example.com` is a valid case, but `example*.*.com` is not.
|
|
|
bce470 |
|
|
|
bce470 |
### `oci:`
|
|
|
bce470 |
|
|
|
bce470 |
The `oci:` transport refers to images in directories compliant with "Open Container Image Layout Specification".
|
|
|
bce470 |
|
|
|
bce470 |
Supported scopes use the form _directory_`:`_tag_, and _directory_ referring to
|
|
|
bce470 |
a directory containing one or more tags, or any of the parent directories.
|
|
|
bce470 |
|
|
|
bce470 |
*Note:* See `dir:` above for semantics and restrictions on the directory paths, they apply to `oci:` equivalently.
|
|
|
bce470 |
|
|
|
bce470 |
### `tarball:`
|
|
|
bce470 |
|
|
|
bce470 |
The `tarball:` transport refers to tarred up container root filesystems.
|
|
|
bce470 |
|
|
|
bce470 |
Scopes are ignored.
|
|
|
bce470 |
|
|
|
bce470 |
## Policy Requirements
|
|
|
bce470 |
|
|
|
bce470 |
Using the mechanisms above, a set of policy requirements is looked up. The policy requirements
|
|
|
bce470 |
are represented as a JSON array of individual requirement objects. For an image to be accepted,
|
|
|
bce470 |
*all* of the requirements must be satisfied simultaneously.
|
|
|
bce470 |
|
|
|
bce470 |
The policy requirements can also be used to decide whether an individual signature is accepted (= is signed by a recognized key of a known author);
|
|
|
bce470 |
in that case some requirements may apply only to some signatures, but each signature must be accepted by *at least one* requirement object.
|
|
|
bce470 |
|
|
|
bce470 |
The following requirement objects are supported:
|
|
|
bce470 |
|
|
|
bce470 |
### `insecureAcceptAnything`
|
|
|
bce470 |
|
|
|
bce470 |
A simple requirement with the following syntax
|
|
|
bce470 |
|
|
|
bce470 |
```json
|
|
|
bce470 |
{"type":"insecureAcceptAnything"}
|
|
|
bce470 |
```
|
|
|
bce470 |
|
|
|
bce470 |
This requirement accepts any image (but note that other requirements in the array still apply).
|
|
|
bce470 |
|
|
|
bce470 |
When deciding to accept an individual signature, this requirement does not have any effect; it does *not* cause the signature to be accepted, though.
|
|
|
bce470 |
|
|
|
bce470 |
This is useful primarily for policy scopes where no signature verification is required;
|
|
|
bce470 |
because the array of policy requirements must not be empty, this requirement is used
|
|
|
bce470 |
to represent the lack of requirements explicitly.
|
|
|
bce470 |
|
|
|
bce470 |
### `reject`
|
|
|
bce470 |
|
|
|
bce470 |
A simple requirement with the following syntax:
|
|
|
bce470 |
|
|
|
bce470 |
```json
|
|
|
bce470 |
{"type":"reject"}
|
|
|
bce470 |
```
|
|
|
bce470 |
|
|
|
bce470 |
This requirement rejects every image, and every signature.
|
|
|
bce470 |
|
|
|
bce470 |
### `signedBy`
|
|
|
bce470 |
|
|
|
38a67a |
This requirement requires an image to be signed using “simple signing” with an expected identity, or accepts a signature if it is using an expected identity and key.
|
|
|
bce470 |
|
|
|
bce470 |
```js
|
|
|
bce470 |
{
|
|
|
bce470 |
"type": "signedBy",
|
|
|
bce470 |
"keyType": "GPGKeys", /* The only currently supported value */
|
|
|
bce470 |
"keyPath": "/path/to/local/keyring/file",
|
|
|
38a67a |
"keyPaths": ["/path/to/local/keyring/file1","/path/to/local/keyring/file2"…],
|
|
|
bce470 |
"keyData": "base64-encoded-keyring-data",
|
|
|
bce470 |
"signedIdentity": identity_requirement
|
|
|
bce470 |
}
|
|
|
bce470 |
```
|
|
|
bce470 |
|
|
|
bce470 |
|
|
|
38a67a |
Exactly one of `keyPath`, `keyPaths` and `keyData` must be present, containing a GPG keyring of one or more public keys. Only signatures made by these keys are accepted.
|
|
|
bce470 |
|
|
|
bce470 |
The `signedIdentity` field, a JSON object, specifies what image identity the signature claims about the image.
|
|
|
bce470 |
One of the following alternatives are supported:
|
|
|
bce470 |
|
|
|
bce470 |
- The identity in the signature must exactly match the image identity. Note that with this, referencing an image by digest (with a signature claiming a _repository_`:`_tag_ identity) will fail.
|
|
|
bce470 |
|
|
|
bce470 |
```json
|
|
|
bce470 |
{"type":"matchExact"}
|
|
|
bce470 |
```
|
|
|
bce470 |
- If the image identity carries a tag, the identity in the signature must exactly match;
|
|
|
bce470 |
if the image identity uses a digest reference, the identity in the signature must be in the same repository as the image identity (using any tag).
|
|
|
bce470 |
|
|
|
bce470 |
(Note that with images identified using digest references, the digest from the reference is validated even before signature verification starts.)
|
|
|
bce470 |
|
|
|
bce470 |
```json
|
|
|
bce470 |
{"type":"matchRepoDigestOrExact"}
|
|
|
bce470 |
```
|
|
|
bce470 |
- The identity in the signature must be in the same repository as the image identity. This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifying an exact image version.
|
|
|
bce470 |
|
|
|
bce470 |
```json
|
|
|
bce470 |
{"type":"matchRepository"}
|
|
|
bce470 |
```
|
|
|
bce470 |
- The identity in the signature must exactly match a specified identity.
|
|
|
bce470 |
This is useful e.g. when locally mirroring images signed using their public identity.
|
|
|
bce470 |
|
|
|
bce470 |
```js
|
|
|
bce470 |
{
|
|
|
bce470 |
"type": "exactReference",
|
|
|
bce470 |
"dockerReference": docker_reference_value
|
|
|
bce470 |
}
|
|
|
bce470 |
```
|
|
|
bce470 |
- The identity in the signature must be in the same repository as a specified identity.
|
|
|
bce470 |
This combines the properties of `matchRepository` and `exactReference`.
|
|
|
bce470 |
|
|
|
bce470 |
```js
|
|
|
bce470 |
{
|
|
|
bce470 |
"type": "exactRepository",
|
|
|
bce470 |
"dockerRepository": docker_repository_value
|
|
|
bce470 |
}
|
|
|
bce470 |
```
|
|
|
bce470 |
- Prefix remapping:
|
|
|
bce470 |
|
|
|
bce470 |
If the image identity matches the specified prefix, that prefix is replaced by the specified “signed prefix”
|
|
|
bce470 |
(otherwise it is used as unchanged and no remapping takes place);
|
|
|
bce470 |
matching then follows the `matchRepoDigestOrExact` semantics documented above
|
|
|
bce470 |
(i.e. if the image identity carries a tag, the identity in the signature must exactly match,
|
|
|
bce470 |
if it uses a digest reference, the repository must match).
|
|
|
bce470 |
|
|
|
bce470 |
The `prefix` and `signedPrefix` values can be either host[:port] values
|
|
|
bce470 |
(matching exactly the same host[:port], string),
|
|
|
bce470 |
repository namespaces, or repositories (i.e. they must not contain tags/digests),
|
|
|
bce470 |
and match as prefixes *of the fully expanded form*.
|
|
|
bce470 |
For example, `docker.io/library/busybox` (*not* `busybox`) to specify that single repository,
|
|
|
bce470 |
or `docker.io/library` (not an empty string) to specify the parent namespace of `docker.io/library/busybox`==`busybox`).
|
|
|
bce470 |
|
|
|
bce470 |
The `prefix` value is usually the same as the scope containing the parent `signedBy` requirement.
|
|
|
bce470 |
|
|
|
bce470 |
```js
|
|
|
bce470 |
{
|
|
|
bce470 |
"type": "remapIdentity",
|
|
|
bce470 |
"prefix": prefix,
|
|
|
bce470 |
"signedPrefix": prefix,
|
|
|
bce470 |
}
|
|
|
bce470 |
```
|
|
|
bce470 |
|
|
|
bce470 |
If the `signedIdentity` field is missing, it is treated as `matchRepoDigestOrExact`.
|
|
|
bce470 |
|
|
|
bce470 |
*Note*: `matchExact`, `matchRepoDigestOrExact` and `matchRepository` can be only used if a Docker-like image identity is
|
|
|
bce470 |
provided by the transport. In particular, the `dir:` and `oci:` transports can be only
|
|
|
bce470 |
used with `exactReference` or `exactRepository`.
|
|
|
bce470 |
|
|
|
bce470 |
|
|
|
bce470 |
|
|
|
38a67a |
|
|
|
38a67a |
### `sigstoreSigned`
|
|
|
38a67a |
|
|
|
38a67a |
This requirement requires an image to be signed using a sigstore signature with an expected identity and key.
|
|
|
38a67a |
|
|
|
38a67a |
```js
|
|
|
38a67a |
{
|
|
|
38a67a |
"type": "sigstoreSigned",
|
|
|
38a67a |
"keyPath": "/path/to/local/keyring/file",
|
|
|
38a67a |
"keyData": "base64-encoded-keyring-data",
|
|
|
38a67a |
"signedIdentity": identity_requirement
|
|
|
38a67a |
}
|
|
|
38a67a |
```
|
|
|
38a67a |
Exactly one of `keyPath` and `keyData` must be present, containing a sigstore public key. Only signatures made by this key is accepted.
|
|
|
38a67a |
|
|
|
38a67a |
The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
|
|
|
38a67a |
Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).
|
|
|
38a67a |
|
|
|
38a67a |
To use this with images hosted on image registries, the relevant registry or repository must have the `use-sigstore-attachments` option enabled in containers-registries.d(5).
|
|
|
38a67a |
|
|
|
bce470 |
## Examples
|
|
|
bce470 |
|
|
|
bce470 |
It is *strongly* recommended to set the `default` policy to `reject`, and then
|
|
|
bce470 |
selectively allow individual transports and scopes as desired.
|
|
|
bce470 |
|
|
|
bce470 |
### A reasonably locked-down system
|
|
|
bce470 |
|
|
|
bce470 |
(Note that the `/*`…`*/` comments are not valid in JSON, and must not be used in real policies.)
|
|
|
bce470 |
|
|
|
bce470 |
```js
|
|
|
bce470 |
{
|
|
|
bce470 |
"default": [{"type": "reject"}], /* Reject anything not explicitly allowed */
|
|
|
bce470 |
"transports": {
|
|
|
bce470 |
"docker": {
|
|
|
bce470 |
/* Allow installing images from a specific repository namespace, without cryptographic verification.
|
|
|
bce470 |
This namespace includes images like openshift/hello-openshift and openshift/origin. */
|
|
|
bce470 |
"docker.io/openshift": [{"type": "insecureAcceptAnything"}],
|
|
|
bce470 |
/* Similarly, allow installing the “official” busybox images. Note how the fully expanded
|
|
|
bce470 |
form, with the explicit /library/, must be used. */
|
|
|
38a67a |
"docker.io/library/busybox": [{"type": "insecureAcceptAnything"}],
|
|
|
bce470 |
/* Allow installing images from all subdomains */
|
|
|
38a67a |
"*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}],
|
|
|
38a67a |
/* A sigstore-signed repository */
|
|
|
38a67a |
"hostname:5000/myns/sigstore-signed-with-full-references": [
|
|
|
38a67a |
{
|
|
|
38a67a |
"type": "sigstoreSigned",
|
|
|
38a67a |
"keyPath": "/path/to/sigstore-pubkey.pub"
|
|
|
38a67a |
}
|
|
|
38a67a |
],
|
|
|
38a67a |
/* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
|
|
|
38a67a |
"hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
|
|
|
38a67a |
{
|
|
|
38a67a |
"type": "sigstoreSigned",
|
|
|
38a67a |
"keyPath": "/path/to/sigstore-pubkey.pub",
|
|
|
38a67a |
"signedIdentity": {"type": "matchRepository"}
|
|
|
38a67a |
}
|
|
|
38a67a |
]
|
|
|
bce470 |
/* Other docker: images use the global default policy and are rejected */
|
|
|
bce470 |
},
|
|
|
bce470 |
"dir": {
|
|
|
bce470 |
"": [{"type": "insecureAcceptAnything"}] /* Allow any images originating in local directories */
|
|
|
bce470 |
},
|
|
|
bce470 |
"atomic": {
|
|
|
bce470 |
/* The common case: using a known key for a repository or set of repositories */
|
|
|
bce470 |
"hostname:5000/myns/official": [
|
|
|
bce470 |
{
|
|
|
bce470 |
"type": "signedBy",
|
|
|
bce470 |
"keyType": "GPGKeys",
|
|
|
bce470 |
"keyPath": "/path/to/official-pubkey.gpg"
|
|
|
bce470 |
}
|
|
|
bce470 |
],
|
|
|
bce470 |
/* A more complex example, for a repository which contains a mirror of a third-party product,
|
|
|
bce470 |
which must be signed-off by local IT */
|
|
|
bce470 |
"hostname:5000/vendor/product": [
|
|
|
bce470 |
{ /* Require the image to be signed by the original vendor, using the vendor's repository location. */
|
|
|
bce470 |
"type": "signedBy",
|
|
|
bce470 |
"keyType": "GPGKeys",
|
|
|
bce470 |
"keyPath": "/path/to/vendor-pubkey.gpg",
|
|
|
bce470 |
"signedIdentity": {
|
|
|
bce470 |
"type": "exactRepository",
|
|
|
bce470 |
"dockerRepository": "vendor-hostname/product/repository"
|
|
|
bce470 |
}
|
|
|
bce470 |
},
|
|
|
bce470 |
{ /* Require the image to _also_ be signed by a local reviewer. */
|
|
|
bce470 |
"type": "signedBy",
|
|
|
bce470 |
"keyType": "GPGKeys",
|
|
|
bce470 |
"keyPath": "/path/to/reviewer-pubkey.gpg"
|
|
|
bce470 |
}
|
|
|
bce470 |
],
|
|
|
bce470 |
/* A way to mirror many repositories from a single vendor */
|
|
|
bce470 |
"private-mirror:5000/vendor-mirror": [
|
|
|
bce470 |
{ /* Require the image to be signed by the original vendor, using the vendor's repository location.
|
|
|
bce470 |
For example, private-mirror:5000/vendor-mirror/productA/image1:latest needs to be signed as
|
|
|
bce470 |
vendor.example/productA/image1:latest . */
|
|
|
bce470 |
"type": "signedBy",
|
|
|
bce470 |
"keyType": "GPGKeys",
|
|
|
bce470 |
"keyPath": "/path/to/vendor-pubkey.gpg",
|
|
|
bce470 |
"signedIdentity": {
|
|
|
bce470 |
"type": "remapIdentity",
|
|
|
bce470 |
"prefix": "private-mirror:5000/vendor-mirror",
|
|
|
38a67a |
"signedPrefix": "vendor.example.com"
|
|
|
bce470 |
}
|
|
|
bce470 |
}
|
|
|
bce470 |
]
|
|
|
bce470 |
}
|
|
|
bce470 |
}
|
|
|
bce470 |
}
|
|
|
bce470 |
```
|
|
|
bce470 |
|
|
|
bce470 |
### Completely disable security, allow all images, do not trust any signatures
|
|
|
bce470 |
|
|
|
bce470 |
```json
|
|
|
bce470 |
{
|
|
|
bce470 |
"default": [{"type": "insecureAcceptAnything"}]
|
|
|
bce470 |
}
|
|
|
bce470 |
```
|
|
|
bce470 |
## SEE ALSO
|
|
|
bce470 |
atomic(1)
|
|
|
bce470 |
|
|
|
bce470 |
## HISTORY
|
|
|
bce470 |
August 2018, Rename to containers-policy.json(5) by Valentin Rothberg <vrothberg@suse.com>
|
|
|
bce470 |
|
|
|
bce470 |
September 2016, Originally compiled by Miloslav Trmač <mitr@redhat.com>
|