image-verifier-plugins
(settings.image-verifier-plugins.*)
Note: These settings are only available on aws-ecs-3 variants and aws-k8s-1.33+ variants.
Setting list for settings.image-verifier-plugins
- settings.image-verifier-plugins.<custom-verifier>
- settings.image-verifier-plugins.<custom-verifier>.trustpolicy
- settings.image-verifier-plugins.digestion
- settings.image-verifier-plugins.digestion.trustpolicy
- settings.image-verifier-plugins.enabled
- settings.image-verifier-plugins.notation
- settings.image-verifier-plugins.notation.trustpolicy
Full Reference
settings.image-verifier-plugins.<custom-verifier>
Configuration for custom verifier plugins.
A bootstrap container with a custom image can be used to install a custom verifier binary to the host at boot.
Custom verifier binaries must be installed to /opt/civ/bin and configuration files for a custom verifier can be provided at /var/lib.
settings.image-verifier-plugins.<custom-verifier>.trustpolicy
Base64 encoded trust policy for custom verifier plugins. The trust policy defines the verification requirements for the custom verifier.
Accepted values:
- Base64 encoded JSON string

# Base64 encoded custom configuration
[settings.image-verifier-plugins]
custom-verifier-trustpolicy = "eyJjdXN0b21Db25maWciOiAidmFsdWUifQ=="

apiclient set settings.image-verifier-plugins.<custom-verifier>.trustpolicy="eyJjdXN0b21Db25maWciOiAidmFsdWUifQ=="

settings.image-verifier-plugins.digestion
Configuration for digest-based image verification.
settings.image-verifier-plugins.digestion.trustpolicy
Base64 encoded trust policy for digest verification. The trust policy defines the verification requirements for digest-based image verification. The decoded JSON has the format:
{
  "version": "1.0",
  "trustedDigests": [
    "sha256:...",
    "sha256:...",
    ...
  ]
}
Accepted values:
- Base64 encoded JSON string

# Base64 encoded digestion trust policy
[settings.image-verifier-plugins]
digestion-trustpolicy = "eyJ2ZXJzaW9uIjogIjEuMCIsICJ0cnVzdGVkRGlnZXN0cyI6IFsic2hhMjU2OmFiYzEyMy4uLiJdfQ=="

apiclient set settings.image-verifier-plugins.digestion.trustpolicy="eyJ2ZXJzaW9uIjogIjEuMCIsICJ0cnVzdGVkRGlnZXN0cyI6IFsic2hhMjU2OmFiYzEyMy4uLiJdfQ=="

settings.image-verifier-plugins.enabled
Controls whether image verifier plugins are enabled. When enabled, container images will be verified using the configured plugins before being allowed to run.
Default: false
Accepted values:
- true
- false

# Enable image verifier plugins
[settings.image-verifier-plugins]
enabled = true

apiclient set settings.image-verifier-plugins.enabled=true

settings.image-verifier-plugins.notation
Configuration for Notation-based image verification.
settings.image-verifier-plugins.notation.trustpolicy
Base64 encoded trustpolicy.json file for Notation verification. The trust policy defines which identities are trusted to sign container images and the verification requirements.
Accepted values:
- Base64 encoded JSON string

# Base64 encoded empty trust policy
[settings.image-verifier-plugins]
notation-trustpolicy = "ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9"

apiclient set settings.image-verifier-plugins.notation.trustpolicy="ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9"
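For the digestion trust policy format documented above (settings.image-verifier-plugins.digestion.trustpolicy), the following is an added example, not part of the Bottlerocket documentation or code: it builds the Base64 value from a list of digests and lints an existing value before it is applied. The function names and the checks (full 64-hex sha256 digests, version "1.0", non-empty list) are this example's own assumptions, not rules stated by the page.

```python
import base64
import hashlib
import json
import re

# Strictness chosen by this example: a full SHA-256 digest, lowercase hex.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def build_digestion_policy(digests):
    """Return the Base64 string for a digestion trust policy."""
    bad = [d for d in digests if not DIGEST_RE.fullmatch(d)]
    if bad:
        raise ValueError(f"malformed digests: {bad}")
    policy = {"version": "1.0", "trustedDigests": sorted(set(digests))}
    return base64.b64encode(json.dumps(policy).encode()).decode()


def check_digestion_policy(encoded):
    """Decode a trustpolicy value and list problems (empty list = clean)."""
    try:
        policy = json.loads(base64.b64decode(encoded, validate=True))
    except ValueError as exc:  # covers bad Base64, bad UTF-8 and bad JSON
        return [f"not Base64 encoded JSON: {exc}"]
    if not isinstance(policy, dict):
        return ["top level is not a JSON object"]
    problems = []
    if policy.get("version") != "1.0":
        problems.append(f"unexpected version: {policy.get('version')!r}")
    digests = policy.get("trustedDigests")
    if not isinstance(digests, list) or not digests:
        return problems + ["trustedDigests is missing or empty"]
    for d in digests:
        if not isinstance(d, str) or not DIGEST_RE.fullmatch(d):
            problems.append(f"malformed digest: {d!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample digest; real values come from your registry.
    sample = "sha256:" + hashlib.sha256(b"constructed sample").hexdigest()
    encoded = build_digestion_policy([sample])
    print("apiclient set settings.image-verifier-plugins.digestion"
          f'.trustpolicy="{encoded}"')
    print(check_digestion_policy(encoded))
```

Run against the digestion example value on this page, check_digestion_policy reports the placeholder digest "sha256:abc123..." as malformed, which is a useful reminder to replace documentation samples with real digests before enabling verification.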