1OC ADM(1) June 2016 OC ADM(1)
2
6 oc adm verify-image-signature - Verify the image identity contained in
7 the image signature
8
12 oc adm verify-image-signature [OPTIONS]
13
17 Verifies the image signature of an image imported to internal registry
18 using the local public GPG key.
19 This command verifies if the image identity contained in the image sig‐
22 nature can be trusted by using the public GPG key to verify the signa‐
23 ture itself and matching the provided expected identity with the iden‐
24 tity (pull spec) of the given image. By default, this command will use
25 the public GPG keyring located in "$GNUPGHOME/.gnupg/pubring.gpg"
26 By default, this command will not save the result of the verification
29 back to the image object, to do so user have to specify the "--save"
30 flag. Note that to modify the image signature verification status, user
31 have to have permissions to edit an image object (usually an
32 "image-auditor" role).
33 Note that using the "--save" flag on already verified image together
36 with invalid GPG key or invalid expected identity will cause the saved
37 verification status to be removed and the image will become "unveri‐
38 fied".
39 If this command is outside the cluster, users have to specify the
42 "--registry-url" parameter with the public URL of image registry.
43 To remove all verifications, users can use the "--remove-all" flag.
46
50 --expected-identity=""
51 An expected image docker reference to verify (required).
52 --insecure=false
55 If set, use the insecure protocol for registry communication.
56 --public-key="pubring.gpg"
59 A path to a public GPG key to be used for verification. (defaults
60 to "pubring.gpg")
61 --registry-url=""
64 The address to use when contacting the registry, instead of using
65 the internal cluster address. This is useful if you can't resolve or
66 reach the internal registry address.
67 --remove-all=false
70 If set, all signature verifications will be removed from the given
71 image.
72 --save=false
75 If true, the result of the verification will be saved to an image
76 object.
77
81 --allow_verification_with_non_compliant_keys=false
82 Allow a SignatureVerifier to use keys which are technically
83 non-compliant with RFC6962.
84 --alsologtostderr=false
87 log to standard error as well as files
88 --application_metrics_count_limit=100
91 Max number of application metrics to store (per container)
92 --as=""
95 Username to impersonate for the operation
96 --as-group=[]
99 Group to impersonate for the operation, this flag can be repeated
100 to specify multiple groups.
101 --azure-container-registry-config=""
104 Path to the file containing Azure container registry configuration
105 information.
106 --boot_id_file="/proc/sys/kernel/random/boot_id"
109 Comma-separated list of files to check for boot-id. Use the first
110 one that exists.
111 --cache-dir="/builddir/.kube/http-cache"
114 Default HTTP cache directory
115 --certificate-authority=""
118 Path to a cert file for the certificate authority
119 --client-certificate=""
122 Path to a client certificate file for TLS
123 --client-key=""
126 Path to a client key file for TLS
127 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
130 CIDRs opened in GCE firewall for LB traffic proxy health checks
131 --cluster=""
134 The name of the kubeconfig cluster to use
135 --container_hints="/etc/cadvisor/container_hints.json"
138 location of the container hints file
139 --containerd="unix:///var/run/containerd.sock"
142 containerd endpoint
143 --context=""
146 The name of the kubeconfig context to use
147 --default-not-ready-toleration-seconds=300
150 Indicates the tolerationSeconds of the toleration for
151 notReady:NoExecute that is added by default to every pod that does not
152 already have such a toleration.
153 --default-unreachable-toleration-seconds=300
156 Indicates the tolerationSeconds of the toleration for unreach‐
157 able:NoExecute that is added by default to every pod that does not
158 already have such a toleration.
159 --docker="unix:///var/run/docker.sock"
162 docker endpoint
163 --docker-tls=false
166 use TLS to connect to docker
167 --docker-tls-ca="ca.pem"
170 path to trusted CA
171 --docker-tls-cert="cert.pem"
174 path to client certificate
175 --docker-tls-key="key.pem"
178 path to private key
179 --docker_env_metadata_whitelist=""
182 a comma-separated list of environment variable keys that needs to
183 be collected for docker containers
184 --docker_only=false
187 Only report docker containers in addition to root stats
188 --docker_root="/var/lib/docker"
191 DEPRECATED: docker root is read from docker info (this is a fall‐
192 back, default: /var/lib/docker)
193 --enable_load_reader=false
196 Whether to enable cpu load reader
197 --event_storage_age_limit="default=24h"
200 Max length of time for which to store events (per type). Value is a
201 comma separated list of key values, where the keys are event types
202 (e.g.: creation, oom) or "default" and the value is a duration. Default
203 is applied to all non-specified event types
204 --event_storage_event_limit="default=100000"
207 Max number of events to store (per type). Value is a comma sepa‐
208 rated list of key values, where the keys are event types (e.g.: cre‐
209 ation, oom) or "default" and the value is an integer. Default is
210 applied to all non-specified event types
211 --global_housekeeping_interval=0
214 Interval between global housekeepings
215 --housekeeping_interval=0
218 Interval between container housekeepings
219 --httptest.serve=""
222 if non-empty, httptest.NewServer serves on this address and blocks
223 --insecure-skip-tls-verify=false
226 If true, the server's certificate will not be checked for validity.
227 This will make your HTTPS connections insecure
228 --kubeconfig=""
231 Path to the kubeconfig file to use for CLI requests.
232 --log-flush-frequency=0
235 Maximum number of seconds between log flushes
236 --log_backtrace_at=:0
239 when logging hits line file:N, emit a stack trace
240 --log_cadvisor_usage=false
243 Whether to log the usage of the cAdvisor container
244 --log_dir=""
247 If non-empty, write log files in this directory
248 --logtostderr=true
251 log to standard error instead of files
252 --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
255 Comma-separated list of files to check for machine-id. Use the
256 first one that exists.
257 --match-server-version=false
260 Require server version to match client version
261 -n, --namespace=""
264 If present, the namespace scope for this CLI request
265 --request-timeout="0"
268 The length of time to wait before giving up on a single server
269 request. Non-zero values should contain a corresponding time unit (e.g.
270 1s, 2m, 3h). A value of zero means don't timeout requests.
271 -s, --server=""
274 The address and port of the Kubernetes API server
275 --stderrthreshold=2
278 logs at or above this threshold go to stderr
279 --storage_driver_buffer_duration=0
282 Writes in the storage driver will be buffered for this duration,
283 and committed to the non memory backends as a single transaction
284 --storage_driver_db="cadvisor"
287 database name
288 --storage_driver_host="localhost:8086"
291 database host:port
292 --storage_driver_password="root"
295 database password
296 --storage_driver_secure=false
299 use secure connection with database
300 --storage_driver_table="stats"
303 table name
304 --storage_driver_user="root"
307 database username
308 --token=""
311 Bearer token for authentication to the API server
312 --user=""
315 The name of the kubeconfig user to use
316 -v, --v=0
319 log level for V logs
320 --version=false
323 Print version information and quit
324 --vmodule=
327 comma-separated list of pattern=N settings for file-filtered log‐
328 ging
329
333 # Verify the image signature and identity using the local GPG keychain
334 oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
335 --expected-identity=registry.local:5000/foo/bar:v1
336 # Verify the image signature and identity using the local GPG keychain and save the status
338 oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
339 --expected-identity=registry.local:5000/foo/bar:v1 --save
340 # Verify the image signature and identity via exposed registry route
342 oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
343 --expected-identity=registry.local:5000/foo/bar:v1 \
344 --registry-url=docker-registry.foo.com
345 # Remove all signature verifications from the image
347 oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all
348
353 oc-adm(1),
354
358 June 2016, Ported from the Kubernetes man-doc generator
359Openshift Openshift CLI User Manuals OC ADM(1)