1OC ADM(1) June 2016 OC ADM(1)
2
6 oc adm verify-image-signature - Verify the image identity contained in
7 the image signature
8
12 oc adm verify-image-signature [OPTIONS]
13
17 Verifies the image signature of an image imported to internal registry
18 using the local public GPG key.
19 This command verifies if the image identity contained in the image sig‐
22 nature can be trusted by using the public GPG key to verify the signa‐
23 ture itself and matching the provided expected identity with the iden‐
24 tity (pull spec) of the given image. By default, this command will use
25 the public GPG keyring located in "$GNUPGHOME/.gnupg/pubring.gpg"
26 By default, this command will not save the result of the verification
29 back to the image object, to do so user have to specify the "--save"
30 flag. Note that to modify the image signature verification status, user
31 have to have permissions to edit an image object (usually an
32 "image-auditor" role).
33 Note that using the "--save" flag on already verified image together
36 with invalid GPG key or invalid expected identity will cause the saved
37 verification status to be removed and the image will become "unveri‐
38 fied".
39 If this command is outside the cluster, users have to specify the
42 "--registry-url" parameter with the public URL of image registry.
43 To remove all verifications, users can use the "--remove-all" flag.
46
50 --expected-identity=""
51 An expected image docker reference to verify (required).
52 --insecure=false
55 If set, use the insecure protocol for registry communication.
56 --public-key="pubring.gpg"
59 A path to a public GPG key to be used for verification. (defaults
60 to "pubring.gpg")
61 --registry-url=""
64 The address to use when contacting the registry, instead of using
65 the internal cluster address. This is useful if you can't resolve or
66 reach the internal registry address.
67 --remove-all=false
70 If set, all signature verifications will be removed from the given
71 image.
72 --save=false
75 If true, the result of the verification will be saved to an image
76 object.
77
81 --allow_verification_with_non_compliant_keys=false
82 Allow a SignatureVerifier to use keys which are technically
83 non-compliant with RFC6962.
84 --alsologtostderr=false
87 log to standard error as well as files
88 --application_metrics_count_limit=100
91 Max number of application metrics to store (per container)
92 --as=""
95 Username to impersonate for the operation
96 --as-group=[]
99 Group to impersonate for the operation, this flag can be repeated
100 to specify multiple groups.
101 --azure-container-registry-config=""
104 Path to the file containing Azure container registry configuration
105 information.
106 --boot_id_file="/proc/sys/kernel/random/boot_id"
109 Comma-separated list of files to check for boot-id. Use the first
110 one that exists.
111 --cache-dir="/builddir/.kube/http-cache"
114 Default HTTP cache directory
115 --certificate-authority=""
118 Path to a cert file for the certificate authority
119 --client-certificate=""
122 Path to a client certificate file for TLS
123 --client-key=""
126 Path to a client key file for TLS
127 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
130 CIDRs opened in GCE firewall for LB traffic proxy health checks
131 --cluster=""
134 The name of the kubeconfig cluster to use
135 --container_hints="/etc/cadvisor/container_hints.json"
138 location of the container hints file
139 --containerd="unix:///var/run/containerd.sock"
142 containerd endpoint
143 --context=""
146 The name of the kubeconfig context to use
147 --default-not-ready-toleration-seconds=300
150 Indicates the tolerationSeconds of the toleration for
151 notReady:NoExecute that is added by default to every pod that does not
152 already have such a toleration.
153 --default-unreachable-toleration-seconds=300
156 Indicates the tolerationSeconds of the toleration for unreach‐
157 able:NoExecute that is added by default to every pod that does not
158 already have such a toleration.
159 --docker="unix:///var/run/docker.sock"
162 docker endpoint
163 --docker-tls=false
166 use TLS to connect to docker
167 --docker-tls-ca="ca.pem"
170 path to trusted CA
171 --docker-tls-cert="cert.pem"
174 path to client certificate
175 --docker-tls-key="key.pem"
178 path to private key
179 --docker_env_metadata_whitelist=""
182 a comma-separated list of environment variable keys that needs to
183 be collected for docker containers
184 --docker_only=false
187 Only report docker containers in addition to root stats
188 --docker_root="/var/lib/docker"
191 DEPRECATED: docker root is read from docker info (this is a fall‐
192 back, default: /var/lib/docker)
193 --enable_load_reader=false
196 Whether to enable cpu load reader
197 --event_storage_age_limit="default=24h"
200 Max length of time for which to store events (per type). Value is a
201 comma separated list of key values, where the keys are event types
202 (e.g.: creation, oom) or "default" and the value is a duration. Default
203 is applied to all non-specified event types
204 --event_storage_event_limit="default=100000"
207 Max number of events to store (per type). Value is a comma sepa‐
208 rated list of key values, where the keys are event types (e.g.: cre‐
209 ation, oom) or "default" and the value is an integer. Default is
210 applied to all non-specified event types
211 --global_housekeeping_interval=0
214 Interval between global housekeepings
215 --housekeeping_interval=0
218 Interval between container housekeepings
219 --insecure-skip-tls-verify=false
222 If true, the server's certificate will not be checked for validity.
223 This will make your HTTPS connections insecure
224 --kubeconfig=""
227 Path to the kubeconfig file to use for CLI requests.
228 --log-flush-frequency=0
231 Maximum number of seconds between log flushes
232 --log_backtrace_at=:0
235 when logging hits line file:N, emit a stack trace
236 --log_cadvisor_usage=false
239 Whether to log the usage of the cAdvisor container
240 --log_dir=""
243 If non-empty, write log files in this directory
244 --logtostderr=true
247 log to standard error instead of files
248 --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
251 Comma-separated list of files to check for machine-id. Use the
252 first one that exists.
253 --match-server-version=false
256 Require server version to match client version
257 -n, --namespace=""
260 If present, the namespace scope for this CLI request
261 --request-timeout="0"
264 The length of time to wait before giving up on a single server
265 request. Non-zero values should contain a corresponding time unit (e.g.
266 1s, 2m, 3h). A value of zero means don't timeout requests.
267 -s, --server=""
270 The address and port of the Kubernetes API server
271 --stderrthreshold=2
274 logs at or above this threshold go to stderr
275 --storage_driver_buffer_duration=0
278 Writes in the storage driver will be buffered for this duration,
279 and committed to the non memory backends as a single transaction
280 --storage_driver_db="cadvisor"
283 database name
284 --storage_driver_host="localhost:8086"
287 database host:port
288 --storage_driver_password="root"
291 database password
292 --storage_driver_secure=false
295 use secure connection with database
296 --storage_driver_table="stats"
299 table name
300 --storage_driver_user="root"
303 database username
304 --token=""
307 Bearer token for authentication to the API server
308 --user=""
311 The name of the kubeconfig user to use
312 -v, --v=0
315 log level for V logs
316 --version=false
319 Print version information and quit
320 --vmodule=
323 comma-separated list of pattern=N settings for file-filtered log‐
324 ging
325
329 # Verify the image signature and identity using the local GPG keychain
330 oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
331 --expected-identity=registry.local:5000/foo/bar:v1
332 # Verify the image signature and identity using the local GPG keychain and save the status
334 oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
335 --expected-identity=registry.local:5000/foo/bar:v1 --save
336 # Verify the image signature and identity via exposed registry route
338 oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
339 --expected-identity=registry.local:5000/foo/bar:v1 \
340 --registry-url=docker-registry.foo.com
341 # Remove all signature verifications from the image
343 oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all
344
349 oc-adm(1),
350
354 June 2016, Ported from the Kubernetes man-doc generator
355Openshift Openshift CLI User Manuals OC ADM(1)