1OC ADM(1)                          June 2016                         OC ADM(1)
2
3
4

NAME

6       oc  adm verify-image-signature - Verify the image identity contained in
7       the image signature
8
9
10

SYNOPSIS

12       oc adm verify-image-signature [OPTIONS]
13
14
15

DESCRIPTION

17       Verifies the image signature of an image imported to internal  registry
18       using the local public GPG key.
19
20
21       This command verifies if the image identity contained in the image sig‐
22       nature can be trusted by using the public GPG key to verify the  signa‐
23       ture  itself and matching the provided expected identity with the iden‐
24       tity (pull spec) of the given image. By default, this command will  use
25       the public GPG keyring located in "$GNUPGHOME/.gnupg/pubring.gpg"
26
27
28       By  default,  this command will not save the result of the verification
29       back to the image object, to do so user have to  specify  the  "--save"
30       flag. Note that to modify the image signature verification status, user
31       have  to  have  permissions  to  edit  an  image  object  (usually   an
32       "image-auditor" role).
33
34
35       Note  that  using  the "--save" flag on already verified image together
36       with invalid GPG key or invalid expected identity will cause the  saved
37       verification  status  to  be removed and the image will become "unveri‐
38       fied".
39
40
41       If this command is outside the  cluster,  users  have  to  specify  the
42       "--registry-url" parameter with the public URL of image registry.
43
44
45       To remove all verifications, users can use the "--remove-all" flag.
46
47
48

OPTIONS

50       --expected-identity=""
51           An expected image docker reference to verify (required).
52
53
54       --insecure=false
55           If set, use the insecure protocol for registry communication.
56
57
58       --public-key="pubring.gpg"
59           A  path  to a public GPG key to be used for verification. (defaults
60       to "pubring.gpg")
61
62
63       --registry-url=""
64           The address to use when contacting the registry, instead  of  using
65       the  internal  cluster  address. This is useful if you can't resolve or
66       reach the internal registry address.
67
68
69       --remove-all=false
70           If set, all signature verifications will be removed from the  given
71       image.
72
73
74       --save=false
75           If  true,  the result of the verification will be saved to an image
76       object.
77
78
79

OPTIONS INHERITED FROM PARENT COMMANDS

81       --allow_verification_with_non_compliant_keys=false
82           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
83       non-compliant with RFC6962.
84
85
86       --alsologtostderr=false
87           log to standard error as well as files
88
89
90       --application_metrics_count_limit=100
91           Max number of application metrics to store (per container)
92
93
94       --as=""
95           Username to impersonate for the operation
96
97
98       --as-group=[]
99           Group  to  impersonate for the operation, this flag can be repeated
100       to specify multiple groups.
101
102
103       --azure-container-registry-config=""
104           Path to the file containing Azure container registry  configuration
105       information.
106
107
108       --boot_id_file="/proc/sys/kernel/random/boot_id"
109           Comma-separated  list  of files to check for boot-id. Use the first
110       one that exists.
111
112
113       --cache-dir="/builddir/.kube/http-cache"
114           Default HTTP cache directory
115
116
117       --certificate-authority=""
118           Path to a cert file for the certificate authority
119
120
121       --client-certificate=""
122           Path to a client certificate file for TLS
123
124
125       --client-key=""
126           Path to a client key file for TLS
127
128
129       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
130           CIDRs opened in GCE firewall for LB traffic proxy  health checks
131
132
133       --cluster=""
134           The name of the kubeconfig cluster to use
135
136
137       --container_hints="/etc/cadvisor/container_hints.json"
138           location of the container hints file
139
140
141       --containerd="unix:///var/run/containerd.sock"
142           containerd endpoint
143
144
145       --context=""
146           The name of the kubeconfig context to use
147
148
149       --default-not-ready-toleration-seconds=300
150           Indicates    the    tolerationSeconds   of   the   toleration   for
151       notReady:NoExecute that is added by default to every pod that does  not
152       already have such a toleration.
153
154
155       --default-unreachable-toleration-seconds=300
156           Indicates  the  tolerationSeconds  of  the  toleration for unreach‐
157       able:NoExecute that is added by default to  every  pod  that  does  not
158       already have such a toleration.
159
160
161       --docker="unix:///var/run/docker.sock"
162           docker endpoint
163
164
165       --docker-tls=false
166           use TLS to connect to docker
167
168
169       --docker-tls-ca="ca.pem"
170           path to trusted CA
171
172
173       --docker-tls-cert="cert.pem"
174           path to client certificate
175
176
177       --docker-tls-key="key.pem"
178           path to private key
179
180
181       --docker_env_metadata_whitelist=""
182           a  comma-separated  list of environment variable keys that needs to
183       be collected for docker containers
184
185
186       --docker_only=false
187           Only report docker containers in addition to root stats
188
189
190       --docker_root="/var/lib/docker"
191           DEPRECATED: docker root is read from docker info (this is  a  fall‐
192       back, default: /var/lib/docker)
193
194
195       --enable_load_reader=false
196           Whether to enable cpu load reader
197
198
199       --event_storage_age_limit="default=24h"
200           Max length of time for which to store events (per type). Value is a
201       comma separated list of key values, where  the  keys  are  event  types
202       (e.g.: creation, oom) or "default" and the value is a duration. Default
203       is applied to all non-specified event types
204
205
206       --event_storage_event_limit="default=100000"
207           Max number of events to store (per type). Value is  a  comma  sepa‐
208       rated  list  of  key values, where the keys are event types (e.g.: cre‐
209       ation, oom) or "default" and  the  value  is  an  integer.  Default  is
210       applied to all non-specified event types
211
212
213       --global_housekeeping_interval=0
214           Interval between global housekeepings
215
216
217       --housekeeping_interval=0
218           Interval between container housekeepings
219
220
221       --insecure-skip-tls-verify=false
222           If true, the server's certificate will not be checked for validity.
223       This will make your HTTPS connections insecure
224
225
226       --kubeconfig=""
227           Path to the kubeconfig file to use for CLI requests.
228
229
230       --log-flush-frequency=0
231           Maximum number of seconds between log flushes
232
233
234       --log_backtrace_at=:0
235           when logging hits line file:N, emit a stack trace
236
237
238       --log_cadvisor_usage=false
239           Whether to log the usage of the cAdvisor container
240
241
242       --log_dir=""
243           If non-empty, write log files in this directory
244
245
246       --logtostderr=true
247           log to standard error instead of files
248
249
250       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
251           Comma-separated list of files to  check  for  machine-id.  Use  the
252       first one that exists.
253
254
255       --match-server-version=false
256           Require server version to match client version
257
258
259       -n, --namespace=""
260           If present, the namespace scope for this CLI request
261
262
263       --request-timeout="0"
264           The  length  of  time  to  wait before giving up on a single server
265       request. Non-zero values should contain a corresponding time unit (e.g.
266       1s, 2m, 3h). A value of zero means don't timeout requests.
267
268
269       -s, --server=""
270           The address and port of the Kubernetes API server
271
272
273       --stderrthreshold=2
274           logs at or above this threshold go to stderr
275
276
277       --storage_driver_buffer_duration=0
278           Writes  in  the  storage driver will be buffered for this duration,
279       and committed to the non memory backends as a single transaction
280
281
282       --storage_driver_db="cadvisor"
283           database name
284
285
286       --storage_driver_host="localhost:8086"
287           database host:port
288
289
290       --storage_driver_password="root"
291           database password
292
293
294       --storage_driver_secure=false
295           use secure connection with database
296
297
298       --storage_driver_table="stats"
299           table name
300
301
302       --storage_driver_user="root"
303           database username
304
305
306       --token=""
307           Bearer token for authentication to the API server
308
309
310       --user=""
311           The name of the kubeconfig user to use
312
313
314       -v, --v=0
315           log level for V logs
316
317
318       --version=false
319           Print version information and quit
320
321
322       --vmodule=
323           comma-separated list of pattern=N settings for  file-filtered  log‐
324       ging
325
326
327

EXAMPLE

329                # Verify the image signature and identity using the local GPG keychain
330                oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
331                --expected-identity=registry.local:5000/foo/bar:v1
332
333                # Verify the image signature and identity using the local GPG keychain and save the status
334                oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
335                --expected-identity=registry.local:5000/foo/bar:v1 --save
336
337                # Verify the image signature and identity via exposed registry route
338                oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
339                --expected-identity=registry.local:5000/foo/bar:v1 \
340                --registry-url=docker-registry.foo.com
341
342                # Remove all signature verifications from the image
343                oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all
344
345
346
347

SEE ALSO

349       oc-adm(1),
350
351
352

HISTORY

354       June 2016, Ported from the Kubernetes man-doc generator
355
356
357
358Openshift                  Openshift CLI User Manuals                OC ADM(1)
Impressum