If you run a private instance of Sigstore components, you can specify your own
TUF root by mounting your TUF root.json file into the container (for example
by mounting a Secret) and then pointing to it with –tuf-root argument as well
as using –tuf-mirror argument to point to where the TUF mirror is. There’s
an optional Secret
tuf-root that you can create with key
root that you can
root.json file in that gets mounted as
The webhook can be used to automatically validate that all the container images have been signed. The webhook also resolves the image tags to ensure the image being ran is not different from when it was admitted.
policy-controller admission controller will only validate resources in
namespaces that have chosen to opt-in. See the
Enable policy-controller Admission Controller for Namespaces instructions for more details.
ClusterImagePolicies by default every 10 hours.
Customize the resync period by using the
--policy-resync-period argument and
defining a duration for the
policy-webhook deployment. See the Golang time package’s ParseDuration for example duration string formats.
See the Configuring policy-controller ClusterImagePolicy instructions for more details on configuration.