The following covers the default “bindir” ImageVerifier plugin implementation.
To enable image verification, add a stanza like the following to the containerd config:
```toml
[plugins]
  [plugins."io.containerd.image-verifier.v1.bindir"]
    bin_dir = "/opt/containerd/image-verifier/bin"
    max_verifiers = 10
    per_verifier_timeout = "10s"
```
All files in `bin_dir`, if it exists, must be verifier executables that conform to the following API. Because containerd executes every file it finds there, treat the directory as trusted code: anyone who can write to it decides which images may be pulled, so it should be writable only by the account containerd runs as.
The verifier is invoked with the following CLI arguments:

- `-name`: The given reference to the image that may be pulled.
- `-digest`: The resolved digest of the image that may be pulled.
- `-stdin-media-type`: The media type of the JSON data passed to stdin.

A JSON encoded payload is passed to the verifier binary's standard input. The media type of this payload is specified by the `-stdin-media-type` CLI argument, and may change in future versions of containerd. Currently, the payload has a media type of `application/vnd.oci.descriptor.v1+json` and represents the OCI Content Descriptor of the image that may be pulled. See the OCI specification for more details.
Print to standard output a reason for the image pull judgement.
Return an exit code of 0 to allow the image to be pulled and any other exit code to block the image from being pulled.
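The following is an added example of a verifier binary that implements the API above; it is not containerd's own code or a shipped verifier. The policy it enforces (a registry allowlist, a digest cross-check between the `-digest` flag and the descriptor on stdin, and failing closed on an unexpected stdin media type) is a constructed assumption for illustration; the flag names, the stdin payload and the exit-code contract are the ones the page documents.

```go
// Example image verifier for containerd's "bindir" plugin (added illustration,
// not containerd code). It follows the documented binary API: flags -name,
// -digest and -stdin-media-type, an OCI descriptor on stdin, a reason on
// stdout, exit 0 to allow the pull and non-zero to block it.
package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"io"
	"os"
	"strings"
)

// descriptorMediaType is the stdin media type containerd currently sends.
const descriptorMediaType = "application/vnd.oci.descriptor.v1+json"

// Descriptor mirrors the OCI content descriptor fields this verifier reads.
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

// allowedRegistries is a hypothetical policy (assumption for this example):
// only images from these prefixes may be pulled.
var allowedRegistries = []string{"registry.example.com/", "ghcr.io/example/"}

// Judge decides on one pull. It returns the exit code the binary should use
// (0 allow, 1 block) and the reason to print on stdout.
func Judge(name, digest, stdinMediaType string, payload []byte) (int, string) {
	if stdinMediaType != descriptorMediaType {
		// Fail closed: a payload we do not understand cannot be checked.
		return 1, fmt.Sprintf("unsupported stdin media type %q", stdinMediaType)
	}
	var desc Descriptor
	if err := json.Unmarshal(payload, &desc); err != nil {
		return 1, "stdin is not a valid OCI descriptor: " + err.Error()
	}
	// The -digest flag and the descriptor must agree; otherwise the verifier
	// would be judging something other than what containerd is about to pull.
	if desc.Digest == "" || desc.Digest != digest {
		return 1, fmt.Sprintf("digest mismatch: flag %q, descriptor %q", digest, desc.Digest)
	}
	for _, prefix := range allowedRegistries {
		if strings.HasPrefix(name, prefix) {
			return 0, fmt.Sprintf("%s@%s comes from allowed registry %s", name, digest, strings.TrimSuffix(prefix, "/"))
		}
	}
	return 1, fmt.Sprintf("%s is not in an allowed registry", name)
}

func main() {
	name := flag.String("name", "", "image reference that may be pulled")
	digest := flag.String("digest", "", "resolved digest of the image")
	mediaType := flag.String("stdin-media-type", "", "media type of the stdin payload")
	flag.Parse()

	payload, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Println("failed to read stdin:", err)
		os.Exit(1)
	}
	code, reason := Judge(*name, *digest, *mediaType, payload)
	fmt.Println(reason) // containerd records this as the judgement reason
	os.Exit(code)
}
```

Build it and install the binary into `bin_dir`; containerd then runs it for every pull. Note that the digest cross-check and the media-type check are what make the verifier robust to future payload changes: if containerd ever sends a different `-stdin-media-type`, the verifier blocks rather than silently approving something it did not parse.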
Caveats:

- If `bin_dir` does not exist or contains no files, the image verifier does not block image pulls.
- The judgements of all called verifiers are combined with an `AND` operator: the pull is allowed only if every verifier allows it.
- If any verifier times out after `per_verifier_timeout` or fails to exec, the verification fails with an error and a `nil` judgement is returned.
- If `max_verifiers < 0`, there is no imposed limit on the number of image verifiers called.
- If `max_verifiers >= 0`, there is a limit imposed on the number of image verifiers called. The entries in `bin_dir` are lexicographically sorted by name, and the first `n = max_verifiers` of the verifiers will be called, and the rest will be skipped. A limit of 0 therefore calls no verifier at all, and a limit smaller than the number of files silently skips the verifiers that sort last. Name the files deliberately (for example with numeric prefixes) and keep `max_verifiers` at or above the number of verifiers you install, or set it below 0.
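The following is an added model of the caveats above, written to make their interaction visible: sorted selection under `max_verifiers`, the per-verifier timeout, and `AND` combination. It is not containerd's implementation; verifiers are in-process functions rather than executables, they run sequentially, and the treatment of a limit of 0 as equivalent to an empty `bin_dir` is an assumption of this model.

```go
// Model of the bindir verifier caveats (added illustration, not containerd
// code). Verifiers are in-process functions standing in for executables.
package main

import (
	"context"
	"errors"
	"fmt"
	"sort"
	"time"
)

// Judgement is the combined outcome: OK is true only if every called verifier allowed the pull.
type Judgement struct {
	OK     bool
	Reason string
}

// Verifier stands in for one executable in bin_dir.
type Verifier func(ctx context.Context) (ok bool, reason string, err error)

// Select applies the documented ordering and limit: entries sorted by name,
// and only the first max_verifiers of them when the limit is non-negative.
func Select(verifiers map[string]Verifier, maxVerifiers int) []string {
	names := make([]string, 0, len(verifiers))
	for n := range verifiers {
		names = append(names, n)
	}
	sort.Strings(names)
	if maxVerifiers >= 0 && len(names) > maxVerifiers {
		names = names[:maxVerifiers]
	}
	return names
}

// Verify runs the selected verifiers and ANDs their results. A timeout or an
// exec-style failure returns (nil, err) instead of a judgement.
func Verify(verifiers map[string]Verifier, maxVerifiers int, perVerifierTimeout time.Duration) (*Judgement, error) {
	names := Select(verifiers, maxVerifiers)
	if len(names) == 0 {
		// Assumption: nothing called is treated like an empty bin_dir, which does not block.
		return &Judgement{OK: true, Reason: "no verifiers called"}, nil
	}
	result := &Judgement{OK: true}
	for _, n := range names {
		ctx, cancel := context.WithTimeout(context.Background(), perVerifierTimeout)
		ok, reason, err := verifiers[n](ctx)
		cancel()
		if err != nil {
			return nil, fmt.Errorf("verifier %s: %w", n, err)
		}
		result.OK = result.OK && ok
		result.Reason += fmt.Sprintf("%s: %s\n", n, reason)
	}
	return result, nil
}

// sleeper builds a verifier that answers after d; it honours ctx so the
// per-verifier timeout is observable in-process.
func sleeper(d time.Duration, ok bool, reason string) Verifier {
	return func(ctx context.Context) (bool, string, error) {
		select {
		case <-time.After(d):
			return ok, reason, nil
		case <-ctx.Done():
			return false, "", errors.New("timed out: " + ctx.Err().Error())
		}
	}
}

func main() {
	// Constructed bin_dir contents. With max_verifiers = 2 the denying
	// "zz-policy" verifier is never called because it sorts last.
	dir := map[string]Verifier{
		"10-signature": sleeper(0, true, "signature valid"),
		"20-sbom":      sleeper(0, true, "sbom present"),
		"zz-policy":    sleeper(0, false, "image violates policy"),
	}
	for _, limit := range []int{2, -1} {
		j, err := Verify(dir, limit, time.Second)
		if err != nil {
			fmt.Printf("max_verifiers=%d: error %v (nil judgement)\n", limit, err)
			continue
		}
		fmt.Printf("max_verifiers=%d: ok=%v\n%s", limit, j.OK, j.Reason)
	}
}
```

Running it shows the pull allowed under `max_verifiers = 2` and blocked under `max_verifiers = -1`, which is the failure mode the naming caveat warns about: the limit is applied by sorted name, not by how important a verifier is.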