Ensures that container images used to run Flux controllers in the cluster are signed with valid Cosign signatures. Prevents the deployment of untrusted or potentially compromised Flux images. Protects the integrity and security of the Flux deployment process.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-flux-images
  annotations:
    policies.kyverno.io/title: Verify Flux Images
    policies.kyverno.io/category: Flux
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: GitRepository
    policies.kyverno.io/description: >-
      Ensures that container images used to run Flux controllers in the cluster
      are signed with valid Cosign signatures. Prevents the deployment of
      untrusted or potentially compromised Flux images. Protects the integrity
      and security of the Flux deployment process.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - ghcr.io/fluxcd/source-controller:*
            - ghcr.io/fluxcd/kustomize-controller:*
            - ghcr.io/fluxcd/helm-controller:*
            - ghcr.io/fluxcd/notification-controller:*
            - ghcr.io/fluxcd/image-reflector-controller:*
            - ghcr.io/fluxcd/image-automation-controller:*
            - docker.io/fluxcd/source-controller:*
            - docker.io/fluxcd/kustomize-controller:*
            - docker.io/fluxcd/helm-controller:*
            - docker.io/fluxcd/notification-controller:*
            - docker.io/fluxcd/image-reflector-controller:*
            - docker.io/fluxcd/image-automation-controller:*
          mutateDigest: false
          verifyDigest: false
          attestors:
            - entries:
                - keyless:
                    subject: https://github.com/fluxcd/*
                    issuer: https://token.actions.githubusercontent.com
                    rekor:
                      url: https://rekor.sigstore.dev
```
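An added audit helper, not part of the Kyverno policy library or of Flux: given a Pod, it lists the images that fall under the policy's `imageReferences` and builds the equivalent manual `cosign verify` call for the keyless attestor (subject, issuer, Rekor URL). It assumes plain `*` wildcard matching and docker.io normalization of short image names mirror Kyverno's behaviour, and uses cosign v2 flag names; the sample Pod is constructed.

```python
"""Added audit helper (not part of the Kyverno policy library): list the images
in a Pod that verify-flux-images would check and build the matching cosign call."""
import fnmatch
import re

# Values copied from the policy above.
CONTROLLERS = ("source-controller", "kustomize-controller", "helm-controller",
               "notification-controller", "image-reflector-controller",
               "image-automation-controller")
IMAGE_REFERENCES = [f"{reg}/fluxcd/{c}:*" for reg in ("ghcr.io", "docker.io")
                    for c in CONTROLLERS]
KEYLESS_SUBJECT = "https://github.com/fluxcd/*"
KEYLESS_ISSUER = "https://token.actions.githubusercontent.com"
REKOR_URL = "https://rekor.sigstore.dev"

def normalize(image: str) -> str:
    """Qualify Docker Hub short names (assumption: mirrors how Kyverno resolves
    unqualified references to docker.io before matching imageReferences)."""
    if "/" not in image:
        return "docker.io/library/" + image
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return image
    return "docker.io/" + image

def covered_images(pod: dict) -> list[str]:
    """Normalized images from all container lists that match imageReferences
    (plain '*' wildcard matching, assumed to mirror Kyverno's)."""
    spec = pod.get("spec", {})
    imgs = [normalize(c["image"]) for key in ("initContainers", "containers",
            "ephemeralContainers") for c in spec.get(key, [])]
    return [i for i in imgs if any(fnmatch.fnmatchcase(i, p) for p in IMAGE_REFERENCES)]

def subject_regex(glob: str) -> str:
    """Anchored regex equivalent of the attestor's wildcard subject."""
    return "^" + ".*".join(re.escape(p) for p in glob.split("*")) + "$"

def cosign_verify_args(image: str) -> list[str]:
    """argv for a manual check equivalent to the policy's keyless attestor
    (cosign v2 flag names; --rekor-url carries the policy's rekor.url)."""
    return ["cosign", "verify",
            "--certificate-identity-regexp", subject_regex(KEYLESS_SUBJECT),
            "--certificate-oidc-issuer", KEYLESS_ISSUER,
            "--rekor-url", REKOR_URL, image]

# Constructed sample Pod: a ghcr image, a Docker Hub short name, an unrelated sidecar.
SAMPLE_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "manager", "image": "ghcr.io/fluxcd/source-controller:v1.3.0"},
    {"name": "helm", "image": "fluxcd/helm-controller:v1.0.1"},
    {"name": "sidecar", "image": "nginx:1.25"}]}}
```

Note that with `validationFailureAction: Audit` the policy only reports unsigned images, and with `verifyDigest: false` a tag is not pinned to a digest, so a manual check like the one above is what confirms a reported image actually fails signature verification.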
As part of the tenant provisioning process, Flux needs to generate RBAC resources. This policy will create a ServiceAccount and RoleBinding when a new or existing Namespace is labeled with `toolkit.fluxcd.io/tenant`. Use of this rule may require an additional binding for the Kyverno ServiceAccount so it has permissions to properly create the RoleBinding.
Flux source APIs include a number of different sources such as GitRepository, Bucket, HelmRepository, and ImageRepository resources. By default, each of these can be pointed at any location. In a production environment, it may be desirable to restrict them to known sources only, to prevent access to outside sources. This policy verifies that each of the Flux sources comes from a trusted location.
Ensures that Git repositories used for Flux deployments in a cluster originate from a specific, trusted organization. Prevents the use of untrusted or potentially risky Git repositories. Protects the integrity and security of Flux deployments.