Verify SLSA Provenance (Keyless)
Provenance is used to identify how an artifact was produced and from where it originated. SLSA provenance is an industry-standard method of representing that provenance. This policy verifies that an image has SLSA provenance and was signed by the expected subject and issuer when produced through GitHub Actions. It requires configuration based upon your own values.
Policy Definition
/other/verify-image-slsa/verify-image-slsa.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-slsa-provenance-keyless
  annotations:
    policies.kyverno.io/title: Verify SLSA Provenance (Keyless)
    policies.kyverno.io/category: Software Supply Chain Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.8.3
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Provenance is used to identify how an artifact was produced
      and from where it originated. SLSA provenance is an industry-standard
      method of representing that provenance. This policy verifies that an
      image has SLSA provenance and was signed by the expected subject and issuer
      when produced through GitHub Actions. It requires configuration based upon
      your own values.
spec:
  validationFailureAction: Audit
  webhookTimeoutSeconds: 30
  rules:
  - name: check-slsa-keyless
    match:
      any:
      - resources:
          kinds:
          - Pod
    verifyImages:
    - imageReferences:
      - "myreg.org/path/repo:*"
      attestations:
      - predicateType: https://slsa.dev/provenance/v0.2
        attestors:
        - count: 1
          entries:
          - keyless:
              subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v*"
              issuer: "https://token.actions.githubusercontent.com"
              rekor:
                url: https://rekor.sigstore.dev
        conditions:
        - all:
          # This expression uses a regex pattern to ensure the builder.id in the attestation is equal to the official
          # SLSA provenance generator workflow and uses a tagged release in semver format. The dots are written as
          # [.] so they match only a literal dot, and each version component may have more than one digit. If using
          # a specific SLSA provenance generation workflow, you may need to adjust the first input as necessary.
          - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+[.][0-9]+[.][0-9]+$','{{ builder.id }}') }}"
            operator: Equals
            value: true
```
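The following is an added example (not Kyverno's code) that replays the policy's matching rules outside the cluster: it takes a decoded in-toto statement plus the subject and issuer from the Fulcio signing certificate and applies the same predicateType, issuer, subject-wildcard and builder.id checks. It assumes Kyverno's `*` wildcard matching behaves like `fnmatch`, and it does not reproduce the signature or Rekor inclusion verification that Kyverno performs before evaluating these conditions.

```python
import fnmatch
import json
import re

# Values taken from the policy above; the image name and digest are constructed samples.
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
GENERATOR = ("https://github.com/slsa-framework/slsa-github-generator"
             "/.github/workflows/generator_container_slsa3.yml")
SUBJECT_GLOB = GENERATOR + "@refs/tags/v*"  # keyless.subject, wildcard match
BUILDER_ID_RE = re.compile(re.escape(GENERATOR) + r"@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$")


def make_statement(builder_id):
    """Construct a minimal in-toto statement carrying SLSA v0.2 provenance (sample data)."""
    return json.dumps({
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": PREDICATE_TYPE,
        "subject": [{"name": "myreg.org/path/repo", "digest": {"sha256": "0" * 64}}],
        "predicate": {"builder": {"id": builder_id},
                      "buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1"},
    })


def check_attestation(statement_json, cert_subject, cert_issuer):
    """Apply the policy's rules to one attestation; returns (accepted, reason).

    cert_subject and cert_issuer are the SAN and OIDC issuer extension of the
    Fulcio certificate that signed the attestation (assumed already verified).
    """
    stmt = json.loads(statement_json)
    if stmt.get("predicateType") != PREDICATE_TYPE:
        return False, "wrong predicateType: %s" % stmt.get("predicateType")
    if cert_issuer != EXPECTED_ISSUER:
        return False, "issuer is not GitHub Actions: %s" % cert_issuer
    # Assumption: Kyverno's '*' wildcard in keyless.subject matches like fnmatch.
    if not fnmatch.fnmatchcase(cert_subject, SUBJECT_GLOB):
        return False, "signing identity is not a tagged SLSA generator workflow"
    builder_id = stmt.get("predicate", {}).get("builder", {}).get("id", "")
    if not BUILDER_ID_RE.match(builder_id):
        return False, "builder.id is not a tagged generator release: %s" % builder_id
    return True, "ok"


if __name__ == "__main__":
    tagged = GENERATOR + "@refs/tags/v1.10.0"
    print(check_attestation(make_statement(tagged), tagged, EXPECTED_ISSUER))
    # Cert identity is fine but the provenance claims an unpinned branch build: rejected.
    print(check_attestation(make_statement(GENERATOR + "@refs/heads/main"), tagged, EXPECTED_ISSUER))
```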