Verify Image with Multiple Keys
There may be multiple keys used to sign images, depending on the parties involved in the creation process. This image verification policy requires that the named image be signed by two separate keys. It looks up a global "production" key in a ConfigMap called `keys` in the `default` Namespace and also a per-Namespace key (stored under the requesting Namespace's name) in the same ConfigMap.
Policy Definition
/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-with-multi-keys
  annotations:
    policies.kyverno.io/title: Verify Image with Multiple Keys
    policies.kyverno.io/category: Software Supply Chain Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kyverno-version: 1.7.2
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      There may be multiple keys used to sign images based on
      the parties involved in the creation process. This image
      verification policy requires the named image be signed by
      two separate keys. It will search for a global "production"
      key in a ConfigMap called `keys` in the `default` Namespace
      and also a Namespace key in the same ConfigMap.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: check-image-with-two-keys
      match:
        any:
        - resources:
            kinds:
              - Pod
      context:
      - name: keys
        configMap:
          name: keys
          namespace: default
      verifyImages:
      - imageReferences:
        - "ghcr.io/myorg/myimage*"
        required: true
        attestors:
        - count: 2
          entries:
          - keys:
              publicKeys: "{{ keys.data.production }}"
          - keys:
              publicKeys: "{{ keys.data.{{request.namespace}} }}"
```
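The policy above only works if the `keys` ConfigMap it loads into context actually carries a `production` entry plus one entry named after every Namespace that deploys matching images. The following ConfigMap is an added example of that layout, not part of the policy repository; the Namespace names `staging` and `payments` and the PEM bodies are placeholders to be replaced with your own cosign public keys.

```yaml
# Companion ConfigMap for verify-image-with-multi-keys (added example).
# Must live in the `default` Namespace under the name `keys`, because the
# policy's context entry reads `configMap: {name: keys, namespace: default}`.
apiVersion: v1
kind: ConfigMap
metadata:
  name: keys
  namespace: default
data:
  # Global key: resolved by "{{ keys.data.production }}" for every request.
  production: |-
    -----BEGIN PUBLIC KEY-----
    <PLACEHOLDER: production signing public key, PEM>
    -----END PUBLIC KEY-----
  # Per-Namespace keys: the second attestor resolves
  # "{{ keys.data.{{request.namespace}} }}", so the data key must equal the
  # Namespace name of the Pod being admitted. A Namespace with no entry here
  # cannot satisfy `count: 2` and its matching Pods are rejected under Enforce.
  staging: |-
    -----BEGIN PUBLIC KEY-----
    <PLACEHOLDER: staging team signing public key, PEM>
    -----END PUBLIC KEY-----
  payments: |-
    -----BEGIN PUBLIC KEY-----
    <PLACEHOLDER: payments team signing public key, PEM>
    -----END PUBLIC KEY-----
```

Because the Namespace name is spliced into a JMESPath expression as an unquoted identifier, the example uses Namespace names without hyphens; JMESPath unquoted identifiers permit only letters, digits and underscores.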