There may be multiple keys used to sign images based on the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production" key in a ConfigMap called `keys` in the `default` Namespace and also a Namespace key in the same ConfigMap.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: verify-image-with-multi-keysannotations:policies.kyverno.io/title: Verify Image with Multiple Keyspolicies.kyverno.io/category: Software Supply Chain Securitypolicies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Podpolicies.kyverno.io/minversion: 1.7.0kyverno.io/kyverno-version: 1.7.2kyverno.io/kubernetes-version: "1.23"policies.kyverno.io/description: There may be multiple keys used to sign images based on the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production" key in a ConfigMap called `keys` in the `default` Namespace and also a Namespace key in the same ConfigMap.spec:validationFailureAction: Enforcebackground: falserules:- name: check-image-with-two-keysmatch:any:- resources:kinds:- Podcontext:- name: keysconfigMap:name: keysnamespace: defaultverifyImages:- imageReferences:- ghcr.io/myorg/myimage*required: trueattestors:- count: 2entries:- keys:publicKeys: "{{ keys.data.production }}"- keys:publicKeys: "{{ keys.data.{{request.namespace}} }}"
Ensures that container images used to run Flux controllers in the cluster are signed with valid Cosign signatures. Prevents the deployment of untrusted or potentially compromised Flux images. Protects the integrity and security of the Flux deployment process.
An important part of ensuring software supply chain integrity is performing periodic vulnerability scans on images. Initial scans as part of the build process is necessary, but as new vulnerabilities are discovered the scans must be refreshed. This policy ensures that images, signed with Cosign's keyless ability during a GitHub Actions workflow, have attested vulnerability scans not older than one week. This policy is expected to be customized based upon your signing strategy and applicable to the images you designate.
CVE-2022-42889 is a critical vulnerability in the Apache Commons Text library which could lead to arbitrary code executions and occurs in versions 1.5 through 1.9. Detecting the affected package may be done in an SBOM by identifying the "commons-text" package with one of the affected versions. This policy checks attested SBOMs in CycloneDX format of an image specified under `imageReferences` and denies it if it contains versions 1.5-1.9 of the commons-text package. Using this for your own purposes will require customizing the `imageReferences`, `subject`, and `issuer` fields based on your image signatures and attestations.