Verify Image

Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature of an image repo called ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying its signature against the provided public key. This policy serves as an illustration for how to configure a similar rule and will require replacing with your image(s) and keys.

Policy Definition

/other/verify-image/verify-image.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image
  annotations:
    policies.kyverno.io/title: Verify Image
    policies.kyverno.io/category: Software Supply Chain Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.7.0
    policies.kyverno.io/description: >-
      Using the Cosign project, OCI images may be signed to ensure supply chain
      security is maintained. Those signatures can be verified before pulling into
      a cluster. This policy checks the signature of an image repo called
      ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying
      its signature against the provided public key. This policy serves as an illustration for
      how to configure a similar rule and will require replacing with your image(s) and keys.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: verify-image
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - "ghcr.io/kyverno/test-verify-image*"
        mutateDigest: true
        attestors:
        - entries:
          - keys:
              publicKeys: |
                -----BEGIN PUBLIC KEY-----
                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
                5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
                -----END PUBLIC KEY-----
```
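To make concrete what "verifying its signature against the provided public key" means for the policy above, here is an added Go example (not Kyverno's or Cosign's own code). It parses the policy's PEM public key and confirms it is an ECDSA P-256 key, the key type Cosign key-pair signing uses, then reproduces the verification step on a constructed payload: a throwaway key pair signs SHA-256 of a simple-signing style JSON document naming the repository and an image digest, and the check is run once against the genuine payload and once against a payload whose digest was swapped. The digests, the throwaway key pair and the helper names (`ParseCosignPublicKey`, `DemoRoundTrip`, and so on) are constructed for this example; only the PEM key and the repository name come from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// PolicyPublicKeyPEM is the public key embedded in the verify-image policy on this page.
const PolicyPublicKeyPEM = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----`

// ParseCosignPublicKey decodes a PEM PKIX public key and requires ECDSA P-256,
// the key type used by cosign key-pair signing. Anything else is rejected.
func ParseCosignPublicKey(pemText string) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("no PEM PUBLIC KEY block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok || ec.Curve != elliptic.P256() {
		return nil, fmt.Errorf("expected an ECDSA P-256 public key")
	}
	return ec, nil
}

// SimpleSigningPayload follows the layout cosign signs for an image: the
// repository and the manifest digest live under "critical" (assumed layout).
type SimpleSigningPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
}

// NewPayload builds the JSON payload for a repository and digest.
func NewPayload(repo, digest string) []byte {
	var p SimpleSigningPayload
	p.Critical.Identity.DockerReference = repo
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	b, _ := json.Marshal(p)
	return b
}

// SignPayload signs SHA-256(payload) with an ECDSA key, producing a DER signature.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyPayload is the check the policy delegates to its verifier: the signature
// must validate over SHA-256(payload) under the configured public key.
func VerifyPayload(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	h := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// DemoRoundTrip generates a throwaway key pair (standing in for the pair that signed
// the real image), signs a constructed payload and reports whether the genuine
// payload verifies and whether a payload with a swapped digest verifies.
func DemoRoundTrip() (genuineOK, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	repo := "ghcr.io/kyverno/test-verify-image"
	// Constructed digests: not the digest of any real image.
	genuine := NewPayload(repo, "sha256:"+fmt.Sprintf("%064x", 1))
	tampered := NewPayload(repo, "sha256:"+fmt.Sprintf("%064x", 2))
	sig, err := SignPayload(priv, genuine)
	if err != nil {
		return false, false, err
	}
	return VerifyPayload(&priv.PublicKey, genuine, sig),
		VerifyPayload(&priv.PublicKey, tampered, sig), nil
}

func main() {
	if _, err := ParseCosignPublicKey(PolicyPublicKeyPEM); err != nil {
		fmt.Println("policy key:", err)
		return
	}
	fmt.Println("policy key parsed: ECDSA P-256")
	g, t, err := DemoRoundTrip()
	fmt.Println("genuine verifies:", g, "| tampered verifies:", t, "| err:", err)
}
```

The tampered case is the point of the policy: because the signed payload binds the image digest, a different image pushed under the same repository and tag does not verify, and with `validationFailureAction: Enforce` the Pod is rejected rather than admitted. `mutateDigest: true` complements this by pinning the admitted Pod to the digest that was actually verified.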