All Policies
Verify Image
Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature of an image repo called ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying its signature against the provided public key. This policy serves as an illustration for how to configure a similar rule and will require replacing with your image(s) and keys.
Policy Definition
/other/verify-image/verify-image.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: verify-image
5 annotations:
6 policies.kyverno.io/title: Verify Image
7 policies.kyverno.io/category: Software Supply Chain Security, EKS Best Practices
8 policies.kyverno.io/severity: medium
9 policies.kyverno.io/subject: Pod
10 policies.kyverno.io/minversion: 1.7.0
11 policies.kyverno.io/description: >-
12 Using the Cosign project, OCI images may be signed to ensure supply chain
13 security is maintained. Those signatures can be verified before pulling into
14 a cluster. This policy checks the signature of an image repo called
15 ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying
16 its signature against the provided public key. This policy serves as an illustration for
17 how to configure a similar rule and will require replacing with your image(s) and keys.
18spec:
19 validationFailureAction: enforce
20 background: false
21 rules:
22 - name: verify-image
23 match:
24 any:
25 - resources:
26 kinds:
27 - Pod
28 verifyImages:
29 - imageReferences:
30 - "ghcr.io/kyverno/test-verify-image*"
31 mutateDigest: true
32 attestors:
33 - entries:
34 - keys:
35 publicKeys: |
36 -----BEGIN PUBLIC KEY-----
37 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
38 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
39 -----END PUBLIC KEY-----