
Verify Manifest Integrity

Verifying the integrity of resources is important to ensure no tampering has occurred, and in some cases this needs to extend to the YAML manifests themselves as they are deployed to Kubernetes. Starting in Kyverno 1.8, manifests may be signed with Sigstore and the signature(s) validated at admission to detect tampering, while still allowing exceptions on a per-field basis. This policy verifies that Deployments are signed with the expected key (an ECDSA P-256 public key given inline under `publicKeys`) but ignores the `spec.replicas` field, so other teams can change just that value, for example by scaling, without invalidating the signature. Every field not listed under `ignoreFields` must match the signed manifest exactly. Note that the policy ships with `validationFailureAction: Audit`, so unsigned or altered Deployments are only reported in policy reports; set it to `Enforce` to reject them at admission. With `background: true`, Deployments that already exist in the cluster are scanned as well.

Policy Definition

/other/verify-manifest-integrity/verify-manifest-integrity.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-manifest-integrity
  annotations:
    policies.kyverno.io/title: Verify Manifest Integrity
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Deployment
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Verifying the integrity of resources is important to ensure no tampering has
      occurred, and in some cases this may need to be extended to certain YAML manifests
      deployed to Kubernetes. Starting in Kyverno 1.8, these manifests may be signed with
      Sigstore and the signature(s) validated to prevent this tampering while still allowing
      some exceptions on a per-field basis. This policy verifies Deployments are signed with
      the expected key but ignores the `spec.replicas` field allowing other teams to change just
      this value.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: verify-deployment-allow-replicas
      match:
        any:
        - resources:
            kinds:
              - Deployment
      validate:
        manifests:
          attestors:
          - count: 1
            entries:
            - keys:
                publicKeys: |-
                  -----BEGIN PUBLIC KEY-----
                  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEStoX3dPCFYFD2uPgTjZOf1I5UFTa
                  1tIu7uoGoyTxJqqEq7K2aqU+vy+aK76uQ5mcllc+TymVtcLk10kcKvb3FQ==
                  -----END PUBLIC KEY-----
          ignoreFields:
          - objects:
            - kind: Deployment
            fields:
            - spec.replicas
```
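To make the `ignoreFields` semantics concrete, the following Go program is an added example; it is neither Kyverno's code nor the Sigstore manifest-signing tooling. It signs a manifest's canonical JSON with an ECDSA P-256 key (the curve of the policy's public key), carries message and signature in annotations whose names are modelled on the Sigstore ones (an assumption; the real encoding is different), and then performs the admission-time check the policy describes: verify the signature with the expected key, then compare the admitted object against the signed manifest with the listed fields dropped from both sides. The sample Deployment, the annotation names and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"reflect"
	"strings"
)

// Annotation names modelled on Sigstore manifest signing (an assumption); keeping
// plain base64 of the canonical JSON in them is a simplification of the real format.
const (
	msgAnnotation = "cosign.sigstore.dev/message"
	sigAnnotation = "cosign.sigstore.dev/signature"
)

type Manifest = map[string]interface{}

// SampleDeployment returns a fresh copy of a constructed Deployment (JSON form of the YAML a user would sign).
func SampleDeployment() Manifest {
	var m Manifest
	_ = json.Unmarshal([]byte(`{"apiVersion": "apps/v1", "kind": "Deployment",
	  "metadata": {"name": "web", "namespace": "prod"},
	  "spec": {"replicas": 3, "selector": {"matchLabels": {"app": "web"}},
	    "template": {"metadata": {"labels": {"app": "web"}},
	      "spec": {"containers": [{"name": "web", "image": "ghcr.io/example/web:1.2.3"}]}}}}`), &m)
	return m
}

// GenerateKey makes a P-256 key pair, the same curve as the public key in the policy.
func GenerateKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// deleteField removes a dotted path such as "spec.replicas"; a missing path is a no-op.
func deleteField(m Manifest, path string) {
	parts := strings.Split(path, ".")
	for _, p := range parts[:len(parts)-1] {
		if m, _ = m[p].(map[string]interface{}); m == nil {
			return
		}
	}
	delete(m, parts[len(parts)-1])
}

// SignManifest signs SHA-256 of the manifest's canonical JSON (encoding/json sorts map
// keys, so the bytes are deterministic) and attaches message and signature as annotations.
func SignManifest(priv *ecdsa.PrivateKey, m Manifest) error {
	msg, _ := json.Marshal(m) // cannot fail for a map that came from JSON
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return err
	}
	md := m["metadata"].(map[string]interface{}) // Deployments always carry metadata
	ann, _ := md["annotations"].(map[string]interface{})
	if ann == nil {
		ann = map[string]interface{}{}
	}
	ann[msgAnnotation] = base64.StdEncoding.EncodeToString(msg)
	ann[sigAnnotation] = base64.StdEncoding.EncodeToString(sig)
	md["annotations"] = ann
	return nil
}

// VerifyManifest is the admission-time check: verify the embedded message with the expected
// key, then diff the admitted object against the signed manifest with ignoreFields removed
// from both sides. Any other difference is treated as tampering.
func VerifyManifest(pub *ecdsa.PublicKey, admitted Manifest, ignoreFields []string) (bool, string) {
	raw, _ := json.Marshal(admitted)
	var live Manifest // work on a copy so the caller's object is left untouched
	_ = json.Unmarshal(raw, &live)
	md := live["metadata"].(map[string]interface{})
	ann, _ := md["annotations"].(map[string]interface{})
	msgB64, ok1 := ann[msgAnnotation].(string)
	sigB64, ok2 := ann[sigAnnotation].(string)
	if !ok1 || !ok2 {
		return false, "manifest is not signed"
	}
	msg, err1 := base64.StdEncoding.DecodeString(msgB64)
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256(msg)
	if err1 != nil || err2 != nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return false, "signature does not verify with the expected key"
	}
	var signed Manifest
	_ = json.Unmarshal(msg, &signed) // a non-manifest message leaves signed nil and fails the diff
	delete(ann, msgAnnotation)       // the signature annotations were attached after signing,
	delete(ann, sigAnnotation)       // so drop them before diffing
	if len(ann) == 0 {
		delete(md, "annotations")
	}
	for _, f := range ignoreFields {
		deleteField(live, f)
		deleteField(signed, f)
	}
	if !reflect.DeepEqual(live, signed) {
		return false, "admitted object differs from the signed manifest outside ignoreFields"
	}
	return true, "ok"
}
```

With `ignoreFields` set to `spec.replicas`, a signed Deployment scaled from 3 to 5 replicas still verifies, while the same object with its container image swapped, a Deployment with no signature annotations, or a signature made with a different key is rejected; with an empty `ignoreFields`, the replicas change alone is enough to fail the check. Note that the diff is exact outside the exempted fields: an annotation or label added after signing also fails, which is the behaviour to expect from the policy above unless those fields are listed too.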