Verify Manifest Integrity
Verifying the integrity of resources is important to ensure no tampering has occurred, and in some cases this needs to extend to the YAML manifests deployed to Kubernetes. Starting in Kyverno 1.8, these manifests may be signed with Sigstore and the signature(s) validated at admission to detect such tampering, while still allowing exceptions on a per-field basis. This policy verifies that Deployments are signed with the expected key but ignores the `spec.replicas` field, allowing other teams to change just this value without invalidating the signature.
Policy Definition
/other/verify-manifest-integrity/verify-manifest-integrity.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-manifest-integrity
  annotations:
    policies.kyverno.io/title: Verify Manifest Integrity
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Deployment
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Verifying the integrity of resources is important to ensure no tampering has
      occurred, and in some cases this may need to be extended to certain YAML manifests
      deployed to Kubernetes. Starting in Kyverno 1.8, these manifests may be signed with
      Sigstore and the signature(s) validated to prevent this tampering while still allowing
      some exceptions on a per-field basis. This policy verifies Deployments are signed with
      the expected key but ignores the `spec.replicas` field allowing other teams to change just
      this value.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: verify-deployment-allow-replicas
      match:
        any:
        - resources:
            kinds:
              - Deployment
      validate:
        manifests:
          attestors:
          - count: 1
            entries:
            - keys:
                publicKeys: |-
                  -----BEGIN PUBLIC KEY-----
                  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEStoX3dPCFYFD2uPgTjZOf1I5UFTa
                  1tIu7uoGoyTxJqqEq7K2aqU+vy+aK76uQ5mcllc+TymVtcLk10kcKvb3FQ==
                  -----END PUBLIC KEY-----
          ignoreFields:
          - objects:
            - kind: Deployment
            fields:
            - spec.replicas
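The mechanism behind `ignoreFields` is easiest to see on a small model: the manifest is canonicalized with the exempt fields removed before the signature is checked, so a change to `spec.replicas` still verifies while a change to any other field (for instance the container image) does not. The following is an added illustration, not Kyverno's or Sigstore's code. It uses a constructed Deployment manifest and an HMAC over canonical JSON as a stand-in for the cosign ECDSA signature the policy actually verifies with its `publicKeys`; the `IGNORE_FIELDS` map mirrors the policy's `ignoreFields` entry for kind `Deployment`.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample manifest standing in for a signed Deployment (not from the page).
SIGNED_MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "replicas": 2,
        "template": {
            "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.0"}]}
        },
    },
}

# Exempt fields per kind, mirroring the policy's ignoreFields block.
IGNORE_FIELDS = {"Deployment": ["spec.replicas"]}

# Stand-in signing secret. Kyverno verifies a Sigstore (cosign) ECDSA signature against the
# public key in the policy; an HMAC is used here only to keep the example self-contained.
SIGNING_KEY = b"constructed-demo-key"


def drop_path(obj, dotted):
    """Remove a dotted path such as 'spec.replicas' from a nested dict, if present."""
    parts = dotted.split(".")
    node = obj
    for part in parts[:-1]:
        node = node.get(part)
        if not isinstance(node, dict):
            return  # path absent: nothing to strip
    node.pop(parts[-1], None)


def canonicalize(manifest, ignore_fields):
    """Canonical JSON bytes of the manifest with its kind's exempt fields removed."""
    m = copy.deepcopy(manifest)
    for path in ignore_fields.get(m.get("kind", ""), []):
        drop_path(m, path)
    return json.dumps(m, sort_keys=True, separators=(",", ":")).encode()


def sign(manifest, ignore_fields, key=SIGNING_KEY):
    """Signature (HMAC stand-in) over the canonical form computed at signing time."""
    return hmac.new(key, canonicalize(manifest, ignore_fields), hashlib.sha256).hexdigest()


def verify(manifest, signature, ignore_fields, key=SIGNING_KEY):
    """Admission-time check: recompute over the same canonical form and compare."""
    expected = sign(manifest, ignore_fields, key)
    return hmac.compare_digest(expected, signature)


def admission_outcomes():
    """Simulate admission requests against signatures produced once at sign time."""
    sig = sign(SIGNED_MANIFEST, IGNORE_FIELDS)   # policy with spec.replicas exempt
    sig_strict = sign(SIGNED_MANIFEST, {})        # same manifest, no exemptions

    scaled = copy.deepcopy(SIGNED_MANIFEST)
    scaled["spec"]["replicas"] = 10  # only the exempt field changes

    retagged = copy.deepcopy(SIGNED_MANIFEST)
    retagged["spec"]["template"]["spec"]["containers"][0]["image"] = "registry.example/web:1.1"

    return {
        "unchanged": verify(SIGNED_MANIFEST, sig, IGNORE_FIELDS),
        "replicas_changed": verify(scaled, sig, IGNORE_FIELDS),
        "image_changed": verify(retagged, sig, IGNORE_FIELDS),
        "strict_replicas_changed": verify(scaled, sig_strict, {}),
    }


if __name__ == "__main__":
    for case, ok in admission_outcomes().items():
        print(f"{case}: {'pass' if ok else 'FAIL'}")
```

The last case shows why the exemption is deliberate: without `ignoreFields`, any scale operation by another team would fail verification, which is the trade-off the policy description refers to. Exempting a field also means that field is no longer covered by the signature, so the list should stay as short as the workflow requires.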