All Policies
Verify Image
Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature of an image repo called ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying its signature against the provided public key. This policy serves as an illustration for how to configure a similar rule and will require replacing with your image(s) and keys.
Policy Definition
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: verify-image
5 annotations:
6 policies.kyverno.io/title: Verify Image
7 policies.kyverno.io/category: Sample
8 policies.kyverno.io/severity: medium
9 policies.kyverno.io/subject: Pod
10 policies.kyverno.io/minversion: 1.4.2
11 policies.kyverno.io/description: >-
12 Using the Cosign project, OCI images may be signed to ensure supply chain
13 security is maintained. Those signatures can be verified before pulling into
14 a cluster. This policy checks the signature of an image repo called
15 ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying
16 its signature against the provided public key. This policy serves as an illustration for
17 how to configure a similar rule and will require replacing with your image(s) and keys.
18spec:
19 validationFailureAction: enforce
20 background: false
21 rules:
22 - name: verify-image
23 match:
24 any:
25 - resources:
26 kinds:
27 - Pod
28 verifyImages:
29 - image: "ghcr.io/kyverno/test-verify-image:*"
30 key: |-
31 -----BEGIN PUBLIC KEY-----
32 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
33 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
34 -----END PUBLIC KEY-----