Back to Policies

Require Signed Tekton Pipeline

A signed bundle is required

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: signed-pipeline-bundle
  annotations:
    policies.kyverno.io/title: Require Signed Tekton Pipeline
    policies.kyverno.io/category: Tekton
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: PipelineRun
    kyverno.io/kyverno-version: 1.7.2
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: A signed bundle is required
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: check-signature
      match:
        resources:
          kinds:
            - PipelineRun
      imageExtractors:
        PipelineRun:
          - name: pipelineruns
            path: /spec/pipelineRef
            value: bundle
            key: name
      verifyImages:
        - imageReferences:
            - "*"
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEahmSvGFmxMJABilV1usgsw6ImcQ/
                      gDaxw57Sq+uNGHW8Q3zUSx46PuRqdTI+4qE3Ng2oFZgLMpFN/qMrP0MQQg==
                      -----END PUBLIC KEY-----

Related Policies

Verify ImagesMedium

Verify Flux Images

Ensures that container images used to run Flux controllers in the cluster are signed with valid Cosign signatures. Prevents the deployment of untrusted or potentially compromised Flux images. Protects the integrity and security of the Flux deployment process.

GitRepository
ValidateMedium

Block Tekton TaskRun

Restrict creation of TaskRun resources to the Tekton pipelines controller.

TaskRun
ValidateMedium

Require Tekton Bundle

PipelineRun and TaskRun resources must be executed from a bundle

TaskRun