Require Signed Tekton Pipeline
A signed bundle is required
Policy Definition
/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: signed-pipeline-bundle
  annotations:
    policies.kyverno.io/title: Require Signed Tekton Pipeline
    policies.kyverno.io/category: Tekton
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: PipelineRun
    kyverno.io/kyverno-version: 1.7.2
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      A signed bundle is required
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
  - name: check-signature
    match:
      resources:
        kinds:
        - PipelineRun
    imageExtractors:
      PipelineRun:
      - name: "pipelineruns"
        path: /spec/pipelineRef
        value: "bundle"
        key: "name"
    verifyImages:
    - imageReferences:
      - "*"
      attestors:
      - entries:
        - keys:
            publicKeys: |-
              -----BEGIN PUBLIC KEY-----
              MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEahmSvGFmxMJABilV1usgsw6ImcQ/
              gDaxw57Sq+uNGHW8Q3zUSx46PuRqdTI+4qE3Ng2oFZgLMpFN/qMrP0MQQg==
              -----END PUBLIC KEY-----
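The part of this policy that is easy to get wrong is the imageExtractors block: Kyverno does not verify a PipelineRun as a whole, it verifies whatever image references the extractor pulls out of /spec/pipelineRef (the field named by `value`, labelled by the field named by `key`), and only those references are then matched against `imageReferences` and checked for a signature. The following Python is an added example, not code from Kyverno or the policy library: it models that extraction step and the `*` glob match in plain Python so you can see, offline, which PipelineRun shapes actually yield an image for signature verification. The manifests and the registry name are constructed for the example, and `fnmatch` is used as an approximation of Kyverno's wildcard matching.

```python
"""Model the imageExtractors + imageReferences stage of the signed-pipeline-bundle policy.

Added example (not Kyverno's implementation): `path` is walked as a JSON-pointer-style
path, `value` names the field holding the image reference, `key` names the field used
to label the extracted entry. Manifests below are constructed sample input.
"""
from fnmatch import fnmatch

# The imageExtractors entry exactly as written in the policy above.
EXTRACTOR = {
    "name": "pipelineruns",
    "path": "/spec/pipelineRef",
    "value": "bundle",
    "key": "name",
}
IMAGE_REFERENCES = ["*"]  # the policy's verifyImages.imageReferences


def _walk(obj, pointer):
    """Follow '/spec/pipelineRef' through nested dicts; None if any step is missing."""
    for part in pointer.strip("/").split("/"):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def extract_images(manifest, extractor=EXTRACTOR):
    """Return {entry_label: image_ref} for every image the extractor config finds."""
    target = _walk(manifest, extractor["path"])
    if not isinstance(target, dict):
        return {}
    image = target.get(extractor["value"])
    if not image:
        # No `bundle` field: the extractor yields nothing, so verifyImages has nothing to check.
        return {}
    label = target.get(extractor["key"], extractor["name"])
    return {label: image}


def images_to_verify(manifest, patterns=IMAGE_REFERENCES):
    """Extracted images whose reference matches at least one imageReferences glob."""
    return {
        label: image
        for label, image in extract_images(manifest).items()
        if any(fnmatch(image, pattern) for pattern in patterns)
    }


# Constructed sample PipelineRuns (hypothetical registry name).
BUNDLE_RUN = {
    "apiVersion": "tekton.dev/v1beta1",
    "kind": "PipelineRun",
    "metadata": {"name": "build-1"},
    "spec": {
        "pipelineRef": {
            "name": "build-pipeline",
            "bundle": "registry.example.com/pipelines/build:v1",
        }
    },
}

CLUSTER_PIPELINE_RUN = {
    "apiVersion": "tekton.dev/v1beta1",
    "kind": "PipelineRun",
    "metadata": {"name": "build-2"},
    "spec": {"pipelineRef": {"name": "build-pipeline"}},  # in-cluster Pipeline, no bundle
}

if __name__ == "__main__":
    for run in (BUNDLE_RUN, CLUSTER_PIPELINE_RUN):
        print(run["metadata"]["name"], "->", images_to_verify(run))
```

Running this shows that only the PipelineRun with `pipelineRef.bundle` produces an image reference for the attestor to verify; a PipelineRun that points at an in-cluster Pipeline by name yields nothing, which is worth knowing when deciding whether this policy alone covers every way a pipeline can be referenced in your cluster. Narrowing `imageReferences` from `*` to your own registry prefix is a cheap way to make that scope explicit.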