Back to Policies

Require Signed Tekton Pipeline

A signed bundle is required

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: signed-pipeline-bundle
  annotations:
    policies.kyverno.io/title: Require Signed Tekton Pipeline
    policies.kyverno.io/category: Tekton
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: PipelineRun
    kyverno.io/kyverno-version: 1.7.2
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: A signed bundle is required
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: check-signature
      match:
        resources:
          kinds:
            - PipelineRun
      imageExtractors:
        PipelineRun:
          - name: pipelineruns
            path: /spec/pipelineRef
            value: bundle
            key: name
      verifyImages:
        - imageReferences:
            - "*"
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEahmSvGFmxMJABilV1usgsw6ImcQ/
                      gDaxw57Sq+uNGHW8Q3zUSx46PuRqdTI+4qE3Ng2oFZgLMpFN/qMrP0MQQg==
                      -----END PUBLIC KEY-----

Related Policies

Verify ImagesMedium

Verify Flux Images

Ensures that container images used to run Flux controllers in the cluster are signed with valid Cosign signatures. Prevents the deployment of untrusted or potentially compromised Flux images. Protects the integrity and security of the Flux deployment process.

GitRepository
Verify ImagesMedium

Require Image Vulnerability Scans

An important part of ensuring software supply chain integrity is performing periodic vulnerability scans on images. Initial scans as part of the build process is necessary, but as new vulnerabilities are discovered the scans must be refreshed. This policy ensures that images, signed with Cosign's keyless ability during a GitHub Actions workflow, have attested vulnerability scans not older than one week. This policy is expected to be customized based upon your signing strategy and applicable to the images you designate.

Pod
Verify ImagesMedium

Verify Image

Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature of an image repo called ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying its signature against the provided public key. This policy serves as an illustration for how to configure a similar rule and will require replacing with your image(s) and keys.

Pod