A signed bundle is required
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: signed-pipeline-bundleannotations:policies.kyverno.io/title: Require Signed Tekton Pipelinepolicies.kyverno.io/category: Tektonpolicies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: PipelineRunkyverno.io/kyverno-version: 1.7.2policies.kyverno.io/minversion: 1.7.0kyverno.io/kubernetes-version: "1.23"policies.kyverno.io/description: A signed bundle is requiredspec:validationFailureAction: EnforcewebhookTimeoutSeconds: 30rules:- name: check-signaturematch:resources:kinds:- PipelineRunimageExtractors:PipelineRun:- name: pipelinerunspath: /spec/pipelineRefvalue: bundlekey: nameverifyImages:- imageReferences:- "*"attestors:- entries:- keys:publicKeys: |------BEGIN PUBLIC KEY-----MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEahmSvGFmxMJABilV1usgsw6ImcQ/gDaxw57Sq+uNGHW8Q3zUSx46PuRqdTI+4qE3Ng2oFZgLMpFN/qMrP0MQQg==-----END PUBLIC KEY-----
Ensures that container images used to run Flux controllers in the cluster are signed with valid Cosign signatures. Prevents the deployment of untrusted or potentially compromised Flux images. Protects the integrity and security of the Flux deployment process.
Provenance is used to identify how an artifact was produced and from where it originated. SLSA provenance is an industry-standard method of representing that provenance. This policy verifies that an image has SLSA provenance and was signed by the expected subject and issuer when produced through GitHub Actions. It requires configuration based upon your own values.
An important part of ensuring software supply chain integrity is performing periodic vulnerability scans on images. Initial scans as part of the build process is necessary, but as new vulnerabilities are discovered the scans must be refreshed. This policy ensures that images, signed with Cosign's keyless ability during a GitHub Actions workflow, have attested vulnerability scans not older than one week. This policy is expected to be customized based upon your signing strategy and applicable to the images you designate.