...
```bash
# Add the Kyverno chart repository and install the Kyverno engine
# into the ncyd-flux namespace
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install -n ncyd-flux kyverno kyverno/kyverno
```
```yaml
apiVersion: kyverno.io/v1
# Policy is namespaced: it only applies to Pods in the namespace it is created in
kind: Policy
metadata:
  name: check-signed-image
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail
  rules:
    - name: check-image-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ncydacrinprogress.azurecr.io/cloudhut/kowl:*"
            # - "ncydacrinprogress.azurecr.io/*"
          attestors:
            - count: 1
              # Replace with your own public key
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6887939UfT9OPMHvST7OBfT1xAva
                      iRPbB1Hyar+nFCUWVvX7EviEPLxTZRNQ2A4OPKAkDo1e3HI8OFTr9ZAIyQ==
                      -----END PUBLIC KEY-----
                    # or key: ???? secret ????
```
...