...
```bash
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install -n ncyd-flux kyverno kyverno/kyverno
```
Update the Kyverno admission-controller deployment so it can authenticate to the private registry (the `regcred` pull secret) when it fetches image signatures:
```bash
kubectl edit -n ncyd-flux deployment/kyverno-admission-controller
```
```yaml
containers:
  - args:
      ...
      - --imagePullSecrets=regcred
```
```yaml
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: check-image
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail
  rules:
    - name: check-image
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ncydacrinprogress.azurecr.io/cloudhut/kowl:*"
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6887939UfT9OPMHvST7OBfT1xAva
                      iRPbB1Hyar+nFCUWVvX7EviEPLxTZRNQ2A4OPKAkDo1e3HI8OFTr9ZAIyQ==
                      -----END PUBLIC KEY-----
                    # or reference a Secret that holds the key as cosign.pub (see Note below):
                    # publicKeys: k8s://<namespace>/<secret_name>
```
https://kyverno.io/docs/writing-policies/verify-images/sigstore/
Note

The public key may either be defined in the policy directly or reference a standard Kubernetes Secret elsewhere in the cluster by specifying it in the format `k8s://<namespace>/<secret_name>`. The named Secret must specify a key `cosign.pub` containing the public key used for verification. Secrets may also be referenced using the `secret{}` object. See `kubectl explain clusterpolicy.spec.rules.verifyImages.attestors.entries.keys` for more details on the supported key options.
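A verifyImages rule only checks signatures on images that match one of its `imageReferences` globs; anything outside the globs is admitted with no signature check at all, so it is worth seeing which images in a workload the policy above actually covers. The script below is an added example, not part of this page and not Kyverno's own code: it models the glob with plain wildcard semantics (`*` matches any run of characters, `/` included, `?` one character; an assumption modelled on Kyverno's wildcard matching) and reports, for a constructed sample Pod, which container images fall under the policy's pattern. The sample Pod, its image digest and the extra containers are made up for the demonstration.

```python
import re

# Constructed from the policy above: the imageReferences globs of its verifyImages rule.
POLICY_IMAGE_REFERENCES = ["ncydacrinprogress.azurecr.io/cloudhut/kowl:*"]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an imageReferences-style glob into a regex.

    Assumption: '*' matches any run of characters (including '/') and '?'
    matches exactly one character; everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def image_matches(image: str, patterns) -> bool:
    """True if any verifyImages pattern selects this image reference."""
    return any(wildcard_to_regex(p).fullmatch(image) for p in patterns)


def pod_images(pod: dict):
    """Yield (field, container name, image) for every container in a Pod spec."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            yield field, container["name"], container["image"]


def coverage_report(pod: dict, patterns) -> dict:
    """Map each image in the Pod to whether a verifyImages rule applies to it.

    False means the image falls outside every pattern: no signature is looked
    up for it, and the Pod is admitted regardless of that image's signing state.
    """
    return {image: image_matches(image, patterns) for _, _, image in pod_images(pod)}


def uncovered_images(pod: dict, patterns) -> list:
    """Images the policy never verifies, sorted for stable reporting."""
    return sorted(img for img, ok in coverage_report(pod, patterns).items() if not ok)


# Constructed sample Pod; the digest and the extra containers are made up for the demo.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kowl-demo"},
    "spec": {
        "initContainers": [
            {"name": "wait", "image": "docker.io/library/busybox:1.36"},
        ],
        "containers": [
            {"name": "kowl", "image": "ncydacrinprogress.azurecr.io/cloudhut/kowl:v1.5.0"},
            # Same repository, but pinned by digest: under these glob semantics the
            # tag pattern 'kowl:*' does not match 'kowl@sha256:...'.
            {"name": "kowl-pinned",
             "image": "ncydacrinprogress.azurecr.io/cloudhut/kowl@sha256:" + "0" * 64},
            {"name": "cache", "image": "docker.io/library/redis:7"},
        ],
    },
}

if __name__ == "__main__":
    for image, covered in coverage_report(SAMPLE_POD, POLICY_IMAGE_REFERENCES).items():
        print(("verified  " if covered else "UNCHECKED ") + image)
```

Running it shows only the tagged `kowl` image as verified; the init container, the cache sidecar and the digest-pinned copy of the same repository are all reported as unchecked. Before relying on a policy like the one above, run a check of this kind over the manifests you deploy, and widen `imageReferences` (or add rules) until every image you expect to be signed is covered.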
...