I am new to kubernetes. I am trying to sign the Docker image with Cosign and verify the image using Kyverno Admission controller. But in my setup, Kyverno admission controller allows unsigned images into cluster.

Kyverno policy file,

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: kyverno
  namespace: kyverno
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail
  rules:
    - name: kyverno
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - "localhost:5000/nginx_signed"
        attestors:
        - entries:
          - keyless:
              subject: "xxx@gmail.com"
              issuer: "https://accounts.google.com"
              rekor:
                url: "https://rekor.sigstore.dev"

I am following this tutorial for verifying image using Kyverno,

https://kyverno.io/docs/writing-policies/verify-images/sigstore/

In my setup, the first example mentioned in the above tutorial works for me as expected. But when I am using my policy file and keyless signing method, the Kyverno admission controller is not working and pod is created with unsigned image.


1 Answer


The reason why this is happening is because the verifyImages.imageReferences is not set properly.

The image you are using has a tag or a digest at the end as well, but your image reference does not match those. Right now it only matches when the image is exactly the string localhost:5000/nginx_signed.

You should update image reference to localhost:5000/nginx_signed* so that it matches localhost:5000/nginx_signed:<ANY-TAG> or localhost:5000/nginx_signed@sha256:<DIGEST-HASH>.

I would also suggest that you post questions related to Kyverno on the Kyverno channel in the Kubernetes Slack: https://slack.k8s.io/#kyverno
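The following script is an added example, not code from the question, the answer or the Kyverno project. It assumes that `imageReferences` entries are matched against the full image string with `*` standing for any run of characters (and `?` for one character), which is the behaviour the answer describes; Kyverno's own matcher is not imported. The sample images are constructed. It shows why the exact string `localhost:5000/nginx_signed` leaves tagged and digest-pinned pulls outside the rule, so they are admitted with no signature check at all, and it also shows the flip side: a trailing `*` also pulls in any repository that merely starts with `nginx_signed`, so tighter patterns such as `localhost:5000/nginx_signed:*` and `localhost:5000/nginx_signed@*` may be preferable.

```python
import re

# Constructed sample of the images a Pod spec might carry; not taken from the question.
POD_IMAGES = [
    "localhost:5000/nginx_signed",
    "localhost:5000/nginx_signed:latest",
    "localhost:5000/nginx_signed@sha256:" + "ab" * 32,
    "localhost:5000/nginx_signed_unsigned:1.0",
    "docker.io/library/nginx:1.25",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Compile a wildcard pattern ('*' = any run, '?' = one char) into an anchored regex.

    Assumption: this mirrors the '*' semantics the answer describes for
    verifyImages.imageReferences; it is not Kyverno's own implementation.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def matches_reference(image: str, pattern: str) -> bool:
    """True when the whole image string (tag or digest included) matches the pattern."""
    return wildcard_to_regex(pattern).match(image) is not None


def split_reference(image: str) -> dict:
    """Split an image reference into repository, tag and digest.

    A ':' only counts as a tag separator when it comes after the last '/', so a
    registry port such as localhost:5000 is not mistaken for a tag.
    """
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    repo, tag = image, None
    last_slash = image.rfind("/")
    colon = image.rfind(":")
    if colon > last_slash:
        repo, tag = image[:colon], image[colon + 1:]
    return {"repository": repo, "tag": tag, "digest": digest}


def images_covered(images: list, patterns: list) -> list:
    """Return the images that a verifyImages rule with these imageReferences would check.

    Anything not returned falls outside the rule and is admitted without any
    signature verification, which is the behaviour seen in the question.
    """
    return [img for img in images if any(matches_reference(img, p) for p in patterns)]


if __name__ == "__main__":
    candidates = [
        ["localhost:5000/nginx_signed"],                                  # the question's pattern
        ["localhost:5000/nginx_signed*"],                                 # the answer's fix
        ["localhost:5000/nginx_signed:*", "localhost:5000/nginx_signed@*"],  # tighter variant
    ]
    for pats in candidates:
        print(pats)
        covered = images_covered(POD_IMAGES, pats)
        for img in POD_IMAGES:
            status = "checked" if img in covered else "NOT checked"
            print(f"  {status:12} {img}  {split_reference(img)}")
```

Running the script prints, for each candidate `imageReferences` list, which of the sample images the rule would verify and which it would let through untouched; `images_covered` is the function to reuse when you want to unit-test a policy's patterns against the images actually deployed in a cluster before setting `validationFailureAction: Enforce`.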