Implement a Kyverno policy to check signatures in a cluster
What does this MR do and why?
Verify the signature of the upstream images when signed (the signatures are stored in the OCI registry of sylva-core).
Signing an image is meant to address the security need of integrity, i.e. it mitigates the risk of deploying an image tag that has been tampered with.
It covers the risk of a stakeholder being compromised.
The verification flow is detailed here (cc @loic.nicolle ): https://gitlab.com/sylva-projects/sylva-core/-/blob/39-implement-a-kyverno-policy-to-enforce-verified-signatures-in-a-cluster/docs/cosign.md?ref_type=heads#upstream-images-signatures
IMPORTANT NOTICE: Since none of the upstream images is currently trusted, i.e. signed, the image verification is disabled in this MR. cc @alain.thioliere @tmmorin
closes issue #1450
Related reference(s)
- https://github.com/sigstore/cosign#specifying-registry
- https://kyverno.io/docs/writing-policies/verify-images/sigstore/#using-a-signature-repository
Test coverage
Tested with a few signed images (without proper validation, so just for the sake of validating this MR workflow):
- Deploying a keycloak and vault image without a signature is allowed but logged when policy is in Audit mode.
- Deploying a keycloak and vault image without a signature fails when policy is enforced.
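The shape of a Kyverno `verifyImages` policy that reads cosign signatures from a separate signature repository, as described above, as an added illustration (this is example configuration written for this note, not the policy shipped in this MR or in sylva-core). The image references, the signature repository path and the public key are placeholders and must be replaced with the real values; `validationFailureAction: Audit` gives the "allowed but logged" behaviour from the test coverage, and switching it to `Enforce` makes unsigned pods fail admission.

```yaml
# Example only (not the sylva-core policy). All registry paths and the key are hypothetical.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-upstream-image-signatures
spec:
  # Audit: unsigned images are admitted and a PolicyReport entry is logged.
  # Enforce: unsigned images are rejected at admission.
  validationFailureAction: Audit
  background: false
  webhookTimeoutSeconds: 30
  # Fail closed if the webhook itself cannot be reached.
  failurePolicy: Fail
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            # Hypothetical upstream images; use the real upstream references here.
            - "quay.io/keycloak/keycloak:*"
            - "docker.io/hashicorp/vault:*"
          # Signatures are looked up here instead of next to the image, which is
          # what lets a third party sign upstream images it does not own
          # (the cosign COSIGN_REPOSITORY mechanism from the first reference).
          repository: "registry.example.com/sylva-signatures"   # hypothetical path
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: paste the PEM public key matching the signing key.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <cosign public key PEM, placeholder>
                      -----END PUBLIC KEY-----
          # Rewrite the tag to the verified digest so the pod runs exactly
          # what was checked, not whatever the tag points to later.
          mutateDigest: true
          verifyDigest: true
          required: true
```

The `failurePolicy: Fail` setting is worth a conscious decision: it closes the gap where an unreachable webhook would otherwise let unverified images through, at the cost of blocking pod creation while Kyverno is down.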