adding tekton policy to verify cosigned image #1257
Conversation
Signed-off-by: arunvel1988 <aryan.arunachalam@gmail.com>
Signed-off-by: arunvel1988 <aryan.arunachalam@gmail.com>
|
@joebowbeer can you review PR |
|
@joebowbeer @mcs @poblahblahblah @fernferret can you please review. And why is it taking time to review code ? |
|
@JimBugwadia kindly help review PR |
|
@JimBugwadia is this project archived? kindly help as PR is pending for more than a month... kindly help |
|
Only speaking for me, I have no idea why I got mentioned. I am not too experienced with Kyverno policies and for that won't review / approve PRs if I have no direct relation to them. And as far as I see this, I couldn't approve that change even if I wanted to, because I am not a "reviewer with write access". |
|
@realshuting can you review |
|
@mcs can you review ? |
| spec: | ||
| containers: | ||
| - name: signed-container | ||
| image: index.docker.io/arunvel1988/signedimage:latest # Assumes this is a signed image |
There was a problem hiding this comment.
For sample policies, please use the Kyverno test images:
- ghcr.io/kyverno/test-verify-image:signed (see https://kyverno.io/policies/other/verify-image/verify-image/)
Its best to avoid dependencies on other repositories and registries.
| spec: | ||
| containers: | ||
| - name: unsigned-container | ||
| image: index.docker.io/arunvel1988/unsignedimage:latest # This is an unsigned image |
| any: | ||
| - resources: | ||
| kinds: | ||
| - Pod |
There was a problem hiding this comment.
This is simply verifying a Pod and not verifying a TaskRun. What is the intent?
| - Pod | ||
| verifyImages: | ||
| - image: "index.docker.io/arunvel1988/*" | ||
| key: "k8s://kyverno/cosign-key-secret" |
There was a problem hiding this comment.
Where is the secret configured?
| kinds: | ||
| - Pod | ||
| verifyImages: | ||
| - image: "index.docker.io/arunvel1988/*" |
There was a problem hiding this comment.
See comment above on images.
Related Issue(s)
Description
Checklist