apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: verify-signed-image annotations: policies.kyverno.io/title: Verify Signed Images policies.kyverno.io/category: Security policies.kyverno.io/severity: high policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Validates signed images against specified certificates spec: validationFailureAction: audit failurePolicy: Ignore background: false webhookTimeoutSeconds: 30 rules: - name: verify-image-quay-io-gnunn-client match: any: - resources: kinds: - Pod verifyImages: - image: "quay.io/gnunn/client:*" key: |- -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWno6IupPFSRi9btNhFtMeS1iQbM gN6OWsfUdhfT5TCf23ESE3vfuMWtX9syvjmemuGpZ+/fRDOyqAbVnAGNpQ== -----END PUBLIC KEY----- - name: verify-image-quay-io-gnunn-server match: any: - resources: kinds: - Pod verifyImages: - image: "quay.io/gnunn/server:*" key: |- -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWno6IupPFSRi9btNhFtMeS1iQbM gN6OWsfUdhfT5TCf23ESE3vfuMWtX9syvjmemuGpZ+/fRDOyqAbVnAGNpQ== -----END PUBLIC KEY-----