d2c505738f
Ref: https://github.com/kyverno/kyverno/issues/6123 Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com>
45 lines
1.8 KiB
YAML
45 lines
1.8 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: Policy
|
|
metadata:
|
|
name: cosign
|
|
namespace: "{{ .Release.Namespace }}"
|
|
annotations:
|
|
"helm.sh/hook": post-install, post-upgrade
|
|
"helm.sh/hook-weight": "4" # Higher precidence, so the first the config map will get created.
|
|
spec:
|
|
# validationFailureAction: enforce
|
|
validationFailureAction: audit
|
|
background: false
|
|
webhookTimeoutSeconds: 30
|
|
# failurePolicy: Fail
|
|
failurePolicy: Ignore
|
|
rules:
|
|
- name: openreplay-image-signature
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Pod
|
|
- Deployment
|
|
verifyImages:
|
|
- imageReferences:
|
|
- "public.ecr.aws/p1t3u8a3/*"
|
|
attestors:
|
|
- count: 1
|
|
entries:
|
|
- keys:
|
|
publicKeys: |-
|
|
-----BEGIN PUBLIC KEY-----
|
|
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoLidzRiNIO3l/sWCYw2f
|
|
Ct71YSj7UVerhbR81TNEKYtW0fUqg4GagS+esprcXteHPoBI+ZcfL2xJIs0ZNHZs
|
|
A+2VXYrsFRgREtABFCwJ2G51ybusoS3jpBsAmSNjG0uzseDxQMTh0arNOlNbhbmI
|
|
Tj1ty2JfyLejDKlxavXheKmJGb+7IdDCMmP3f5mXSsJpsOM8SJo49BkvKhTwzjc0
|
|
01dsSLo5mk9jeG2C6UvPCQeMIUKaf5GlYWyFx7vLZ+z5be9TPuWDH4GO0RtxJVXt
|
|
tqmk32aKe+0KDLH0ak9WRVz3ugYEjs+tqdO3y3ALLoGAAI+yGxGSfWFDnDj5AXpA
|
|
2/XYSJAWRzPu35/H3laSrxaApYWN5an69jI30JY7SoEy/k+10oIGe2FGIihXTdq+
|
|
As3IKPEtvuN9s3RTm2ujV/7rEnVVKWiHvQCwH8rxhsbDTeJCoNs8hSBUq1Muttct
|
|
EWML8s/TCIK01PyvH6VNQSnc+lRKAJOd5NpZ/SVMXBbrykCQSZPE8RcaQum3nMxE
|
|
Tri24VcWfRHj1WwUYzxpmoVE5F1lw0lqQIXlwz+AFhCLGsePSkjFShFtNFQuX22r
|
|
Q73JTt3FX4JEzaaKC5BZwXmkEs3MVpQj43HuEqDyejlsPWwRBYwZIzXpoBhOCFHD
|
|
t4PI8n+1dSE+uavu/ijgXl8CAwEAAQ==
|
|
-----END PUBLIC KEY-----
|