-
Notifications
You must be signed in to change notification settings - Fork 250
/
verify-flux-images.yaml
39 lines (39 loc) · 1.36 KB
/
verify-flux-images.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-flux-images
spec:
validationFailureAction: Audit
background: false
webhookTimeoutSeconds: 30
failurePolicy: Fail
rules:
- name: verify-cosign-signature
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/fluxcd/source-controller:*"
- "ghcr.io/fluxcd/kustomize-controller:*"
- "ghcr.io/fluxcd/helm-controller:*"
- "ghcr.io/fluxcd/notification-controller:*"
- "ghcr.io/fluxcd/image-reflector-controller:*"
- "ghcr.io/fluxcd/image-automation-controller:*"
- "docker.io/fluxcd/source-controller:*"
- "docker.io/fluxcd/kustomize-controller:*"
- "docker.io/fluxcd/helm-controller:*"
- "docker.io/fluxcd/notification-controller:*"
- "docker.io/fluxcd/image-reflector-controller:*"
- "docker.io/fluxcd/image-automation-controller:*"
mutateDigest: false
verifyDigest: false
attestors:
- entries:
- keyless:
subject: "https://github.com/fluxcd/*"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev