feat: update kdp based on comments

Signed-off-by: Vishal Choudhary <[email protected]>

proposals/imageverificationpolicy.md

@@ -15,7 +15,7 @@
 - [Motivation](#motivation)
   - [Goals:](#goals)
 - [Proposal](#proposal)
-  - [Match Constraints](#match-constraints)
+  - [Match Images](#match-images)
   - [Images](#images)
   - [Attestors](#attestors)
   - [Attestations](#attestations)
@@ -41,10 +41,10 @@ This document proposes the new design for image verification policies.
 # Definitions
 [definitions]: #definitions
 
-1. **Image:** Images are static files that contain instructions for building a container and running an isolated process on a containerization platform.
+1. **Image:** An image is an archive containing application and all of its dependencies.
 2. **Metadata:** Metadata is used to describe software and the build environment. Provenance (origin) data, SBOMs, and vulnerability scan reports are the essential set of metadata required to assess security risks for software.
 3. **Attestation:**  Authenticated metadata is used to attest to the integrity of a software system. Both custom and standardized metadata can be converted into attestations.
-4. **Attester:** An identity, such as a key or certificate that confirms or verifies the authenticity of an image or an attestors
+4. **Attestor:** An identity, such as a key or certificate that confirms or verifies the authenticity of an image or an attestors
 
 # Motivation
 [motivation]: #motivation
@@ -70,17 +70,26 @@ metadata:
 spec:
   failurePolicy: Fail
   failureAction: Enforce
+  mutateDigest: true
+  verifyDigest: true
+  required: true
   matchConstraints:
     resourceRules:
     - apiGroups:   ["apps"]
       apiVersions: ["v1"]
       operations:  ["CREATE", "UPDATE"]
       resources:   ["pods"]
-    imageRules:
-      references:
-      - "ghcr.io/*"
-      expressions:
-      - $image == "nginx"
+  credentials:
+    secrets:
+    - regcred
+    helpers:
+    - amazon
+    - google
+  matchImages:
+    references:
+    - "ghcr.io/*"
+    expressions:
+    - $image == "nginx"
   images:
   - name: containers
     expression: request.object.spec.containers.image
@@ -127,19 +136,15 @@ It is split into following components:
 4. Attestations
 5. Verifications
 
-## Match Constraints
-Match constraints extends the `matchConstraints` block of Kubernetes' [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) by adding image related match criterias in it.
-`matchConstraints.imageRules` is a filter for the images that are processed by this policy. If image verification functions are executed on images that do not match these rules, they will be skipped. 
-`imageRules` has two fields:
-`references`, which is an array of globs which are matched against the image, if one of them match, then the policy is applied to the image. 
+## Match Images
+Match images adds a global image filtering criteria. Conditions defined in the `spec.matchImages` block are used in all the image verification CEL functions. If the image does not match a criteria, it is skipped. `matchImages` is a way of defining the scope of the policy. Match images is a required field.
+`matchImages` has two fields:
+`references`, which is an array of globs which are matched against the image, if one of them match, then the policy is applied to the image. This uses shell globbing syntax.
 `expresions` is a array of CEL expressions that are applied to the image, if one of the expressions return true. then the policy is applied to the image. The image is accessible in the CEL expression as `$image`. Custom functions such as `parseReference` is also present here.
 
-The `matchConstraints.imageRules` field is only considered by kyverno's image verification engine.
 ```yaml
-matchConstraints:
- resourceRules:
  # ...
- imageRules:
+ matchImages:
    references:
    - "ghcr.io/*"
    expressions: