diff --git a/content/en/docs/Writing policies/verify-images/notary/_index.md b/content/en/docs/Writing policies/verify-images/notary/_index.md
index 9ebdb4e9f..9754908b6 100644
--- a/content/en/docs/Writing policies/verify-images/notary/_index.md
+++ b/content/en/docs/Writing policies/verify-images/notary/_index.md
@@ -140,4 +140,91 @@ You can manage public keys and certificates as external data in a ConfigMap. See
 ## Verifying Image Attestations
-Kyverno does not support verifying attestations signed by Notary. This feature is being implemented and scheduled for the [next minor release](https://github.com/kyverno/kyverno/milestones?direction=asc&sort=due_date&state=open).
+Consider the following image: `ghcr.io/kyverno/test-verify-image:signed`
+
+```
+ghcr.io/kyverno/test-verify-image:signed
+├── application/vnd.cncf.notary.signature
+│ └── sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265
+├── vulnerability-scan
+│ └── sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd
+│ └── application/vnd.cncf.notary.signature
+│ └── sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3
+└── sbom/cyclone-dx
+ └── sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414
+ └── application/vnd.cncf.notary.signature
+ └── sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322
+```
+
+This image has:
+
+1. A notary signature.
+2. A vulnerability scan report, signed using notary.
+3. A CycloneDX SBOM, signed using notary.
+This policy checks the signature in the repo `ghcr.io/kyverno/test-verify-image` and ensures that it has been signed by verifying its signature against the provided certificates:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-image-attestation
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: verify-attestation-notary
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ context:
+ - name: keys
+ configMap:
+ name: keys
+ namespace: kyverno
+ verifyImages:
+ - type: Notary
+ imageReferences:
+ - "ghcr.io/kyverno/test-verify-image*"
+ attestations:
+ - type: sbom/cyclone-dx
+ attestors:
+ - entries:
+ - certificates:
+ cert: |-
+ -----BEGIN CERTIFICATE-----
+ MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
+ BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
+ Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
+ MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
+ dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
+ b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
+ hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
+ Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
+ Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
+ ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
+ A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
+ CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
+ kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
+ Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
+ ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
+ 5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
+ uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
+ -----END CERTIFICATE-----
+ conditions:
+ - all:
+ - key: "{{ components[].licenses[].expression }}"
+ operator: AllIn
+ value: ["GPL-3.0"]
+
+```
+
+After this policy is applied, Kyverno will verify the signature on the sbom/cyclone-dx attestation and check if the license version of all the components in the SBOM is `GPL-3.0`.
+
+```sh
+kubectl run test --image=ghcr.io/kyverno/test-verify-image:signed --dry-run=server
+pod/test created (server dry run)
+```
\ No newline at end of file