Back to catalog

Red Hat images must be signed by a Red Hat release key

No violationsstackroxhighbuilddeploy

Alert when Red Hat images are not digitally signed by Red Hat

Rationale
Red Hat images should be signed using Red Hat's Cosign product signing keys (https://access.redhat.com/security/team/key). Older OpenShift images that predate the introduction of Cosign signatures may not be signed.
Remediation
Confirm the authenticity of the image by reaching out to Red Hat support.
CategoriesSupply Chain Security
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.5.1
DORA EU 2022/2554
Art. 28.1
ISO/IEC 27001 2022
A.8.25
NIST SP 800-53 rev. 5
SR-11SR-4
PCI DSS 4.0
6.4.3
SOC 2 2017 TSC
CC6.8

Generated artifacts

3 of 5 targets supported
red-hat-images-must-be-signed-by-a-red-hat-release-key.yaml
# TODO: configure cosign in opserapol.config.yaml (cosign.method: key|keyless) — this rule ships with PLACEHOLDER attestor values and will block every image until configured.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: red-hat-images-must-be-signed-by-a-red-hat-release-key
  annotations:
    policies.kyverno.io/title: Red Hat images must be signed by a Red Hat release key
    policies.kyverno.io/category: Supply Chain Security
    policies.kyverno.io/severity: high
    policies.kyverno.io/description: Alert when Red Hat images are not digitally signed by Red Hat
    policies.kyverno.io/remediation: Confirm the authenticity of the image by reaching out to Red Hat support.
    policies.kyverno.io/rationale: Red Hat images should be signed using Red Hat's Cosign product signing keys (https://access.redhat.com/security/team/key). Older OpenShift images that predate the introduction of Cosign signatures may not be signed.
    policies.io/source: stackrox
    policies.io/source-id: c6fd7cb3-de34-4918-be4c-370006330357
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: red-hat-images-must-be-signed-by-a-red-hat-re-verify-signature
      match: &a1
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "*"
          verifyDigest: true
          required: true
          attestors:
            - entries:
                - keyless:
                    issuer: https://accounts.example.com
                    subject: signer@example.com
                    rekor:
                      url: https://rekor.sigstore.dev
      exclude:
        any:
          - resources:
              namespaces:
                - openshift-marketplace
    - name: red-hat-images-must-be-signed-by-a-red-hat-release
      match: *a1
      validate:
        message: 'Policy "Red Hat images must be signed by a Red Hat release key" violated: Alert when Red Hat images are not digitally signed by Red Hat'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.containers[].image }}"
                operator: AnyIn
                value:
                  - registry.access.redhat.com/*
                  - registry.redhat.io/*
      exclude:
        any:
          - resources:
              namespaces:
                - openshift-marketplace
    - name: red-hat-images-must-be-signed-by-a-red-hat-release-2
      match: *a1
      validate:
        message: 'Policy "Red Hat images must be signed by a Red Hat release key" violated: Alert when Red Hat images are not digitally signed by Red Hat'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.containers[].image }}"
                operator: AnyIn
                value:
                  - quay.io/*
              - key: "{{ request.object.spec.containers[].image }}"
                operator: AnyIn
                value:
                  - "*openshift-release-dev/ocp-release*"
                  - "*openshift-release-dev/ocp-v4.0-art-dev*"
      exclude:
        any:
          - resources:
              namespaces:
                - openshift-marketplace
IR (canonical)
{
  "id": "c6fd7cb3-de34-4918-be4c-370006330357",
  "name": "Red Hat images must be signed by a Red Hat release key",
  "description": "Alert when Red Hat images are not digitally signed by Red Hat",
  "rationale": "Red Hat images should be signed using Red Hat's Cosign product signing keys (https://access.redhat.com/security/team/key). Older OpenShift images that predate the introduction of Cosign signatures may not be signed.",
  "remediation": "Confirm the authenticity of the image by reaching out to Red Hat support.",
  "severity": "high",
  "categories": [
    "Supply Chain Security"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "Do not alert on the openshift-marketplace namespace because catalog images are not yet signed",
      "namespace": "openshift-marketplace"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "or",
    "children": [
      {
        "op": "and",
        "children": [
          {
            "op": "criterion",
            "field": "image-registry",
            "values": [
              "registry.access.redhat.com",
              "registry.redhat.io"
            ],
            "valuesOp": "or",
            "negate": false
          },
          {
            "op": "criterion",
            "field": "image-signature-verified-by",
            "values": [
              "io.stackrox.signatureintegration.12a37a37-760e-4388-9e79-d62726c075b2"
            ],
            "valuesOp": "or",
            "negate": false
          }
        ]
      },
      {
        "op": "and",
        "children": [
          {
            "op": "criterion",
            "field": "image-registry",
            "values": [
              "quay.io"
            ],
            "valuesOp": "or",
            "negate": false
          },
          {
            "op": "criterion",
            "field": "image-remote",
            "values": [
              "openshift-release-dev/ocp-release",
              "openshift-release-dev/ocp-v4.0-art-dev"
            ],
            "valuesOp": "or",
            "negate": false
          },
          {
            "op": "criterion",
            "field": "image-signature-verified-by",
            "values": [
              "io.stackrox.signatureintegration.12a37a37-760e-4388-9e79-d62726c075b2"
            ],
            "valuesOp": "or",
            "negate": false
          }
        ]
      }
    ]
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "c6fd7cb3-de34-4918-be4c-370006330357",
  "name": "Red Hat images must be signed by a Red Hat release key",
  "description": "Alert when Red Hat images are not digitally signed by Red Hat",
  "rationale": "Red Hat images should be signed using Red Hat's Cosign product signing keys (https://access.redhat.com/security/team/key). Older OpenShift images that predate the introduction of Cosign signatures may not be signed.",
  "remediation": "Confirm the authenticity of the image by reaching out to Red Hat support.",
  "disabled": true,
  "categories": [
    "Supply Chain Security"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Do not alert on the openshift-marketplace namespace because catalog images are not yet signed",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-marketplace",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "All images in certain Red Hat registries must be signed by Red Hat",
      "policyGroups": [
        {
          "fieldName": "Image Registry",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "registry.access.redhat.com"
            },
            {
              "value": "registry.redhat.io"
            }
          ]
        },
        {
          "fieldName": "Image Signature Verified By",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "io.stackrox.signatureintegration.12a37a37-760e-4388-9e79-d62726c075b2"
            }
          ]
        }
      ]
    },
    {
      "sectionName": "All images in selected Red Hat owned quay.io remotes must be signed by Red Hat",
      "policyGroups": [
        {
          "fieldName": "Image Registry",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "quay.io"
            }
          ]
        },
        {
          "fieldName": "Image Remote",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "openshift-release-dev/ocp-release"
            },
            {
              "value": "openshift-release-dev/ocp-v4.0-art-dev"
            }
          ]
        },
        {
          "fieldName": "Image Signature Verified By",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "io.stackrox.signatureintegration.12a37a37-760e-4388-9e79-d62726c075b2"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [
    {
      "tactic": "TA0001",
      "techniques": [
        "T1195.002"
      ]
    }
  ],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}