Red Hat images must be signed by a Red Hat release key
No violationsstackroxhighbuilddeployAlert when Red Hat images are not digitally signed by Red Hat
- Rationale
- Red Hat images should be signed using Red Hat's Cosign product signing keys (https://access.redhat.com/security/team/key). Older OpenShift images that predate the introduction of Cosign signatures may not be signed.
- Remediation
- Confirm the authenticity of the image by reaching out to Red Hat support.
CategoriesSupply Chain Security
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.5.1
- DORA EU 2022/2554
- Art. 28.1
- ISO/IEC 27001 2022
- A.8.25
- NIST SP 800-53 rev. 5
- SR-11SR-4
- PCI DSS 4.0
- 6.4.3
- SOC 2 2017 TSC
- CC6.8
Generated artifacts
3 of 5 targets supportedred-hat-images-must-be-signed-by-a-red-hat-release-key.yaml
# TODO: configure cosign in opserapol.config.yaml (cosign.method: key|keyless) — this rule ships with PLACEHOLDER attestor values and will block every image until configured.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: red-hat-images-must-be-signed-by-a-red-hat-release-key
annotations:
policies.kyverno.io/title: Red Hat images must be signed by a Red Hat release key
policies.kyverno.io/category: Supply Chain Security
policies.kyverno.io/severity: high
policies.kyverno.io/description: Alert when Red Hat images are not digitally signed by Red Hat
policies.kyverno.io/remediation: Confirm the authenticity of the image by reaching out to Red Hat support.
policies.kyverno.io/rationale: Red Hat images should be signed using Red Hat's Cosign product signing keys (https://access.redhat.com/security/team/key). Older OpenShift images that predate the introduction of Cosign signatures may not be signed.
policies.io/source: stackrox
policies.io/source-id: c6fd7cb3-de34-4918-be4c-370006330357
spec:
validationFailureAction: Enforce
background: true
rules:
- name: red-hat-images-must-be-signed-by-a-red-hat-re-verify-signature
match: &a1
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "*"
verifyDigest: true
required: true
attestors:
- entries:
- keyless:
issuer: https://accounts.example.com
subject: signer@example.com
rekor:
url: https://rekor.sigstore.dev
exclude:
any:
- resources:
namespaces:
- openshift-marketplace
- name: red-hat-images-must-be-signed-by-a-red-hat-release
match: *a1
validate:
message: 'Policy "Red Hat images must be signed by a Red Hat release key" violated: Alert when Red Hat images are not digitally signed by Red Hat'
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[].image }}"
operator: AnyIn
value:
- registry.access.redhat.com/*
- registry.redhat.io/*
exclude:
any:
- resources:
namespaces:
- openshift-marketplace
- name: red-hat-images-must-be-signed-by-a-red-hat-release-2
match: *a1
validate:
message: 'Policy "Red Hat images must be signed by a Red Hat release key" violated: Alert when Red Hat images are not digitally signed by Red Hat'
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[].image }}"
operator: AnyIn
value:
- quay.io/*
- key: "{{ request.object.spec.containers[].image }}"
operator: AnyIn
value:
- "*openshift-release-dev/ocp-release*"
- "*openshift-release-dev/ocp-v4.0-art-dev*"
exclude:
any:
- resources:
namespaces:
- openshift-marketplace
IR (canonical)
{
"id": "c6fd7cb3-de34-4918-be4c-370006330357",
"name": "Red Hat images must be signed by a Red Hat release key",
"description": "Alert when Red Hat images are not digitally signed by Red Hat",
"rationale": "Red Hat images should be signed using Red Hat's Cosign product signing keys (https://access.redhat.com/security/team/key). Older OpenShift images that predate the introduction of Cosign signatures may not be signed.",
"remediation": "Confirm the authenticity of the image by reaching out to Red Hat support.",
"severity": "high",
"categories": [
"Supply Chain Security"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "Do not alert on the openshift-marketplace namespace because catalog images are not yet signed",
"namespace": "openshift-marketplace"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "or",
"children": [
{
"op": "and",
"children": [
{
"op": "criterion",
"field": "image-registry",
"values": [
"registry.access.redhat.com",
"registry.redhat.io"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "image-signature-verified-by",
"values": [
"io.stackrox.signatureintegration.12a37a37-760e-4388-9e79-d62726c075b2"
],
"valuesOp": "or",
"negate": false
}
]
},
{
"op": "and",
"children": [
{
"op": "criterion",
"field": "image-registry",
"values": [
"quay.io"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "image-remote",
"values": [
"openshift-release-dev/ocp-release",
"openshift-release-dev/ocp-v4.0-art-dev"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "image-signature-verified-by",
"values": [
"io.stackrox.signatureintegration.12a37a37-760e-4388-9e79-d62726c075b2"
],
"valuesOp": "or",
"negate": false
}
]
}
]
},
"disabled": true
}Original StackRox JSON
{
"id": "c6fd7cb3-de34-4918-be4c-370006330357",
"name": "Red Hat images must be signed by a Red Hat release key",
"description": "Alert when Red Hat images are not digitally signed by Red Hat",
"rationale": "Red Hat images should be signed using Red Hat's Cosign product signing keys (https://access.redhat.com/security/team/key). Older OpenShift images that predate the introduction of Cosign signatures may not be signed.",
"remediation": "Confirm the authenticity of the image by reaching out to Red Hat support.",
"disabled": true,
"categories": [
"Supply Chain Security"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Do not alert on the openshift-marketplace namespace because catalog images are not yet signed",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-marketplace",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "All images in certain Red Hat registries must be signed by Red Hat",
"policyGroups": [
{
"fieldName": "Image Registry",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "registry.access.redhat.com"
},
{
"value": "registry.redhat.io"
}
]
},
{
"fieldName": "Image Signature Verified By",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "io.stackrox.signatureintegration.12a37a37-760e-4388-9e79-d62726c075b2"
}
]
}
]
},
{
"sectionName": "All images in selected Red Hat owned quay.io remotes must be signed by Red Hat",
"policyGroups": [
{
"fieldName": "Image Registry",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "quay.io"
}
]
},
{
"fieldName": "Image Remote",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "openshift-release-dev/ocp-release"
},
{
"value": "openshift-release-dev/ocp-v4.0-art-dev"
}
]
},
{
"fieldName": "Image Signature Verified By",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "io.stackrox.signatureintegration.12a37a37-760e-4388-9e79-d62726c075b2"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [
{
"tactic": "TA0001",
"techniques": [
"T1195.002"
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}