Require Signed Images
No violationscustomhighdeployAll container images must carry a valid cosign signature.
- Rationale
- Unsigned images cannot be traced to a trusted builder and may have been tampered with in transit.
- Remediation
- Sign images with cosign in CI before pushing (cosign sign <image>), and configure the verifier in opserapol.config.yaml under "cosign".
CategoriesSupply Chain Security
Defined in /app/policies/require-signed-images.yaml
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.5.1
- DORA EU 2022/2554
- Art. 28.1
- ISO/IEC 27001 2022
- A.8.25
- NIST SP 800-53 rev. 5
- SR-11SR-4
- PCI DSS 4.0
- 6.4.3
- SOC 2 2017 TSC
- CC6.8
Generated artifacts
3 of 5 targets supportedrequire-signed-images.yaml
# TODO: configure cosign in opserapol.config.yaml (cosign.method: key|keyless) — this rule ships with PLACEHOLDER attestor values and will block every image until configured.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-signed-images
annotations:
policies.kyverno.io/title: Require Signed Images
policies.kyverno.io/category: Supply Chain Security
policies.kyverno.io/severity: high
policies.kyverno.io/description: All container images must carry a valid cosign signature.
policies.kyverno.io/remediation: Sign images with cosign in CI before pushing (cosign sign <image>), and configure the verifier in opserapol.config.yaml under "cosign".
policies.kyverno.io/rationale: Unsigned images cannot be traced to a trusted builder and may have been tampered with in transit.
policies.io/source: custom
policies.io/source-id: custom-require-signed-images
spec:
validationFailureAction: Enforce
background: true
rules:
- name: require-signed-images-verify-signature
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "*"
verifyDigest: true
required: true
attestors:
- entries:
- keyless:
issuer: https://accounts.example.com
subject: signer@example.com
rekor:
url: https://rekor.sigstore.dev
exclude:
any:
- resources:
namespaces:
- kube-system
IR (canonical)
{
"id": "custom-require-signed-images",
"name": "Require Signed Images",
"description": "All container images must carry a valid cosign signature.",
"rationale": "Unsigned images cannot be traced to a trusted builder and may have been tampered with in transit.",
"remediation": "Sign images with cosign in CI before pushing (cosign sign <image>), and configure the verifier in opserapol.config.yaml under \"cosign\".",
"severity": "high",
"categories": [
"Supply Chain Security"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"namespace": "kube-system"
}
],
"enforcement": {
"admissionAction": "enforce"
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "image-signature-verified-by",
"values": [
"cosign"
],
"valuesOp": "or",
"negate": false
}
]
},
"disabled": false,
"compliance": [
{
"framework": "pci-dss-4",
"controls": [
"6.4.3"
]
},
{
"framework": "cis-k8s",
"controls": [
"5.5.1"
]
},
{
"framework": "nist-800-53",
"controls": [
"SR-4",
"SR-11"
]
}
]
}