Back to catalog

Require Signed Images

No violationscustomhighdeploy

All container images must carry a valid cosign signature.

Rationale
Unsigned images cannot be traced to a trusted builder and may have been tampered with in transit.
Remediation
Sign images with cosign in CI before pushing (cosign sign <image>), and configure the verifier in opserapol.config.yaml under "cosign".
CategoriesSupply Chain Security

Defined in /app/policies/require-signed-images.yaml

Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.5.1
DORA EU 2022/2554
Art. 28.1
ISO/IEC 27001 2022
A.8.25
NIST SP 800-53 rev. 5
SR-11SR-4
PCI DSS 4.0
6.4.3
SOC 2 2017 TSC
CC6.8

Generated artifacts

3 of 5 targets supported
require-signed-images.yaml
# TODO: configure cosign in opserapol.config.yaml (cosign.method: key|keyless) — this rule ships with PLACEHOLDER attestor values and will block every image until configured.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
  annotations:
    policies.kyverno.io/title: Require Signed Images
    policies.kyverno.io/category: Supply Chain Security
    policies.kyverno.io/severity: high
    policies.kyverno.io/description: All container images must carry a valid cosign signature.
    policies.kyverno.io/remediation: Sign images with cosign in CI before pushing (cosign sign <image>), and configure the verifier in opserapol.config.yaml under "cosign".
    policies.kyverno.io/rationale: Unsigned images cannot be traced to a trusted builder and may have been tampered with in transit.
    policies.io/source: custom
    policies.io/source-id: custom-require-signed-images
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: require-signed-images-verify-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "*"
          verifyDigest: true
          required: true
          attestors:
            - entries:
                - keyless:
                    issuer: https://accounts.example.com
                    subject: signer@example.com
                    rekor:
                      url: https://rekor.sigstore.dev
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
IR (canonical)
{
  "id": "custom-require-signed-images",
  "name": "Require Signed Images",
  "description": "All container images must carry a valid cosign signature.",
  "rationale": "Unsigned images cannot be traced to a trusted builder and may have been tampered with in transit.",
  "remediation": "Sign images with cosign in CI before pushing (cosign sign <image>), and configure the verifier in opserapol.config.yaml under \"cosign\".",
  "severity": "high",
  "categories": [
    "Supply Chain Security"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "namespace": "kube-system"
    }
  ],
  "enforcement": {
    "admissionAction": "enforce"
  },
  "expression": {
    "op": "and",
    "children": [
      {
        "op": "criterion",
        "field": "image-signature-verified-by",
        "values": [
          "cosign"
        ],
        "valuesOp": "or",
        "negate": false
      }
    ]
  },
  "disabled": false,
  "compliance": [
    {
      "framework": "pci-dss-4",
      "controls": [
        "6.4.3"
      ]
    },
    {
      "framework": "cis-k8s",
      "controls": [
        "5.5.1"
      ]
    },
    {
      "framework": "nist-800-53",
      "controls": [
        "SR-4",
        "SR-11"
      ]
    }
  ]
}