feat(policies): verify-images Kyverno policy for factory-built images#12
Merged
Conversation
Mirrors the eks-gitops supply-chain policy onto AKS. The factory's tenants and
operator publish to ghcr.io/nanohype/* and are signed by their release
workflows (keyless OIDC) regardless of which cluster they land on, so the
registry-scoped signature check applies identically on AKS clusters.
─────────────────────────── What changed ───────────────────────────
policies/kyverno/supply-chain/ (new) — a `verify-images` ClusterPolicy with
base + dev/staging/production overlays:
- Scopes to imageReferences `ghcr.io/nanohype/*`; foreign images pass untouched.
- Keyless Cosign attestor matching the release-workflow identity (issuer
GitHub Actions OIDC, subject `github.com/nanohype/<repo>/.github/workflows/
release.ya?ml@refs/tags/*`), verified against public Rekor.
- required: true, mutateDigest/verifyDigest: false; webhookTimeoutSeconds: 30.
- Excludes kube-system/kube-public/kube-node-lease/kyverno.
applicationsets/kyverno-policies.yaml — adds the `kyverno-supply-chain` entry
at sync-wave 22, same matrix generator and per-environment overlay path as the
existing policy groups.
─────────────────────────── Rollout ───────────────────────────
Ships in Audit across all three environments — unsigned ghcr.io/nanohype/*
images are reported, not blocked. The overlays make the flip to Enforce a
one-line value change per environment, staging first after a clean audit week.
Validated with `task validate` (yamllint + kustomize build, all environments).
CI Results
All validations passed.
Why
Sibling of nanohype/eks-gitops#47. The factory signs every image it ships (keyless Cosign in the operator + tenant release workflows), but no cluster verified those signatures — a hand-pushed or tampered image was admitted like a signed one. Tenants publish to ghcr.io/nanohype/* regardless of cluster, so the same registry-scoped check belongs on AKS.

What
New policies/kyverno/supply-chain/ group (pure Kustomize, like best-practices / pod-security-standards):
- `verify-images` ClusterPolicy scoped to `ghcr.io/nanohype/*` (foreign images pass untouched).
- Keyless Cosign attestor (issuer GitHub Actions OIDC, subject `github.com/nanohype/<repo>/.github/workflows/release.ya?ml@refs/tags/*`), public Rekor.
- required: true, mutateDigest/verifyDigest: false, webhookTimeoutSeconds: 30.
- `kyverno-supply-chain` entry at sync-wave 22.

Rollout
Audit across all three envs (report, don't block). Flip to Enforce is a one-line Audit→Enforce change per overlay — staging first after a clean audit week, then production.

Verification
`task validate` (yamllint + `kustomize build`, all environments) — green.
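The policy and the per-overlay Audit→Enforce flip described above, written out as an added illustration rather than the PR's own files. File paths, the rule name, and the use of Kyverno wildcards (`*` for the PR's `<repo>` placeholder, `y*ml` for its `ya?ml`, since Kyverno matches `subject` with globs, not regex) are assumptions.

```yaml
# base/verify-images.yaml (assumed file name)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Audit   # report only; overlays flip this to Enforce
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: verify-nanohype-release-signatures
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system, kube-public, kube-node-lease, kyverno]
      verifyImages:
        - imageReferences:
            - "ghcr.io/nanohype/*"   # images outside this registry scope are not evaluated
          required: true            # a matching image with no valid signature fails the rule
          mutateDigest: false       # do not rewrite tags to digests on admission
          verifyDigest: false       # do not insist the reference already be a digest
          attestors:
            - count: 1
              entries:
                - keyless:
                    issuer: https://token.actions.githubusercontent.com
                    # Kyverno glob: `*` stands for the PR's `<repo>`, `y*ml` for `ya?ml`
                    subject: "https://github.com/nanohype/*/.github/workflows/release.y*ml@refs/tags/*"
                    rekor:
                      url: https://rekor.sigstore.dev
---
# overlays/staging/kustomization.yaml (assumed path): the one-line Audit -> Enforce flip
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patches:
  - target:
      kind: ClusterPolicy
      name: verify-images
    patch: |-
      - op: replace
        path: /spec/validationFailureAction
        value: Enforce
```

In Audit mode a Pod pulling an unsigned `ghcr.io/nanohype/*` image is admitted but produces a PolicyReport entry for the rule; the same admission request is rejected once the overlay patch above is applied.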