feat(docs): regexp support in cosign keyless verification (#1327)

* feat(docs): regexp support in cosign keyless verification Signed-off-by: Vishal Choudhary <[email protected]> * fix: grammatical errors Signed-off-by: Vishal Choudhary <[email protected]> --------- Signed-off-by: Vishal Choudhary <[email protected]>
kyverno · Oct 27, 2024 · 1ba849a · 1ba849a
1 parent b692d4e
commit 1ba849a
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/content/en/docs/writing-policies/verify-images/sigstore/_index.md b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
@@ -506,6 +506,35 @@ spec:
                 url: https://rekor.sigstore.dev
 ```
 
+The following policy verifies an image signed using [keyless signing](https://docs.sigstore.dev/signing/overview/) with regular expressions for subject and issuer:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-image-keyless
+spec:
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+  rules:
+    - name: check-image-keyless
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - imageReferences:
+        - "ghcr.io/kyverno/test-verify-image:signed-keyless"
+        attestors:
+        - entries:
+          - keyless:
+              subjectRegExp: https://github\.com/.+
+              issuerRegExp: https://token\.actions\.githubusercontent.+
+              rekor:
+                url: https://rekor.sigstore.dev
+```
+
 ### Keyless signing
 
 To sign images using the keyless flow, use the following cosign command:
@@ -539,6 +568,7 @@ attestors:
         url: https://rekor.sigstore.dev
 ```
 
+
 ## Using a Key Management Service (KMS)
 
 Kyverno and Cosign support using Key Management Services (KMS) such as AWS, GCP, Azure, and HashiCorp Vault. This integration allows referencing public and private keys using a URI syntax, instead of embedding the key directly in the policy.