From 1ba849a81fdbabffc2f561bbdd5ebcf29e5dc512 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Mon, 28 Oct 2024 04:48:36 +0530 Subject: [PATCH] feat(docs): regexp support in cosign keyless verification (#1327) * feat(docs): regexp support in cosign keyless verification Signed-off-by: Vishal Choudhary * fix: grammatical errors Signed-off-by: Vishal Choudhary --------- Signed-off-by: Vishal Choudhary --- .../verify-images/sigstore/_index.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/content/en/docs/writing-policies/verify-images/sigstore/_index.md b/content/en/docs/writing-policies/verify-images/sigstore/_index.md index 01dfc66d3..4703703b8 100644 --- a/content/en/docs/writing-policies/verify-images/sigstore/_index.md +++ b/content/en/docs/writing-policies/verify-images/sigstore/_index.md @@ -506,6 +506,35 @@ spec: url: https://rekor.sigstore.dev ``` +The following policy verifies an image signed using [keyless signing](https://docs.sigstore.dev/signing/overview/) with regular expressions for subject and issuer: + +```yaml +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-image-keyless +spec: + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 + rules: + - name: check-image-keyless + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "ghcr.io/kyverno/test-verify-image:signed-keyless" + attestors: + - entries: + - keyless: + subjectRegExp: https://github\.com/.+ + issuerRegExp: https://token\.actions\.githubusercontent.+ + rekor: + url: https://rekor.sigstore.dev +``` + ### Keyless signing To sign images using the keyless flow, use the following cosign command: @@ -539,6 +568,7 @@ attestors: url: https://rekor.sigstore.dev ``` + ## Using a Key Management Service (KMS) Kyverno and Cosign support using Key Management Services (KMS) such as AWS, GCP, Azure, and HashiCorp Vault. This integration allows referencing public and private keys using a URI syntax, instead of embedding the key directly in the policy.