Skip to content

Enforce image signature verification in staging and production#87

Merged
stxkxs merged 1 commit into
mainfrom
enforce-image-verification
Jul 2, 2026
Merged

Enforce image signature verification in staging and production#87
stxkxs merged 1 commit into
mainfrom
enforce-image-verification

Conversation

@stxkxs

@stxkxs stxkxs commented Jul 2, 2026

Copy link
Copy Markdown
Member

Why

verify-images validated Cosign keyless signatures on every ghcr.io/nanohype/* image, but all three environment overlays kept validationFailureAction: Audit — unsigned or tampered images were reported and then admitted anyway. Meanwhile the README's environment table and the troubleshooting runbook already document staging/production as Enforce; the supply-chain policy set was the one Audit holdout.

What

  • staging + production overlays patch validationFailureAction to Enforce — unsigned/foreign-signed/tampered ghcr.io/nanohype/* images are rejected at admission
  • dev stays Audit (PolicyReports, non-blocking iteration)
  • base + overlay comments describe the enforcement split as designed

Validation

task validate green; kustomize render shows production/staging = Enforce, dev = Audit. Rollback: revert the overlay patch value — reports keep flowing either way.

The verify-images ClusterPolicy checked every ghcr.io/nanohype/* image
for a keyless Cosign signature from the org release workflows, but all
three environment overlays left validationFailureAction at Audit — so
an unsigned or tampered image was reported in PolicyReports and then
admitted anyway. The signatures exist (every release workflow signs and
attests an SBOM); the admission gate was the missing half.

Staging and production overlays now patch the policy to Enforce: an
image that is unsigned, foreign-signed, or altered after signing is
rejected at admission. Staging enforces for the same reason it mirrors
production elsewhere — an unsigned image should fail there first, not
surface for the first time during a production rollout. Dev stays
Audit so local/dev iteration isn't blocked while images churn; base
comments now describe that split directly.

This also brings the policy in line with what the repo already
documented: the README's environment table and the troubleshooting
runbook both state staging/production run Kyverno in Enforce.
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

CI Results

Check Status
YAML Lint ✅ success
Render + assert + schema + misconfig (all environments) ✅ success

All checks passed.

@stxkxs stxkxs merged commit 0c6e556 into main Jul 2, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant