Merged
6 changes: 3 additions & 3 deletions policies/kyverno/supply-chain/base/verify-images.yaml
@@ -15,9 +15,9 @@ metadata:
image — hand-pushed or tampered — fails verification. Images outside
ghcr.io/nanohype/* are not matched and pass unaffected.
spec:
# Audit during the signature rollout: report every unsigned nanohype image
# in PolicyReports without blocking admission. Overlays flip this to Enforce
# per environment once reports are clean (see overlays/).
# Base is Audit: dev keeps it (violations land in PolicyReports without
# blocking iteration); the staging and production overlays patch this to
# Enforce so unsigned images are rejected at admission (see overlays/).
validationFailureAction: Audit
# Image verification calls the registry + Rekor; the 10s default is tight.
webhookTimeoutSeconds: 30
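Review bot: the rewritten comment makes the base fail open: with `validationFailureAction: Audit` left as the default, any overlay (or a future cluster) that forgets the patch silently runs audit-only, and nothing in this hunk catches that. Consider inverting it so the base carries `Enforce` and only the dev overlay patches down to `Audit`, so a missing patch fails closed. The trailing context (`webhookTimeoutSeconds: 30`, registry + Rekor round trips) also matters more once overlays enforce: confirm the policy's `failurePolicy` is `Fail` so a slow or unreachable Rekor blocks admission rather than letting an unverified image through.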
@@ -4,13 +4,14 @@ kind: Kustomization
resources:
- ../../base

# Production: Audit during the signature rollout. Flip value to Enforce once
# staging has run a clean audit week and every ghcr.io/nanohype/* image
# verifies — at which point an unsigned or tampered image is blocked at admission.
# Production: an unsigned or tampered ghcr.io/nanohype/* image is blocked at
# admission. Every factory image is keyless-signed by its release workflow,
# so a verification failure means hand-pushed or altered — exactly what must
# not run here.
patches:
- patch: |-
- op: replace
path: /spec/validationFailureAction
value: Audit
value: Enforce
target:
kind: ClusterPolicy
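Review bot: the replaced comment carried the flip gate (a clean audit week in staging and every ghcr.io/nanohype/* image verifying), and nothing in this hunk records that the gate was met; state the evidence in the PR description or keep a one-line pointer so the next reader knows why Enforce is safe here. The new comment's "a verification failure means hand-pushed or altered" is also too strong: a registry or Rekor outage now produces the same admission failure, so make sure those cases are distinguishable in PolicyReports or alerts before every rejection is treated as tampering.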
@@ -4,12 +4,12 @@ kind: Kustomization
resources:
- ../../base

# Staging: Audit during the signature rollout. Flip value to Enforce once the
# PolicyReports here show every ghcr.io/nanohype/* image verifying clean.
# Staging: enforce, same as production, so an unsigned image surfaces as an
# admission failure in staging before it ever reaches a production rollout.
patches:
- patch: |-
- op: replace
path: /spec/validationFailureAction
value: Audit
value: Enforce
target:
kind: ClusterPolicy
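Review bot: the staging and production overlays now carry byte-identical patches, differing only in comments, which invites drift when one is edited and the other is not. Either hoist Enforce into the base and let dev alone patch to Audit, or factor the `validationFailureAction` patch into a shared kustomize component both overlays include. The comment's promise that an unsigned image "surfaces ... before it ever reaches a production rollout" also only holds if staging deploys strictly ahead of production; worth confirming that ordering in the release workflow.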