Write a ClusterPolicy with a verifyImages rule; specify the image glob pattern (e.g., ghcr.io/my-org/*) under the image field.
In the attestors block, use a keyless entry referencing the OIDC issuer URL of your CI provider (e.g., the GitHub Actions OIDC issuer) and the expected certificate subject (e.g., the workflow URL pattern) so only images signed by that workflow are accepted.
Set mutateDigest to true so Kyverno rewrites the image tag to a digest reference after verification, preventing tag mutation attacks.
Apply the policy in Audit mode first, then switch to Enforce after confirming that your CI pipelines are consistently signing images and the certificate subject patterns match.
Test with a locally built and unsigned image to confirm denial, and with a correctly signed image from the expected workflow to confirm admission.
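The five steps above, assembled into one manifest as an added example (this is not code from the original page or from the Kyverno project): a ClusterPolicy in Audit mode with a keyless attestor, followed by two constructed test Pods. The organisation, repository, workflow file and branch names are assumptions; substitute your own. Current Kyverno releases name the image pattern field `imageReferences` (older releases called it `image`).

```yaml
# Added example (not from the original page): Kyverno ClusterPolicy for
# keyless verification of images under ghcr.io/my-org/*, signed by a
# GitHub Actions workflow. Org, repo, workflow file and branch are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-ghcr-images-keyless
spec:
  # Audit: violations are recorded in PolicyReports, nothing is blocked.
  # Change to Enforce once CI signs every image and the subject pattern matches.
  validationFailureAction: Audit
  # Verification calls Fulcio/Rekor over the network; allow the webhook time to finish.
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: verify-ghcr-keyless
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:           # glob of images this rule applies to
            - "ghcr.io/my-org/*"
          required: true             # an unverifiable image is a violation
          mutateDigest: true         # rewrite tag -> digest after verification
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Must equal the issuer claim Fulcio embeds in the certificate.
                    issuer: "https://token.actions.githubusercontent.com"
                    # Must match the workflow identity (certificate SAN).
                    # Wildcards are accepted, e.g. "https://github.com/my-org/*".
                    subject: "https://github.com/my-org/my-app/.github/workflows/release.yaml@refs/heads/main"
                    rekor:
                      url: "https://rekor.sigstore.dev"
---
# Constructed test Pod 1: locally built, never signed.
# Expected: a PolicyReport violation in Audit mode, admission denied in Enforce.
apiVersion: v1
kind: Pod
metadata:
  name: unsigned-test
spec:
  containers:
    - name: app
      image: ghcr.io/my-org/local-build:dev
---
# Constructed test Pod 2: image built and signed by the release workflow above.
# Expected: admitted, with the image reference rewritten by mutateDigest to
# ghcr.io/my-org/my-app@sha256:<digest>.
apiVersion: v1
kind: Pod
metadata:
  name: signed-test
spec:
  containers:
    - name: app
      image: ghcr.io/my-org/my-app:1.2.0
```

Apply with `kubectl apply -f` and inspect `kubectl get policyreport -A` while in Audit mode; after switching to Enforce, `kubectl get pod signed-test -o jsonpath='{.spec.containers[0].image}'` should show the digest reference.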
Known gotchas
The certificate subject in keyless verification must exactly match the OIDC claim embedded in the Fulcio certificate; mismatches between the issuer URL and the signing workflow URL cause all verifications to fail.
Kyverno contacts the Rekor transparency log and Fulcio CA during admission; network policies and firewall rules must allow egress from Kyverno pods to the Sigstore public infrastructure (or your private instance).
cosign keyless signing is sensitive to clock skew; images signed with a token that has expired or has a timestamp far from the Rekor entry time may fail verification — ensure CI runner clocks are accurate.
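For the egress gotcha above, an added example (not from the original page) of a NetworkPolicy that denies all egress from the Kyverno admission controller except cluster DNS and HTTPS, which covers the API server, the image registry and the public Sigstore endpoints (Fulcio, Rekor and the TUF root). The `kyverno` namespace and the pod label are assumed to match a default Helm install; confirm them with `kubectl -n kyverno get pods --show-labels` before applying.

```yaml
# Added example (not from the original page): restrict Kyverno admission
# controller egress to what keyless verification needs. Namespace and
# pod labels are assumptions; adjust to your installation.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kyverno-admission-egress
  namespace: kyverno
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
  policyTypes:
    - Egress
  egress:
    # Cluster DNS, needed to resolve rekor.sigstore.dev, fulcio.sigstore.dev, etc.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # HTTPS to any destination: API server, registry and Sigstore infrastructure.
    # Sigstore's public endpoints sit behind load balancers whose IPs change, so
    # scope by port here and by hostname at the egress firewall/proxy if needed.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 6443   # common API server port; adjust to your cluster
```

If verification starts failing after this policy is applied, check the Kyverno admission controller logs for timeouts reaching Rekor or Fulcio before suspecting the certificate subject.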