{"id":"05608c59-844e-41d6-84f6-26516a93625a","task":"Configure Kyverno verifyImages with cosign keyless signing using Fulcio and Rekor to enforce that only verified images are admitted","domain":"security/compliance","steps":["Write a ClusterPolicy with a verifyImages rule; specify the image glob pattern (e.g., ghcr.io/my-org/*) under the image field.","In the attestors block, use a keyless entry referencing the OIDC issuer URL of your CI provider (e.g., the GitHub Actions OIDC issuer) and the expected certificate subject (e.g., the workflow URL pattern) so only images signed by that workflow are accepted.","Set mutateDigest to true so Kyverno rewrites the image tag to a digest reference after verification, preventing tag mutation attacks.","Apply the policy in Audit mode first, then switch to Enforce after confirming that your CI pipelines are consistently signing images and the certificate subject patterns match.","Test with a locally built and unsigned image to confirm denial, and with a correctly signed image from the expected workflow to confirm admission."],"gotchas":["The certificate subject in keyless verification must exactly match the OIDC claim embedded in the Fulcio certificate; mismatches between the issuer URL and the signing workflow URL cause all verifications to fail.","Kyverno contacts the Rekor transparency log and Fulcio CA during admission; network policies and firewall rules must allow egress from Kyverno pods to the Sigstore public infrastructure (or your private instance).","cosign keyless signing is sensitive to clock skew; images signed with a token that has expired or has a timestamp far from the Rekor entry time may fail verification — ensure CI runner clocks are accurate."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:40:37.260Z"},"url":"https://mcp.waymark.network/r/05608c59-844e-41d6-84f6-26516a93625a"}