1. Define a Kyverno ClusterPolicy with a verifyImages rule specifying the expected image reference pattern and attestor configuration
2. Configure the attestor block with the appropriate keyless or key-based trust anchor (Fulcio/Rekor for keyless, or a static public key)
3. Set the mutateDigest option to ensure admitted images are pinned to a verified digest in the pod spec
4. Deploy the policy in audit mode and review violations before switching to enforce
5. Test by attempting to deploy an unsigned or differently-signed image and confirm it is blocked
6. Set up alerting on admission denials to catch attempted policy bypasses
Known gotchas
- Image signature verification adds latency to pod admission; if the signature registry or transparency log is unreachable, admission may fail or fall back depending on policy settings
- The mutateDigest option changes the running pod spec from a tag to a digest reference, which can surprise operators who inspect running pods and see an unexpected image reference
- Wildcard image patterns must be carefully scoped to avoid accidentally requiring signatures for internal base images that are not signed
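The manifest below is an added example, not code from the page or from the Kyverno project, that puts the six steps and the three gotchas above into one ClusterPolicy plus a test pod. The registry path ghcr.io/example-org/*, the keyless subject and issuer, the skipped legacy-base path, the commented public key and the unsigned-test image are all placeholders to replace with your own values; the field names (verifyImages, imageReferences, skipImageReferences, mutateDigest, attestors, keyless, rekor, webhookTimeoutSeconds, validationFailureAction) are Kyverno's own.

```yaml
# Added example (not from the page or the Kyverno project). Placeholders:
# ghcr.io/example-org/*, the keyless subject/issuer, the skipped path, the key.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-org-image-signatures
spec:
  # Step 4: start in Audit, review the reports, then change this to Enforce.
  validationFailureAction: Audit
  background: false
  # Gotcha 1: each verification calls the registry and Fulcio/Rekor. Raise the
  # webhook timeout from the 10 s default so slow lookups are not spurious denials.
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-signed-org-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Gotcha 3: scope the glob to the path where images are actually signed;
        # a bare "*" would demand a signature for every image in the cluster.
        - imageReferences:
            - "ghcr.io/example-org/*"
          # Explicit exceptions under that path that are known to be unsigned (placeholder).
          skipImageReferences:
            - "ghcr.io/example-org/legacy-base/*"
          required: true
          # Step 3 / gotcha 2: after verification the tag reference in the admitted
          # pod spec is rewritten to tag@sha256:<digest>, pinning exactly what was verified.
          mutateDigest: true
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                # Step 2 (keyless): trust the Fulcio-issued certificate for this CI
                # identity and require a matching Rekor transparency-log entry.
                - keyless:
                    subject: "https://github.com/example-org/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
                # Step 2 (key-based alternative): a static cosign public key instead.
                # - keys:
                #     publicKeys: |-
                #       -----BEGIN PUBLIC KEY-----
                #       <placeholder: contents of cosign.pub>
                #       -----END PUBLIC KEY-----
---
# Step 5: a constructed test pod referencing an image under the protected path
# that carries no matching signature. Expect a report entry while in Audit and a
# denial once the policy is switched to Enforce.
apiVersion: v1
kind: Pod
metadata:
  name: unsigned-image-test
  namespace: default
spec:
  containers:
    - name: app
      image: ghcr.io/example-org/unsigned-test:latest   # constructed placeholder
```

Apply both documents with kubectl apply -f. While the policy is in Audit mode, the test pod is admitted and the failed verification shows up as a PolicyViolation event on the pod and as a fail entry in the PolicyReport for its namespace; once you change validationFailureAction to Enforce the same pod is rejected at admission. For step 6, alert on those events and report entries (or on Kyverno's Prometheus metrics) rather than on pod creation failures alone, so that denials are visible even when the requester retries silently. Because mutateDigest is on, `kubectl get pod -o jsonpath='{.spec.containers[*].image}'` on an admitted pod shows the digest-pinned reference described in gotcha 2; that is expected, not a sign of tampering.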