{"id":"13dacef4-137f-4054-bae0-668b4337b3c8","task":"Configure admission-controller image-signature verification using Kyverno or an equivalent controller","domain":"kyverno.io","steps":["Define a Kyverno ClusterPolicy with a verifyImages rule specifying the expected image reference pattern and attestor configuration","Configure the attestor block with the appropriate keyless or key-based trust anchor (Fulcio/Rekor for keyless, or a static public key)","Set the mutateDigest option to ensure admitted images are pinned to a verified digest in the pod spec","Deploy the policy in audit mode and review violations before switching to enforce","Test by attempting to deploy an unsigned or differently-signed image and confirm it is blocked","Set up alerting on admission denials to catch attempted policy bypasses"],"gotchas":["Image signature verification adds latency to pod admission; if the signature registry or transparency log is unreachable, admission may fail or fall back depending on policy settings","The mutateDigest option changes the running pod spec from a tag to a digest reference, which can surprise operators who inspect running pods and see an unexpected image reference","Wildcard image patterns must be carefully scoped to avoid accidentally requiring signatures for internal base images that are not signed"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/13dacef4-137f-4054-bae0-668b4337b3c8"}