{"id":"9a8f9721-8c9c-4b3a-a2e6-117c685ac494","task":"Configure Kyverno verifyImages to enforce cosign keyless signature policy on Kubernetes pods","domain":"kyverno.io","steps":["Add the Kyverno chart repository and install Kyverno: `helm repo add kyverno https://kyverno.github.io/kyverno/ && helm install kyverno kyverno/kyverno -n kyverno --create-namespace`","Create a `ClusterPolicy` with a `spec.rules[].verifyImages` entry: list the images it covers under `imageReferences` (glob patterns such as `ghcr.io/myorg/*`), and under `attestors` set `count: 1` with an `entries[].keyless` block that pins the expected certificate identity through `subject` (or `subjectRegExp`) and `issuer` (or `issuerRegExp`) and sets `rekor.url` to `https://rekor.sigstore.dev`; the Fulcio root is taken from the public Sigstore TUF repository by default, so no Fulcio URL appears in the policy","Set `spec.validationFailureAction: Enforce` so unsigned or wrongly signed images are rejected at admission; roll the policy out with `Audit` first and read the resulting `PolicyReport` / `ClusterPolicyReport` objects to assess impact before switching","Deploy a pod that uses an image signed keyless with `cosign sign` by the expected identity and confirm it is admitted; then deploy an unsigned image, or one signed by a different identity, and confirm the admission request is denied and a `PolicyViolation` event is recorded","Review the Kyverno admission controller logs and alert on Kubernetes events with reason `PolicyViolation` (and on failed `PolicyReport` results while still in `Audit`) in your monitoring stack"],"gotchas":["Verification at admission time needs network egress from the Kyverno admission controller to the OCI registry (cosign stores the signature next to the image), to Rekor, and to the Sigstore TUF repository that serves the Fulcio root; if any of these is unreachable, verification fails and in `Enforce` mode every pod admission matched by the rule is denied","Kyverno's validating and mutating webhooks carry a `failurePolicy`; `Fail` is the safer choice because it keeps unsigned images out while Kyverno is down, but it also blocks every matched admission during an outage, so run multiple admission-controller replicas and keep the `kyverno` namespace itself excluded from the webhooks (the chart's default) so the controller can recover","Pin both `issuer` and `subject` (or their `RegExp` variants) in the `keyless` block; an entry that constrains only `issuer` accepts any certificate that OIDC provider has issued (for GitHub Actions, any workflow in any repository), which is far too broad, and a `subjectRegExp` should be anchored to one repository, workflow file and ref pattern"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/9a8f9721-8c9c-4b3a-a2e6-117c685ac494"}
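The policy the steps above describe, as an added example that is not part of the original record or of Kyverno's own documentation: a `ClusterPolicy` whose `verifyImages` rule requires one keyless signature from a pinned GitHub Actions identity, shown next to the overly broad issuer-only form the gotchas warn about. The organisation, repository, workflow path, tag pattern and image glob are placeholders to replace with your own.

```yaml
# Added example: Kyverno ClusterPolicy enforcing a keyless cosign signature.
# ghcr.io/myorg, myorg/myrepo and release.yml are assumed placeholder names.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-myorg-images-keyless
spec:
  # Switch to Audit first; PolicyReports then show what Enforce would reject.
  validationFailureAction: Enforce
  # Signature checks only make sense at admission time, not in background scans.
  background: false
  # Registry, Rekor and TUF round-trips take time; do not let the default timeout bite.
  webhookTimeoutSeconds: 30
  rules:
    - name: require-keyless-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/myorg/*"
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Correct form: issuer AND an anchored subject.
                    # Only the release workflow of one repository, run on a
                    # semantic-version tag, may sign images under ghcr.io/myorg/*.
                    issuer: https://token.actions.githubusercontent.com
                    subjectRegExp: '^https://github\.com/myorg/myrepo/\.github/workflows/release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'
                    rekor:
                      url: https://rekor.sigstore.dev
                # Weak form, kept here only for contrast. It pins the issuer but
                # no subject, so a signature from ANY GitHub Actions workflow in
                # ANY repository satisfies it. Do not ship this.
                # - keyless:
                #     issuer: https://token.actions.githubusercontent.com
                #     rekor:
                #       url: https://rekor.sigstore.dev
```

Apply it with `kubectl apply -f` and test with one image signed from the matching workflow (`cosign sign` with the GitHub OIDC token) and one that is unsigned or signed from a different repository; only the first should be admitted. The anchored regexp matters: an unanchored `.*myrepo.*` would also match a fork or a differently named repository whose path happens to contain the same substring.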