RESEARCH SPIKE: Cosign Image Validation
Kyverno's ClusterPolicy resources can carry image verification rules that check, using tools like Cosign, that images claiming to come from registry1 actually do come from registry1. Since IronBank is now using Cosign signatures in registry1, test using a Kyverno policy to perform verification of these signatures on all images coming from registry1.
The public key for the registry1 signatures can be obtained from the following certificate using a single openssl command: openssl x509 -pubkey -noout -in cosign-certificate.pem
In this issue, note any special configs required, any issues encountered, and any workarounds found. Also find out if/where image violations are logged (could be within kyverno-reporter).
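
A starting point for the policy to test, added here as an example and not an existing policy from this project. The policy name, the registry1.dso.mil/* image pattern and the Audit setting are assumptions, and the key block is a placeholder for the output of the openssl command above.

```yaml
# Example ClusterPolicy using Kyverno's verifyImages rule type.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-registry1-signatures        # hypothetical name
spec:
  # Audit admits the workload and records the failure instead of blocking it,
  # which suits a spike; switch to Enforce once verification is proven to work.
  validationFailureAction: Audit
  # Signature checks need a registry round trip, so allow more than the
  # default webhook timeout.
  webhookTimeoutSeconds: 30
  # Image verification happens at admission time, not in background scans.
  background: false
  rules:
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Assumed image pattern for registry1; adjust to the registry host
        # actually used in the cluster.
        - imageReferences:
            - "registry1.dso.mil/*"
          attestors:
            - count: 1
              entries:
                - keys:
                    # Paste the PEM public key printed by:
                    #   openssl x509 -pubkey -noout -in cosign-certificate.pem
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <PLACEHOLDER: registry1 Cosign public key>
                      -----END PUBLIC KEY-----
```

Images from other registries do not match imageReferences and pass through this rule unverified, so a mirrored or re-tagged copy of a registry1 image is outside what this policy checks.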