Advanced Track

Do this after finishing Chapters 01-14.

Estimated Time

  • Reading: 30-40 min
  • Lab: 60-90 min
  • Quiz: 15-20 min

Prerequisites

  • Core track (Chapters 01-14) completed.
  • GitOps promotion and observability workflows available.

Source Code References

  • verify-attestations.example.yaml
  • verify-images.example.yaml

What You Will Produce

A go/no-go evidence package: rollout results, remediation notes, and explicit rollback conditions.

Guardrails That Stop It

  • Verified Identity: Promotion moves the exact artifact digest that was tested, never an ad-hoc rebuild of the same tag.
  • SBOM Evidence: A signed, verifiable SBOM attestation is produced for every production release and travels with the image.
  • Pre-Admission Check: Signatures and attestations are verified at the cluster boundary (admission), before a Pod is scheduled.
  • Audit-to-Enforce: Verification policies are rolled out in phases (Audit -> Enforce) so false positives are found before anything is blocked.

Tooling Prerequisites

To implement this workflow, you need:

  • Kyverno: The policy engine installed and reconciled via Flux.
  • Cosign: For signing and verifying container images.
  • Attestation Templates: Pre-defined policies for provenance and SBOM checks.

Image verification policy

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-images-example
spec:
  # Start in Audit: failures are reported, not blocked. Switch to Enforce
  # only after the PolicyReports are clean (see the workflow below).
  validationFailureAction: Audit
  # Image verification is an admission-time check; no background scans.
  background: false
  rules:
    - name: verify-ghcr-signatures
      match:
        any:
          - resources:
              kinds:
                - Pod   # Kyverno auto-generates matching rules for Deployments, Jobs, etc.
      verifyImages:
        - imageReferences:
            - "${image_registry}/*"   # images outside this prefix are not checked at all
          # Rewrite tag references to the verified digest, so what was
          # admitted is exactly what runs.
          mutateDigest: true
          attestors:
            - entries:
                - keyless:
                    # Replace with your CI issuer and subject constraints.
                    # The wildcard trusts every repository and workflow under
                    # ${git_owner}; tighten it to the exact repo and workflow
                    # path before switching to Enforce.
                    issuer: "https://token.actions.githubusercontent.com"
                    subject: "https://github.com/${git_owner}/*"

Safe Workflow (Step-by-Step)

  1. Pick Artifact: Select the immutable artifact reference (the digest, not a tag) that passed Staging. The same digest is promoted; nothing is rebuilt.
  2. Generate SBOM: Create the SBOM in the CI pipeline and attach it to the image as a signed attestation (cosign attest), alongside the image signature (cosign sign).
  3. Local Verify: Check the signature with cosign verify and the SBOM attestation with cosign verify-attestation, using the same issuer and subject constraints the cluster policy will use, so a local pass predicts an admission pass.
  4. Apply Audit Policy: Deploy the Kyverno policies with validationFailureAction: Audit, scoped to the develop namespace first (a namespaces selector under match, or a namespaced Policy instead of a ClusterPolicy).
  5. Observe Reports: Watch the PolicyReport resources and Kyverno PolicyViolation events. In Audit mode nothing is blocked, so this is where unsigned images and overly narrow subject patterns surface.
  6. Enforce Policy: Switch validationFailureAction to Enforce once the audit reports are clean and stable. From then on, unverified images are denied at admission.

Binary Outcome Drill

Target behavior in Enforce mode:

  • Denied: Unsigned or untrusted artifacts are blocked at admission.
  • Admitted: Signed and attested artifacts matching the policy are allowed to run.
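
The six steps above, and the denied/admitted drill, as one runnable script. This is an added example, not the course's lab script or the policy files it references. It assumes cosign v2, syft and kubectl on PATH, keyless signing from GitHub Actions, and policy files named as on this page; GIT_OWNER and IMAGE_REGISTRY stand in for the page's ${git_owner} and ${image_registry} placeholders, and the all-zero digest used by the drill is a placeholder that no registry serves.

```shell
#!/bin/sh
# Added example for the Safe Workflow and Binary Outcome Drill sections.
# Not the course's own lab script. Assumes: cosign v2, syft, kubectl on PATH;
# keyless signing from GitHub Actions; policy files named as on the page.
set -eu

ISSUER="https://token.actions.githubusercontent.com"
GIT_OWNER="${GIT_OWNER:-example-org}"                    # assumed value
IMAGE_REGISTRY="${IMAGE_REGISTRY:-ghcr.io/${GIT_OWNER}}" # assumed value
IDENTITY_RE="^https://github.com/${GIT_OWNER}/"          # same identity set as the policy's subject glob
ZERO_DIGEST="sha256:0000000000000000000000000000000000000000000000000000000000000000" # placeholder

# Step 1: promote by digest only. Accepts <ref>@sha256:<64 hex>, rejects tags.
require_digest_ref() {
  case "$1" in
    *@sha256:*) ;;
    *) echo "refusing mutable reference (use a digest, not a tag): $1" >&2; return 1 ;;
  esac
  digest="${1##*@sha256:}"
  printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$' || {
    echo "malformed digest in $1" >&2; return 1; }
}

# Mirrors the policy's imageReferences glob "${image_registry}/*". An image
# outside that prefix is not covered by the rule at all (neither verified
# nor denied), a common source of false confidence during the Audit phase.
in_policy_scope() {
  case "$1" in
    "${IMAGE_REGISTRY}/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 2 (runs in CI under the OIDC identity the policy trusts): sign the
# image, then attach the SBOM as an in-toto attestation. --type spdxjson
# gives predicateType https://spdx.dev/Document, the type the policy checks.
sign_and_attest_sbom() {
  syft "$1" -o spdx-json > sbom.spdx.json   # assumed: syft generates the SBOM
  cosign sign --yes "$1"
  cosign attest --yes --type spdxjson --predicate sbom.spdx.json "$1"
}

# Step 3: verify locally with the same issuer/identity constraints as the
# cluster policy, so a local pass predicts an admission pass.
verify_locally() {
  cosign verify --certificate-oidc-issuer "$ISSUER" \
    --certificate-identity-regexp "$IDENTITY_RE" "$1" > /dev/null
  cosign verify-attestation --type spdxjson --certificate-oidc-issuer "$ISSUER" \
    --certificate-identity-regexp "$IDENTITY_RE" "$1" > /dev/null
}

# Steps 4-5: apply in Audit mode and read the results. Audit failures show
# up in PolicyReports and PolicyViolation events; nothing is blocked yet.
apply_audit_and_observe() {
  kubectl apply -f verify-images.example.yaml
  kubectl apply -f verify-attestations.example.yaml
  kubectl get policyreport -A
  kubectl get events -A --field-selector reason=PolicyViolation
}

# Step 6: write the Enforce revision of a policy file. Flux owns the live
# object, so commit this file to Git rather than patching the ClusterPolicy
# in place (Flux would revert a live patch on its next reconcile).
promote_to_enforce() {
  sed 's/^\([[:space:]]*validationFailureAction:\)[[:space:]]*Audit$/\1 Enforce/' "$1" > "$2"
  grep -q 'validationFailureAction: Enforce' "$2"
}

# Binary outcome drill: a server-side dry run passes through admission
# webhooks without creating anything, so Enforce can be checked safely.
# Only meaningful once the policy is in Enforce mode.
drill_enforce() {
  unsigned="${IMAGE_REGISTRY}/drill@${ZERO_DIGEST}"
  if kubectl run drill-unsigned --image="$unsigned" --dry-run=server >/dev/null 2>&1; then
    echo "FAIL: unsigned image was admitted" >&2; return 1
  fi
  echo "OK: unsigned image denied at admission"
}

case "${1:-}" in
  attest)  require_digest_ref "$2"; sign_and_attest_sbom "$2" ;;   # in CI
  verify)  require_digest_ref "$2"
           in_policy_scope "$2" || { echo "$2 is outside ${IMAGE_REGISTRY}/*" >&2; exit 1; }
           verify_locally "$2" ;;
  audit)   apply_audit_and_observe ;;
  enforce) promote_to_enforce "$2" "$3" ;;   # e.g. verify-images.example.yaml verify-images.enforce.yaml
  drill)   drill_enforce ;;
  *)       ;;   # no arguments: only define the functions (file can be sourced)
esac
```

Run `attest` from the CI job that holds the OIDC identity, `verify` on a workstation with the digest copied from Staging, `audit` against the develop namespace, `enforce` to produce the revision you commit for Flux, and `drill` after Flux has reconciled it. The cosign `--certificate-identity-regexp` and the policy's `subject` glob must describe the same set of identities; if the local check is looser than the policy, a local pass tells you nothing about admission.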

Attestation verification policy

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-sbom-attestation-example
spec:
  # Same Audit -> Enforce rollout as the signature policy.
  validationFailureAction: Audit
  background: false
  rules:
    - name: verify-spdx-attestation
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "${image_registry}/*"
          attestations:
            # in-toto predicateType written by `cosign attest --type spdxjson`.
            # An image with a valid signature but no SPDX attestation fails here.
            - type: "https://spdx.dev/Document"
              attestors:
                - entries:
                    - keyless:
                        # Must be the identity of the CI job that ran
                        # `cosign attest`, not merely of the one that signed.
                        issuer: "https://token.actions.githubusercontent.com"
                        subject: "https://github.com/${git_owner}/*"

This builds on: Core track complete. Supply chain adds pre-deployment trust verification.

This enables: Admission policies (Chapter 16). Verified images feed policy enforcement.