<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Policy Controller on</title><link>https://deploy-preview-431--docssigstore.netlify.app/policy-controller/</link><description>Recent content in Policy Controller on</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Tue, 06 Oct 2020 08:49:15 +0000</lastBuildDate><atom:link href="https://deploy-preview-431--docssigstore.netlify.app/policy-controller/index.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Policy Controller</title><link>https://deploy-preview-431--docssigstore.netlify.app/policy-controller/overview/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-431--docssigstore.netlify.app/policy-controller/overview/</guid><description>Admission Controller # The policy-controller admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign.
policy-controller also resolves the image tags to ensure the image being run is not different from when it was admitted.
See the installation instructions for more information.
This component is still actively under development!
Today, policy-controller can automatically validate signatures and attestations on container images as well as apply policies (using cue or rego) against attestations.</description></item><item><title>Installation</title><link>https://deploy-preview-431--docssigstore.netlify.app/policy-controller/installation/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-431--docssigstore.netlify.app/policy-controller/installation/</guid><description>The policy-controller is a Kubernetes admission controller that enforces image signing policies at deploy time. Install it on your cluster via a Helm chart.
Prerequisites # Kubernetes cluster — policy-controller &amp;gt; 0.10.x supports Kubernetes 1.27, 1.28, and 1.29; starting with v0.12.0, supported versions are Kubernetes 1.29, 1.30, 1.31, and 1.32. See the policy-controller support matrix. Helm 3.x kubectl configured to access your cluster Install with Helm # Add the Sigstore Helm repository and install the chart into the cosign-system namespace:</description></item><item><title>Sample Policies</title><link>https://deploy-preview-431--docssigstore.netlify.app/policy-controller/sample-policies/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://deploy-preview-431--docssigstore.netlify.app/policy-controller/sample-policies/</guid><description>Sample policies for use with policy-controller live in the examples directory of the project.
Images have a signed SPDX SBOM attestation from a custom key # This sample policy asserts that all images must have a signed SPDX SBOM (spdxjson) attestation using a custom key.
apiVersion: policy.sigstore.dev/v1alpha1 kind: ClusterImagePolicy metadata: name: custom-key-attestation-sbom-spdxjson spec: images: - glob: &amp;quot;**&amp;quot; authorities: - name: custom-key key: data: | -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOc6HkISHzVdUbtUsdjYtPuyPYBeg 4FCemyVurIM4KEORQk4OAu8ZNwxvGSoY3eAabYaFIPPQ8ROAjrbdPwNdJw== -----END PUBLIC KEY----- attestations: - name: must-have-spdxjson predicateType: https://spdx.</description></item></channel></rss>