The policy-controller project contains an admission controller for Kubernetes, which can be installed on your Kubernetes cluster in the form of a Helm chart. If you run a private instance of the Sigstore components, you can specify your own TUF root by mounting your TUF root.json file into the container (for example by mounting a Secret) and then pointing to it with the --tuf-root argument, as well as using the --tuf-mirror argument to point to where the TUF mirror is. | Sigstore
Sample policies for use with policy-controller live in the examples directory of the project.

Images have a signed SPDX SBOM attestation from a custom key

# This sample policy asserts that all images must have a signed SPDX SBOM (spdxjson) attestation using a custom key.
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: custom-key-attestation-sbom-spdxjson
spec:
  images:
  - glob: "**"
  authorities:
  - name: custom-key
    key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwY...
Admission Controller

The policy-controller admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign. policy-controller also resolves image tags to digests, to ensure the image being run is not different from the one that was admitted. See the installation instructions for more information. This component is still actively under development! Today, policy-controller can automatically validate signatures and attestations on container ...