Author: Youngju Kim (@fjvbn20031)
1. verifyImages rule overview
Kyverno's verifyImages rule verifies container image signatures and attestations at admission time to strengthen software supply chain security. The policy below requires every Pod image under ghcr.io/myorg/ to carry a cosign signature that verifies against the given public key; with validationFailureAction: Enforce, unsigned or wrongly signed images are rejected (Audit only records a PolicyReport entry, which is useful while rolling the policy out).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce
  rules:
  - name: verify-signature
    match:
      any:
      - resources:
          kinds:
          - Pod
    verifyImages:
    - imageReferences:
      - "ghcr.io/myorg/*"
      attestors:
      - entries:
        - keys:
            publicKeys: |-
              -----BEGIN PUBLIC KEY-----
              ...
              -----END PUBLIC KEY-----
2. Cosign signature verification
2.1 Keyless signatures (Fulcio)
Keyless signing binds the signature to a short-lived certificate issued by Fulcio whose SAN (subject) and OIDC issuer identify the signer, so the policy pins an identity rather than a key. Both subject and issuer must be set; rekor.url names the transparency log in which Kyverno checks for the signature's entry. Kyverno's keyless attestor has no Fulcio url field: the public Sigstore roots are trusted by default, and a private Fulcio CA is supplied as PEM through the keyless roots field. The subject below matches any workflow in any repository of myorg; a production policy should pin the exact workflow and ref (for example https://github.com/myorg/app/.github/workflows/release.yaml@refs/heads/main), since any repository in the organization could otherwise sign images for this registry path.
verifyImages:
- imageReferences:
  - "ghcr.io/myorg/*"
  attestors:
  - entries:
    - keyless:
        subject: "https://github.com/myorg/*"
        issuer: "https://token.actions.githubusercontent.com"
        rekor:
          url: https://rekor.sigstore.dev
2.2 KMS keys
The verification key can live in a cloud KMS and be referenced by a cosign KMS URI instead of an inline PEM. Kyverno fetches the public key from the KMS when it verifies, so the Kyverno controller's cloud identity needs read access to the key (for AWS KMS, kms:GetPublicKey). The same cosign URI schemes as for signing are accepted (awskms://, gcpkms://, azurekms://, hashivault://).
verifyImages:
- imageReferences:
  - "ghcr.io/myorg/*"
  attestors:
  - entries:
    - keys:
        kms: awskms:///arn:aws:kms:us-east-1:123456789:key/abc-123
3. Attestation verification
3.1 SLSA Provenance
Attestations are in-toto statements attached to the image with cosign attest. type is the in-toto predicateType that must be present, attestors say who must have signed that attestation, and conditions are JMESPath expressions evaluated against the attestation's predicate (not the whole statement), so SLSA v1 fields are addressed as buildDefinition.* and runDetails.*. The rule below requires a SLSA v1 provenance signed keylessly by a myorg GitHub Actions workflow whose build type is the GitHub Actions workflow build type. A stricter rule would also pin runDetails.builder.id and the source repository under buildDefinition.externalParameters, so that provenance from an unexpected builder or repository is rejected.
verifyImages:
- imageReferences:
  - "ghcr.io/myorg/*"
  attestations:
  - type: https://slsa.dev/provenance/v1
    attestors:
    - entries:
      - keyless:
          subject: "https://github.com/myorg/*"
          issuer: "https://token.actions.githubusercontent.com"
          rekor:
            url: https://rekor.sigstore.dev
    conditions:
    - all:
      - key: "{{ buildDefinition.buildType }}"
        operator: Equals
        value: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1"
4. SBOM verification
An SBOM attached as an attestation (cosign attest --type cyclonedx) is queried the same way. The JMESPath below selects the version of the log4j-core component and [0] takes the first match; if the component is absent the key resolves to null, which still satisfies NotEquals, so this rule rejects only images whose SBOM declares exactly 2.14.1. To reject a list of versions use one of Kyverno's set operators (AnyIn, AllIn, AnyNotIn, AllNotIn), which take a list in value. type must equal the predicateType the attestation actually carries (inspect it with cosign download attestation); on a mismatch Kyverno finds no matching attestation and, with required left at its default, rejects the image.
verifyImages:
- imageReferences:
  - "ghcr.io/myorg/*"
  attestations:
  - type: https://cyclonedx.org/bom/v1.4
    attestors:
    - entries:
      - keyless:
          subject: "https://github.com/myorg/*"
          issuer: "https://token.actions.githubusercontent.com"
          rekor:
            url: https://rekor.sigstore.dev
    conditions:
    - all:
      - key: "{{ components[?name=='log4j-core'].version | [0] }}"
        operator: NotEquals
        value: "2.14.1"
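To make the predicateType matching and condition evaluation of sections 3 and 4 concrete, here is an added Python example (written for this page, not Kyverno's code) that emulates the step Kyverno performs after the DSSE signature has been verified: decode the in-toto statements attached to an image, pick the one whose predicateType equals the rule's type, and evaluate the rule's conditions against its predicate. The envelopes are constructed inline, signature verification is skipped, and the JMESPath support is a deliberately small subset (dotted paths, one components[?name=='x'].field filter form, and | [0]) covering exactly the two keys used above.

```python
"""Emulation of Kyverno's attestation type matching and condition evaluation.

Added example, not Kyverno code. Assumptions: DSSE signature verification has
already happened (omitted here), and only the JMESPath subset needed for the
two rule keys on this page is implemented.
"""
import base64
import json
import re

IN_TOTO_PAYLOAD = "application/vnd.in-toto+json"
# matches one filter segment such as components[?name=='log4j-core']
FILTER = re.compile(r"^(\w+)\[\?(\w+)=='([^']*)'\]$")


def dsse_envelope(statement: dict) -> dict:
    """Wrap an in-toto statement the way cosign attest does (signature omitted)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": IN_TOTO_PAYLOAD, "payload": payload, "signatures": []}


def statement(predicate_type: str, predicate: dict) -> dict:
    """Constructed in-toto statement for a hypothetical image ghcr.io/myorg/app."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "ghcr.io/myorg/app", "digest": {"sha256": "0" * 64}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def predicate_for(envelopes: list, predicate_type: str):
    """Return the predicate of the first attestation whose predicateType matches, else None."""
    for env in envelopes:
        if env.get("payloadType") != IN_TOTO_PAYLOAD:
            continue
        stmt = json.loads(base64.b64decode(env["payload"]))
        if stmt.get("predicateType") == predicate_type:
            return stmt.get("predicate")
    return None


def _resolve(value, stage: str):
    """Walk a dotted path; a list value projects the field over its elements."""
    for seg in stage.split("."):
        m = FILTER.match(seg)
        if m:
            field, fkey, fval = m.groups()
            items = value.get(field, []) if isinstance(value, dict) else []
            value = [i for i in items if isinstance(i, dict) and i.get(fkey) == fval]
        elif isinstance(value, list):
            value = [i.get(seg) for i in value if isinstance(i, dict)]
        elif isinstance(value, dict):
            value = value.get(seg)
        else:
            return None
    return value


def evaluate_key(predicate: dict, key: str):
    """Evaluate a '{{ ... }}' rule key against the predicate (JMESPath subset)."""
    expr = key.strip()
    if expr.startswith("{{") and expr.endswith("}}"):
        expr = expr[2:-2].strip()
    value = predicate
    for stage in (s.strip() for s in expr.split("|")):
        if stage == "[0]":  # first element, or null when the list is empty
            value = value[0] if isinstance(value, list) and value else None
        else:
            value = _resolve(value, stage)
    return value


def check(actual, operator: str, expected) -> bool:
    """Equals / NotEquals only; Kyverno also has set and numeric operators."""
    if operator == "Equals":
        return actual == expected
    if operator == "NotEquals":
        return actual != expected
    raise ValueError(f"operator {operator} not supported in this example")


def verify_attestation(envelopes: list, rule: dict):
    """rule is one verifyImages[].attestations entry. Returns (ok, reason)."""
    predicate = predicate_for(envelopes, rule["type"])
    if predicate is None:
        return False, f"no attestation with predicateType {rule['type']}"
    for block in rule.get("conditions", []):
        results = [
            check(evaluate_key(predicate, c["key"]), c["operator"], c["value"])
            for c in block.get("all", block.get("any", []))
        ]
        ok = all(results) if "all" in block else any(results)
        if not ok:
            return False, f"conditions {block} failed"
    return True, "ok"


# Rules exactly as on this page, and constructed attestation sets to run them against.
SLSA_TYPE = "https://slsa.dev/provenance/v1"
SBOM_TYPE = "https://cyclonedx.org/bom/v1.4"
GH_BUILD_TYPE = "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1"
SLSA_RULE = {"type": SLSA_TYPE, "conditions": [{"all": [
    {"key": "{{ buildDefinition.buildType }}", "operator": "Equals", "value": GH_BUILD_TYPE}]}]}
SBOM_RULE = {"type": SBOM_TYPE, "conditions": [{"all": [
    {"key": "{{ components[?name=='log4j-core'].version | [0] }}",
     "operator": "NotEquals", "value": "2.14.1"}]}]}

GOOD_IMAGE = [
    dsse_envelope(statement(SLSA_TYPE, {"buildDefinition": {"buildType": GH_BUILD_TYPE}})),
    dsse_envelope(statement(SBOM_TYPE, {"components": [{"name": "log4j-core", "version": "2.17.1"}]})),
]
BAD_SBOM = [dsse_envelope(statement(SBOM_TYPE, {"components": [
    {"name": "log4j-api", "version": "2.14.1"}, {"name": "log4j-core", "version": "2.14.1"}]}))]
NO_LOG4J = [dsse_envelope(statement(SBOM_TYPE, {"components": [{"name": "spring-core", "version": "6.1.0"}]}))]
WRONG_TYPE = [dsse_envelope(statement("https://slsa.dev/provenance/v0.2", {"builder": {"id": "x"}}))]

if __name__ == "__main__":
    for name, envs, rule in [("good/slsa", GOOD_IMAGE, SLSA_RULE), ("good/sbom", GOOD_IMAGE, SBOM_RULE),
                             ("bad sbom", BAD_SBOM, SBOM_RULE), ("no log4j", NO_LOG4J, SBOM_RULE),
                             ("wrong type", WRONG_TYPE, SLSA_RULE)]:
        print(name, verify_attestation(envs, rule))
```

Running it shows the two behaviours worth remembering from the page: an SBOM that does not list log4j-core at all passes the NotEquals rule (the key is null), and an attestation with a different predicateType (here SLSA v0.2 against a v1 rule) is simply not found, which is a rejection rather than a skip.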
5. Image mutation
Tags are mutable: ghcr.io/myorg/app:1.2.3 can point at different content tomorrow, while the signature Kyverno verified is bound to a digest. With mutateDigest: true Kyverno rewrites the image reference in the admitted resource to the tag@sha256:... form it actually verified, so what runs is what was checked. verifyDigest: true rejects image references that carry no digest, and required: true rejects images that match imageReferences but have no verifiable signature or attestation at all (a false value would let such images through, which defeats the policy).
verifyImages:
- imageReferences:
  - "ghcr.io/myorg/*"
  mutateDigest: true   # rewrite the tag to the verified digest
  required: true
  verifyDigest: true
6. Summary
- cosign verification: static public keys, keyless (Fulcio identity plus Rekor), and KMS-held keys
- Attestation verification: in-toto attestations such as SLSA provenance, gated by JMESPath conditions on the predicate
- SBOM verification: checking for vulnerable components inside CycloneDX/SPDX attestations
- Digest mutation: mutateDigest pins the admitted image reference to the verified digest, making it immutable
- Combined policy: registry allow-list + tag policy + signature verification together in one ClusterPolicy