Logs messages and reasons

Log messages follow a JSON format. Each log can contain the following keys:

Key Description
level Log level
ts Timestamp
logger Name of the logger component which provided the log message
msg Log message
object Relevant object that triggered the log message
error A message for the error.
Only present with “error” log level
stacktrace A stacktrace for where the error occured.
Only present with error level

The possible log messages the webhook emits and their explanations are summarized in the following table:


Log Message Explanation
clusterimagepolicies.signing.apps.tanzu.vmware.com “image-policy” not found. Image policy enforcement was not applied. The Image Policy was not created in the cluster and the webhook did not check any container images for signatures.
<Namespace> is excluded. The ImagePolicy will not be applied.

  • An image policy is present in the cluster.
  • The namespace is present in the verification.exclude.resources.namespaces property of the policy.
  • Any container images trying to get created in this namespace will not be checked for signatures.


Could not verify against any image policies for container image: <ContainerImage>.

  • An image policy is present in the cluster.
  • The AllowUnMatchedImages flag is set to false or is absent.
  • The namespace is not excluded.
  • Image of the container being installed does not match any pattern present in the policy and was rejected by the webhook.


<ContainerImage> did not match any image policies. Container will be created as AllowUnmatchedImages flag is true.

  • An image policy is present in the cluster.
  • The AllowUnMatchedImages flag is set to true.
  • The namespace you are installing your resource in is not excluded.
  • Image of the container being installed does not match any pattern present in the policy and was allowed to be created.


failed to find signature for image.

  • An image policy is present in the cluster.
  • The namespace you are installing your resource in is not excluded.
  • Image of the container being installed matches a pattern in the policy.
  • The webhook was not able to verify the signature.


The image: <ContainerImage> is not signed.

  • An image policy is present in the cluster.
  • The namespace you are installing your resource in is not excluded.
  • Image of the container being installed matches a pattern in the policy.
  • The image is not signed.


failed to decode resource

  • The resource type is not supported.
  • Currently supported v1 versions of:

    • Pod
    • Deployment
    • StatefulSet
    • DaemonSet
    • ReplicaSet
    • Job
    • CronJob (and v1beta1)


failed to verify

  • An image policy is present in the cluster.
  • The namespace you are installing your resource in is not excluded.
  • Image of the container being installed matches a pattern.
  • The webhook can not verify the signature.


matching pattern: <Pattern> against image <ContainerImage>
matching registry patterns: [{<Image NamePattern, Keys, SecretRef>}]

  • Provide the pattern that matches the container image.
  • Provide the corresponding Image configuration from the ClusterImagePolicy that matches the container image.


service account not found

  • The fallback service account, “image-policy-registry-credentials”, was not found in the namespace of which the webhook is installed.
  • The fallback service account is deprecated and was originally purposed to storing imagePullSecrets for container images and their co-located cosign signatures.


unmatched image policy: <ContainerImage> Container image does not match any policy image patterns.

check-circle-line exclamation-circle-line close-line
Scroll to top icon