Supply Chain Security Tools - Sign provides an admission WebHook that intercepts all resources that create Pods as part of their lifecycle.
This component uses cosign as its backend for signature verification and is compatible only with cosign signatures. When cosign signs an image, it generates a signature in an OCI-compliant format and pushes it to the same registry where the image is stored. The signature is identified by a tag in the format `sha256-<image-digest>.sig`, where `<image-digest>` is the digest of the image that the signature belongs to. The WebHook needs credentials to access this artifact when it is hosted in a registry protected by authentication.
By default, once installed, this component does not include any policy resources and does not enforce any policy. The operator must create a ClusterImagePolicy resource in the cluster before the WebHook can perform any verifications. This ClusterImagePolicy resource contains all image patterns the operator wants to verify, and their corresponding cosign public keys.
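The two mechanisms described above, the digest-derived signature tag that cosign pushes next to the image and the policy's mapping of image patterns to cosign public keys, can be shown end to end in Go, the language cosign and the WebHook are written in. The following is an added example, not code from Supply Chain Security Tools - Sign or from cosign: it emulates `cosign sign --key` with an ECDSA P-256 key over cosign's simple-signing payload, then makes the admission decision for several image references against an in-memory rule set and a map standing in for the registry. The keys, digests, repository names and the `ImageRule` and `SigArtifact` types are constructed for the example; the real ClusterImagePolicy schema and the WebHook's internals are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"path"
	"strings"
)

// ImageRule is this example's stand-in for one ClusterImagePolicy entry: a glob over
// the image repository and the cosign public keys allowed to sign matching images.
type ImageRule struct {
	NamePattern string // e.g. "registry.example.org/team/*" (field names are the example's own)
	Keys        []*ecdsa.PublicKey
}

// SigArtifact is what cosign pushes under the signature tag: the signed payload
// and a base64, DER-encoded ECDSA signature over its SHA-256.
type SigArtifact struct {
	Payload   []byte
	Signature string
}

// sigTag derives the signature tag from a digest: "sha256:<hex>" -> "sha256-<hex>.sig".
func sigTag(digest string) string { return strings.Replace(digest, ":", "-", 1) + ".sig" }

// payload is cosign's "simple signing" document; signing it binds the signature to one
// repository and manifest digest (%q quoting is enough for the plain ASCII names used here).
func payload(repo, digest string) []byte {
	return []byte(fmt.Sprintf(`{"critical":{"identity":{"docker-reference":%q},"image":{"docker-manifest-digest":%q},"type":"cosign container image signature"},"optional":null}`, repo, digest))
}

// sign emulates `cosign sign --key`: ECDSA P-256 over SHA-256(payload).
func sign(priv *ecdsa.PrivateKey, repo, digest string) SigArtifact {
	p := payload(repo, digest)
	h := sha256.Sum256(p)
	der, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err) // only a failing random source gets here
	}
	return SigArtifact{Payload: p, Signature: base64.StdEncoding.EncodeToString(der)}
}

// Admit is the admission decision for one image reference, given the policy rules and a
// registry (here a map keyed "<repo>:<signature tag>"); a nil error means allow.
func Admit(rules []ImageRule, reg map[string]SigArtifact, ref string) error {
	i := strings.Index(ref, "@sha256:")
	if i < 0 { // a tag alone yields no digest, hence no signature tag to look up in this example
		return fmt.Errorf("image %q is not pinned by digest", ref)
	}
	repo, digest := ref[:i], ref[i+1:]
	var rule *ImageRule // 1. first policy pattern matching the repository
	for j := range rules {
		if ok, _ := path.Match(rules[j].NamePattern, repo); ok {
			rule = &rules[j]
			break
		}
	}
	if rule == nil { // this example denies images that no pattern covers
		return fmt.Errorf("no policy pattern matches %q", repo)
	}
	art, ok := reg[repo+":"+sigTag(digest)] // 2. signature stored next to the image
	if !ok {
		return fmt.Errorf("no signature at %s:%s", repo, sigTag(digest))
	}
	if string(art.Payload) != string(payload(repo, digest)) { // 3. payload must name this exact image
		return fmt.Errorf("signature payload does not cover %s", ref)
	}
	der, _ := base64.StdEncoding.DecodeString(art.Signature) // undecodable bytes simply fail to verify
	h := sha256.Sum256(art.Payload)
	for _, pub := range rule.Keys { // 4. any key listed for the pattern may vouch for the image
		if ecdsa.VerifyASN1(pub, h[:], der) {
			return nil
		}
	}
	return fmt.Errorf("no key in the matching rule verifies the signature on %s", ref)
}

// Scenario builds constructed keys, one policy rule and a fake registry, then runs five
// admission cases; the returned map holds each case's error (nil = allowed).
func Scenario() map[string]error {
	teamKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	strayKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // never added to the policy
	rules := []ImageRule{{NamePattern: "registry.example.org/team/*", Keys: []*ecdsa.PublicKey{&teamKey.PublicKey}}}
	repo := "registry.example.org/team/app"
	good, stray := "sha256:"+strings.Repeat("a", 64), "sha256:"+strings.Repeat("b", 64) // constructed digests
	reg := map[string]SigArtifact{
		repo + ":" + sigTag(good):  sign(teamKey, repo, good),
		repo + ":" + sigTag(stray): sign(strayKey, repo, stray),
	}
	return map[string]error{
		"signed-by-trusted-key": Admit(rules, reg, repo+"@"+good),
		"signed-by-unknown-key": Admit(rules, reg, repo+"@"+stray),
		"no-signature":          Admit(rules, reg, repo+"@sha256:"+strings.Repeat("c", 64)),
		"tag-not-digest":        Admit(rules, reg, repo+":latest"),
		"outside-policy":        Admit(rules, reg, "docker.io/library/nginx@"+good),
	}
}
```

Only the image signed by the key listed for its pattern is allowed. The payload comparison in step 3 is the check that matters most for a defender: a signature is valid only for the repository and digest it was produced for, so a genuine signature on one image cannot be replayed against another. Tag-only references are denied in this example because it has no registry to resolve a tag to a digest; a deployment that pins images by digest avoids the question entirely.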
Typically, the WebHook gets credentials from running resources and their service accounts to authenticate against private registries at admission time. There are other mechanisms that the WebHook uses for finding credentials. For more information about providing credentials, see Providing Credentials for the WebHook.