Overview of Supply Chain Security Tools for VMware Tanzu - Policy Controller

Supply Chain Security Tools (SCST) - Policy Controller is a security tool that helps you ensure that the container images in their registry have not been tampered with.

Important

SCST - Policy Controller is deprecated. VMware plans to remove it in a future Tanzu Application Platform version.

Policy Controller is a Kubernetes Admission Controller that allows you to apply policies to verify signatures on container images before being admitted to a cluster.

The Policy Controller:

  • Verifies signatures on container images used by Kubernetes resources
  • Enforces policies to allow or deny images being admitted in a cluster
  • Allows operators to define multiple policies in the cluster
  • Allows operators to select which namespaces to enforce policies against
  • Supports cosign signatures and keyless signing
  • Supports storing public keys in a KMS

It enforces its policies against all resources that create Pods as part of their life cycle:

  • Pod
  • ReplicaSet
  • Deployment
  • Job
  • StatefulSet
  • DaemonSet
  • CronJob
Note

This component is the successor to SCST - Sign, which is deprecated. Support and maintenance for SCST - Sign continues.

SCST - Policy Controller is based on Sigstore’s Policy Controller and is compatible only with cosign signatures. For more information, see Cosign and Policy Controller in GitHub. For information about image signing and verification, see the Sigstore open-source community and the cosign project in GitHub.

The Policy Controller component is a policy enforcement tool only. It does not sign images. Operators can configure image-signing for their containers in several ways, including:

Image signatures generated by cosign are stored in the same registry location as the image itself unless configured with the COSIGN_REPOSITORY environment variable. Policy Controller uses registry credentials provided in the admission request, Service Account, or signaturePullSecrets defined in the policy to connect to the registry to verify a signature.

Important

This component does not work with non-secure registries.

To install SCST - Policy Controller, see Install SCST - Policy Controller.

check-circle-line exclamation-circle-line close-line
Scroll to top icon