Supply Chain Security Tools - Policy Controller is a security tool that helps operators ensure that the container images in their registry have not been tampered with. Policy Controller is a Kubernetes Admission Controller that allows operators to apply policies to verify signatures on container images before being admitted to a cluster.
The Policy Controller:
namespaces to enforce policies againstcosign signatures and keyless signingIt enforces its policies against all resources that create Pods as part of their life cycle:
PodReplicaSetDeploymentJobStatefulSetDaemonSetCronJobNoteThis component is the successor to
Supply Chain Security Tools - Sign, which is deprecated. Support and maintenance forSupply Chain Security Tools - Signcontinues. Monitor Release Notes for updates.
Supply Chain Security Tools - Policy Controller is based on Sigstore’s Policy Controller and is compatible only with cosign signatures. See Cosign and Policy Controller in GitHub. For information about image signing and verification, see Sigstore open source community and the cosign project in GitHub.
The Policy Controller component is a policy enforcement tool only. It does not sign images. Operators can configure image signing for their containers in several ways, including:
Image signatures generated by cosign are stored in the same registry location as the image itself unless configured with the COSIGN_REPOSITORY environment variable. Policy Controller uses registry credentials provided in the admission request, Service Account, or signaturePullSecrets defined in the policy to connect to the registry to verify a signature.
ImportantThis component does not work with insecure registries.
To Install Supply Chain Security Tools - Policy Controller, see Install Supply Chain Security Tools - Policy Controller
