📖 Use kyverno to gate upgrades in Kubernetes #564
Labels: documentation, good first issue, lane/coco, lane/press, spike
Is your feature request related to a problem? Please describe.
When upgrading Kairos nodes through Kubernetes, we pull the image with Kubernetes but we don't verify it directly with cosign, since this process is not managed internally: gating unsigned images is delegated to other software acting as a validator, such as Kyverno.
Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. It can be used to verify if deployments, jobs, or pods respect a user-defined policy.
Describe the solution you'd like
A documentation page in the Kairos docs describing how to use Kyverno to gate Kubernetes upgrades with signed-only images. Our CI already signs images with cosign, and Kyverno supports verifying images: https://kyverno.io/docs/writing-policies/verify-images/. We should be able to provide a simple example policy to get users started with.
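A starting point for such a policy, written here as an added example and not taken from the Kairos docs or the Kyverno project: a Kyverno ClusterPolicy that rejects any Pod pulling a Kairos image without a valid cosign signature. It assumes the upgrade images live under `quay.io/kairos/` and that the CI signs with a key pair whose public key is pasted in place of the placeholder; a keyless (OIDC) attestor would replace the `keys` entry.

```yaml
# Added example (not from the Kairos docs or the Kyverno project).
# Assumptions, to be adjusted for the cluster at hand:
#   - Kairos upgrade images live under the quay.io/kairos/ repository path
#   - the CI signs them with a cosign key pair; its public key goes below
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: kairos-upgrade-images-must-be-signed
spec:
  # Enforce: deny the admission request instead of only auditing it
  validationFailureAction: Enforce
  # Gate at admission time only; do not re-scan existing Pods in background
  background: false
  # Fail closed: if the Kyverno webhook is unreachable, the request is denied
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Kyverno auto-generates the equivalent rule for Pod controllers
      # (Job, Deployment, ...), so Jobs created by an upgrade Plan are
      # covered by matching Pod here.
      verifyImages:
        - imageReferences:
            - "quay.io/kairos/*"          # assumed image path pattern
          # Rewrite the tag to its digest so the image that was verified is
          # exactly the one the node runs (no tag re-pointing after checks)
          mutateDigest: true
          verifyDigest: true
          # An image matching the pattern with no signature at all is denied
          required: true
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <PASTE_THE_CI_COSIGN_PUBLIC_KEY_HERE>
                      -----END PUBLIC KEY-----
```

With this applied, a Pod referencing an unsigned image, or one signed with a different key, is rejected at admission and the denial is logged by the Kyverno admission controller, which is the event to alert on.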
Describe alternatives you've considered
Additional context