📖 Add documentation on how to gate upgrades with kyverno

[mudler]

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #564

[netlify]

✅ Deploy Preview for kairos-io ready!

Name	Link
🔨 Latest commit	70f7fbd
🔍 Latest deploy log	https://app.netlify.com/sites/kairos-io/deploys/6411882f70b4e30008966c35
😎 Deploy Preview	https://deploy-preview-1135--kairos-io.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[mudler]

cc @jimmykarily , might be helpful as a baseline for the #1114 story

[Itxaka]

We ened to rename this asap :D

[mudler]

yep indeed... we have #711 in the sprint :) , I would have waited for #711, but this list in the docs was not matching the truth since a long time already, so thought to updated it

[Itxaka]

this is kind of icky.

Hear me out, this is really good until cosign or the CI breaks and we need to sign the already published artifacts in a different way, maybe by a different workflows like we used to do in that other project. Then this doesnt match anymore so you either drop a release completely as it wont be signed, resign it and break this gating for users or run a new release and left the unsigned release there.

does this subject allows for regex? or for value.in so we can provide a list?

[mudler]

that's a valid and good point the subject is a regex already indeed: https://github.com/kairos-io/provider-kairos/.github/workflows/release.yaml@refs/tags/* I think it's fine as a baseline example and nothing more, for instance, a policy can be applied also per-releases prior applying a plan, and so on so forth, it's up to you to which kinda of policy you want to set - this one is very greedy and assumes all provider-kairos repository are from that CI pipeline.