[1.12] skipImageReferences in verify image policies (#1116)

* feat: document skipImageReferences in verify image polices Signed-off-by: Vishal Choudhary <[email protected]> * fix: make it h3 Signed-off-by: Vishal Choudhary <[email protected]> * fix: update policy Signed-off-by: Vishal Choudhary <[email protected]> * Update content/en/docs/Writing policies/verify-images/sigstore/_index.md Co-authored-by: Chip Zoller <[email protected]> Signed-off-by: Vishal Choudhary <[email protected]> --------- Signed-off-by: Vishal Choudhary <[email protected]> Co-authored-by: Chip Zoller <[email protected]>
kyverno · Jan 23, 2024 · 9862458 · 9862458
1 parent ea96728
commit 9862458
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/content/en/docs/Writing policies/verify-images/_index.md b/content/en/docs/Writing policies/verify-images/_index.md
@@ -17,6 +17,7 @@ The logical structure of an verifyImages rule is shown below:
 Each rule contains the following common configuration attributes:
   * `type`: the signature type. Sigstore Cosign and Notary are supported. 
   * `imageReferences`: a list of image reference patterns to match
+  * `skipImageReferences`: a list of image reference patterns that should be skipped.
   * `required`: enforces that all matching images are verified
   * `mutateDigest`: converts tags to digests for matching images
   * `verifyDigest`: enforces that digests are used for matching images

diff --git a/content/en/docs/Writing policies/verify-images/sigstore/_index.md b/content/en/docs/Writing policies/verify-images/sigstore/_index.md
@@ -87,6 +87,42 @@ check-image:
     invalid signature'
 ```
 
+### Skipping Image References
+
+`skipImageReferences` can be used to precisely filter image references that should be verified by a policy. A list of references can be specified in `skipImageReferences` and images that match those references will be excluded from image verification process. The following example will match all images from `ghcr.io` but will skip images from `ghcr.io/trusted`. 
+
+```yaml
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: exclude-refs
+spec:
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail  
+  rules:
+    - name: exclude-refs
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - imageReferences:
+        - "ghcr.io/*"
+        skipImageReferences:
+        - "ghcr.io/trusted/*"
+        attestors:
+        - count: 1
+          entries:
+          - keys:
+              publicKeys: |-
+                -----BEGIN PUBLIC KEY-----
+                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+                5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+                -----END PUBLIC KEY-----
+```
+
 ### Signing images
 
 To sign images, install [Cosign](https://github.com/sigstore/cosign#installation) and generate a public-private key pair.