CASM-3422: Security: Container Image signature verification #5362
base: release/1.6
Kyverno is upgraded from 1.9.5 version to 1.10.7 version. Support container image signing and verification. Signed-off-by: pradeepkumargl <80017325+pradeepkumargl@users.noreply.github.com>
More information added towards container image signing and verification. Signed-off-by: pradeepkumargl <80017325+pradeepkumargl@users.noreply.github.com>
…ure verification feature Signed-off-by: pradeepkumargl <80017325+pradeepkumargl@users.noreply.github.com>
|
||
1. Kyverno is upgraded from 1.9.5 version to 1.10.7 version and is now available for customers as part of the HPE CSM 1.6 release. | ||
|
||
This is a major upgrade with many new features and bug fixes. For complete list please refer to the link [CHANGELOG](https://github.com/kyverno/kyverno/blob/main/CHANGELOG.md) |
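Review bot: the CHANGELOG link on the last line of this hunk points at the `main` branch (`.../blob/main/CHANGELOG.md`), so what the reader sees will keep moving past the 1.10.7 release that item 1 describes. Consider linking to the changelog as of the 1.10.7 release so the reference stays in step with the version shipped in CSM 1.6. In item 1, "from 1.9.5 version to 1.10.7 version" would also read better as "from version 1.9.5 to version 1.10.7".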
This is a major upgrade with many new features and bug fixes. For complete list please refer to the link [CHANGELOG](https://github.com/kyverno/kyverno/blob/main/CHANGELOG.md) | |
This is a major upgrade with many new features and bug fixes. For a complete list, refer to the [Kyverno CHANGELOG](https://github.com/kyverno/kyverno/blob/main/CHANGELOG.md). |
*Kyverno
### Container image signing and verification using Kyverno policy | ||
|
||
Container images are signed and verified using a Kyverno policy for software supply chain security. For more information, refer to the link | ||
[Verify image signatures](https://kyverno.io/docs/writing-policies/verify-images) |
[Verify image signatures](https://kyverno.io/docs/writing-policies/verify-images) | |
[Verify image signatures](https://kyverno.io/docs/writing-policies/verify-images). |
webhookTimeoutSeconds: 30 | ||
``` | ||
|
||
The unsigned container images added as exceptions won't be reported as policy violations in the policy report. To understand more about adding exceptions, refer to this link |
The unsigned container images added as exceptions won't be reported as policy violations in the policy report. To understand more about adding exceptions, refer to this link | |
The unsigned container images added as exceptions will not be reported as policy violations in the policy report. To understand more about adding exceptions, refer to this link |
``` | ||
|
||
The unsigned container images added as exceptions won't be reported as policy violations in the policy report. To understand more about adding exceptions, refer to this link | ||
[Adding Exceptions](https://release-1-9-0.kyverno.io/docs/writing-policies/match-exclude/#match-statements) |
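Review bot: the "Adding Exceptions" link on the last line targets the Kyverno 1.9.0 documentation (`release-1-9-0.kyverno.io`), while this same change states that Kyverno is upgraded to 1.10.7. Point the link at the documentation for the shipped version, and confirm that the `#match-statements` anchor is the section intended for exceptions, since the link text and the anchor do not match.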
[Adding Exceptions](https://release-1-9-0.kyverno.io/docs/writing-policies/match-exclude/#match-statements) | |
[Adding Exceptions](https://release-1-9-0.kyverno.io/docs/writing-policies/match-exclude/#match-statements). |
webhookTimeoutSeconds: 30 | ||
``` | ||
|
||
The container images succesfully signed by the Customers using their own private key, won't be reported as policy violations in the policy report. |
The container images succesfully signed by the Customers using their own private key, won't be reported as policy violations in the policy report. | |
The container images successfully signed by the Customers using their own private key, will not be reported as policy violations in the policy report. |
Description
This PR consists of Kyverno documentation related changes/features which are submitted to CSM 1.6 release.
Mainly Kyverno version upgrade and Container image signature verification policy features.
This PR is for JIRA tickets
CASM-4673.
CASM-4820