Kyverno Enforcement¶
Overview¶
The homelab cluster uses Kyverno to enforce supply chain security policies at admission time. When a Pod is submitted to the Kubernetes API, Kyverno intercepts the request and verifies that any ghcr.io/webgrip/* images are:
- Signed by the
webgrip/infrastructurerelease workflow via cosign - Accompanied by an attested CycloneDX SBOM
If verification fails in Enforce mode, the Pod is rejected before any containers are started.
The policy¶
The policy is defined in ops/kyverno/cluster-policies/verify-webgrip-images.yaml in this repository. Apply it to the cluster:
1 2 3 4 5 6 | |
Rollout strategy¶
The policy ships in Audit mode. Switch to Enforce only after verifying all running webgrip images are signed.
Step 1: Apply in Audit mode and monitor¶
1 2 3 4 5 6 7 8 9 10 | |
Step 2: Sign existing images¶
For any image that was published before this signing pipeline, create a new GitHub Release to trigger the signing workflow. Alternatively, re-sign an existing image manually:
1 2 3 4 5 | |
Step 3: Switch to Enforce¶
Once PolicyReport shows no violations:
1 2 3 4 5 6 | |
Understanding the policy rules¶
mutateDigest: true¶
When Kyverno admits a Pod, it rewrites any image tag to include the resolved digest:
1 2 | |
This means the container runtime always pulls the exact image that was signed — tag reassignment after signing has no effect on running workloads.
required: true¶
Pods containing ghcr.io/webgrip/* images without a valid signature are blocked (in Enforce mode) or generate a PolicyReport violation (in Audit mode). Images from other registries are not affected.
Namespace exclusions¶
The policy excludes system namespaces by default:
1 2 3 4 5 6 7 8 9 10 11 | |
Expand or reduce this list to match your cluster's structure.
Viewing Kyverno reports¶
1 2 3 4 5 6 7 8 9 | |
In the homelab cluster, policy-reporter aggregates these reports and exposes them in Grafana dashboards.
Testing the policy¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | |
Kyverno + GUAC integration¶
For advanced supply chain governance, GUAC (running in the security namespace) can be used as a policy information point: query GUAC's GraphQL API to determine whether a given image has known vulnerabilities before admitting it. This requires a custom Kyverno generate or validate rule with an external data source call to the GUAC API.