If you do not yet have a key pair for signing images, read the Key Generation article first.
Install the Helm chart from the official repository:
- Add the Sigstore Helm repository:
  helm repo add sigstore https://sigstore.github.io/helm-charts
- Update your local Helm chart repository cache:
  helm repo update
- Install the policy-controller chart from the Sigstore repository:
  helm install policy-controller sigstore/policy-controller
  Using a values.yaml file:
  helm install policy-controller sigstore/policy-controller -f values.yaml
For more documentation, refer to: artifacthub.io/packages/helm/sigstore/policy-controller
Create a policy that trusts the public key of the signing key pair:
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: custom-key-attestation-sbom-spdxjson
spec:
  images:
  - glob: "**"
  authorities:
  - name: custom-key
    key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOc6HkISHzVdUbtUsdjYtPuyPYBeg
        4FCemyVurIM4KEORQk4OAu8ZNwxvGSoY3eAabYaFIPPQ8ROAjrbdPwNdJw==
        -----END PUBLIC KEY-----
For more documentation and sample policies, refer to: docs.sigstore.dev/policy-controller/sample-policies
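As an added example (not from the Sigstore docs or the policy-controller project), a POSIX shell function that renders the ClusterImagePolicy above from a cosign.pub file, so the PEM lines keep the indentation the `data: |` block requires, refuses to embed a private key, and lets you scope `glob` to your own registry instead of the catch-all `**`; the registry name and the temporary key file are assumptions:

```shell
#!/bin/sh
# Added example, not part of the Sigstore documentation: render a ClusterImagePolicy
# from a cosign public key file so the PEM block lands correctly indented under
# `data: |`. Assumes POSIX sh and a key file in the cosign.pub PEM format.

# render_policy NAME GLOB PUBKEY_FILE  -> prints the policy YAML on stdout
render_policy() {
  name=$1; glob=$2; keyfile=$3

  # Only accept a PEM public key: a private key must never end up in a
  # cluster-wide policy object that any reader of the API can see.
  if ! grep -q -- '-----BEGIN PUBLIC KEY-----' "$keyfile" \
     || grep -q 'PRIVATE KEY' "$keyfile"; then
    echo "render_policy: $keyfile is not a PEM public key" >&2
    return 1
  fi

  cat <<EOF
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: $name
spec:
  images:
  - glob: "$glob"
  authorities:
  - name: custom-key
    key:
      data: |
EOF
  # Indent every PEM line by eight spaces so it stays inside the `data: |` block.
  sed 's/^/        /' "$keyfile"
}

# Demo: a constructed key file holding the sample public key from the policy above,
# scoped to one (assumed) registry instead of the catch-all "**".
demo_key=$(mktemp)
cat > "$demo_key" <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOc6HkISHzVdUbtUsdjYtPuyPYBeg
4FCemyVurIM4KEORQk4OAu8ZNwxvGSoY3eAabYaFIPPQ8ROAjrbdPwNdJw==
-----END PUBLIC KEY-----
EOF
render_policy custom-key-attestation-sbom-spdxjson 'registry.example.com/**' "$demo_key"
rm -f "$demo_key"
```

Pipe the output into `kubectl apply -f -` once it looks right; the glob should be narrowed to the registries you actually deploy from.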
By default, the policy-controller admission webhook validates only resources in namespaces that have opted in. A namespace opts in by carrying the label policy.sigstore.dev/include: "true" on the namespace resource:
kubectl label namespace my-secure-namespace policy.sigstore.dev/include=true
For more documentation, refer to: docs.sigstore.dev/policy-controller/overview