
[Bug] Kyverno verifyImages policy doesn't work correctly #1128

Open
2 tasks done
Bunny15738 opened this issue Aug 13, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@Bunny15738

Bunny15738 commented Aug 13, 2024

Kyverno Version

1.12

Kubernetes Version

1.29

Kubernetes Platform

EKS

Description

When I first apply an imageVerification policy with validationFailureAction set to Audit, the first pod that is signed and already deployed gets a warning in the PolicyReport saying it isn't signed, but when I delete it and redeploy it a second time it works.

apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
  creationTimestamp: '2024-08-13T10:11:50Z'
  generation: 2
  labels:
    app.kubernetes.io/managed-by: kyverno
  name: b851b881-036e-4a55-916c-7bb57ddaea66
  namespace: keda
  ownerReferences:
    - apiVersion: v1
      kind: Pod
      name: keda-admission-webhooks-55b4d95c74-qnjjz
      uid: b851b881-036e-4a55-916c-7bb57ddaea66
  uid: 71258180-d8b7-4a78-af2a-b60087477ee4
results:
  - category: Best Practices
    message: >-
      unverified image
      XXXX.XXX.XXX/keda/keda-admission-webhooks:2.14.0
    policy: verify-image-signature
    result: fail
    rule: verify-image-signature
    scored: true
    severity: medium
    source: kyverno
    timestamp:
      nanos: 0
      seconds: 1723543995
scope:
  apiVersion: v1
  kind: Pod
  name: keda-admission-webhooks-55b4d95c74-qnjjz
  namespace: keda
  uid: b851b881-036e-4a55-916c-7bb57ddaea66
summary:
  error: 0
  fail: 1
  pass: 1
  skip: 0
  warn: 0

Here is the kyverno policy.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/title: Verify Image Signature
  labels:
    argocd.argoproj.io/instance: kyverno-policies
  name: verify-image-signature
spec:
  background: true
  failurePolicy: Fail
  rules:
    - exclude:
        any:
          - resources:
              namespaces:
                - kube-node-lease
                - kube-public
                - kube-system
                - kyverno
      match:
        any:
          - resources:
              kinds:
                - Pod
      name: verify-image-signature
      verifyImages:
        - attestors:
            - entries:
                - annotations:
                    signed_by: test
                  keys:
                    ctlog:
                      ignoreSCT: true
                    publicKeys: >-
                      -----BEGIN PUBLIC KEY-----

                      XXXXXXXXXXXXXXXXXXXXXXXXXXX

                      -----END PUBLIC KEY-----
                    rekor:
                      ignoreTlog: false
                      url: 'https://XXX.rekor.XXXXX.XXXX'
          imageReferences:
            - XXXX.XXX.XXX
          mutateDigest: false
          verifyDigest: false
  validationFailureAction: Audit
  webhookTimeoutSeconds: 30

Steps to reproduce

1. I created a policy for image verification against my AWS public key
2. I deploy a pod with a signed image that should pass (confirmed via cosign)
3. I check the report and it says it failed
4. I delete the pod
5. I recreate the pod, and this time it passes in the report

Expected behavior

It should work in Audit mode: if the image is signed, then it must show pass.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@Bunny15738 Bunny15738 added the bug Something isn't working label Aug 13, 2024
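A triage helper for the situation described above, added here as an example (not Kyverno's own code): it groups PolicyReport results for the verify-image policy by workload and tells a reviewer whether an image-verification failure persisted or "flapped" to pass after the pod was recreated. The first report is taken from this issue; the second (post-recreation) report, its pod name and its "image verified" message are constructed, and grouping pods by stripping the ReplicaSet's random name suffix is an assumption about naming.

```python
import json
from datetime import datetime, timezone

# Constructed sample input, as returned by `kubectl get polr -n keda -o json` and decoded.
# First report: the failing one from this issue. Second: assumed report after recreating the pod.
REPORTS_JSON = """[
 {"metadata": {"creationTimestamp": "2024-08-13T10:11:50Z", "namespace": "keda"},
  "scope": {"kind": "Pod", "name": "keda-admission-webhooks-55b4d95c74-qnjjz", "namespace": "keda"},
  "results": [{"policy": "verify-image-signature", "rule": "verify-image-signature",
               "result": "fail", "timestamp": {"seconds": 1723543995, "nanos": 0},
               "message": "unverified image XXXX.XXX.XXX/keda/keda-admission-webhooks:2.14.0"}]},
 {"metadata": {"creationTimestamp": "2024-08-13T10:20:00Z", "namespace": "keda"},
  "scope": {"kind": "Pod", "name": "keda-admission-webhooks-55b4d95c74-zz9kq", "namespace": "keda"},
  "results": [{"policy": "verify-image-signature", "rule": "verify-image-signature",
               "result": "pass", "timestamp": {"seconds": 1723544400, "nanos": 0},
               "message": "image verified"}]}
]"""

def workload_of(pod_name: str) -> str:
    """Assumption: drop the random suffix a ReplicaSet appends so recreated pods group together."""
    return pod_name.rsplit("-", 1)[0]

def verify_timeline(reports, policy="verify-image-signature"):
    """Return {(namespace, workload): [(utc_time, pod, result, message), ...]} sorted by time."""
    timeline = {}
    for rep in reports:
        scope = rep["scope"]
        key = (scope["namespace"], workload_of(scope["name"]))
        for r in rep.get("results", []):
            if r.get("policy") != policy:
                continue
            when = datetime.fromtimestamp(r["timestamp"]["seconds"], tz=timezone.utc)
            timeline.setdefault(key, []).append((when, scope["name"], r["result"], r.get("message", "")))
    for events in timeline.values():
        events.sort()
    return timeline

def classify(timeline):
    """'persistent-fail' if the latest verdict is fail, 'flapped' if a fail was later followed by
    a non-fail result, otherwise the latest result as-is."""
    verdicts = {}
    for key, events in timeline.items():
        results = [e[2] for e in events]
        if results[-1] == "fail":
            verdicts[key] = "persistent-fail"
        elif "fail" in results:
            verdicts[key] = "flapped"
        else:
            verdicts[key] = results[-1]
    return verdicts

def triage(reports_json=REPORTS_JSON):
    return classify(verify_timeline(json.loads(reports_json)))

if __name__ == "__main__":
    for (ns, workload), verdict in triage().items():
        print(f"{ns}/{workload}: {verdict}")
```

A "flapped" verdict is the pattern this issue reports; a "persistent-fail" in Audit mode is what a reviewer should actually chase, since nothing blocked the pod.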
@chipzoller
Contributor

Please properly format your manifests so we can review them.

@Bunny15738
Author

I have formatted the manifest. Can you check now?

@Bunny15738
Author

Hi @chipzoller, any update on the above?

@chipzoller
Contributor

chipzoller commented Aug 20, 2024

What do the logs for the admission controller say when you compare a pass to a fail? What is the exact version of Kyverno used here?
