Use this policy when you need to ensure that an image comes from a trusted publisher and has not been modified since it was published. Signing Docker images is the process that provides this authenticity and integrity guarantee: a digital signature is attached to the image, and the signature is verified before the image is allowed to run in the cluster.
Note: The policy is available from BRIX On-Premises version 2024.3.0 on.
The configuration file must be filled in for deployment.
Fill in the configuration file
Fill in the values-kyverno.yaml configuration file to install Kyverno:
- Configure the signature verification policy for Docker images. The policy is disabled by default. To enable it, set kyverno.checkImageSign.enabled to true.
- If several BRIX On-Premises application instances are installed in your Kubernetes cluster but you want to verify Docker image signatures only for some of them, fill in the kyverno.checkImageSign.namespace parameter. It lists the namespaces of the BRIX application instances to which the policy applies; if the parameter is left commented out, the policy applies in all namespaces.
- Specify the namespace for the Kyverno service: in this case, it is kyverno. To ensure high availability, set the required number of replicas in the kyverno.replicaCount parameter.
```yaml
## Configure kyverno
kyverno:
  ...
  ## signature verification policy for Docker images
  checkImageSign:
    enabled: false
    ## list of registries for which the signature policy for Docker images will be applied
    registry:
      - hub.elma365.tech
    ## list of namespaces in which the signature policy for Docker images will be applied
    # namespace:
    #   - elma365-dev
    #   - elma365-prod
    ## secret for accessing Docker images to apply the signature policy for Docker images
    existingImagePullSecrets:
      - yandexsecret
  namespace: kyverno
  ## number of replicas to ensure high availability
  replicaCount: 1
  ## crds installation (not required, added to the crds directory)
  installCRDs: false
  ...
```
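The following is an added example, not part of the BRIX documentation or the BRIX Helm chart. It models how the kyverno.checkImageSign values scope the policy (enabled flag, registry list, optional namespace list) and renders an illustrative Kyverno ClusterPolicy with a verifyImages rule of the kind such values map to. The values dictionary is constructed here, with the policy switched on and the namespace list uncommented; the exact policy the BRIX chart generates is an assumption, as is the signing public key, which the values file does not carry. The registry check is deliberately on the exact registry host rather than a substring of the image string, which is the point worth taking away: a prefix match would let hub.elma365.tech.attacker.example/app, or a Docker Hub image literally named hub.elma365.tech/app, slip through.

```python
"""Added example (not part of the BRIX/Kyverno documentation): a model of how
kyverno.checkImageSign values scope the image-signature policy, plus an
illustrative Kyverno ClusterPolicy rendered from them. The field names mirror
the values-kyverno.yaml fragment above; the rendered policy is an assumption,
not the chart's own output."""
import json

# Constructed values: same keys as the documented fragment, policy enabled,
# namespace filter uncommented, two replicas for high availability.
VALUES = {
    "kyverno": {
        "checkImageSign": {
            "enabled": True,
            "registry": ["hub.elma365.tech"],
            "namespace": ["elma365-dev", "elma365-prod"],
            "existingImagePullSecrets": ["yandexsecret"],
        },
        "namespace": "kyverno",
        "replicaCount": 2,
    }
}


def image_registry(image: str) -> str:
    """Return the registry host of an image reference.

    Per the Docker reference grammar the first path component is a registry
    only if it contains '.' or ':' or equals 'localhost'; otherwise the image
    is on Docker Hub (docker.io), e.g. 'nginx:1.25' or 'library/nginx'.
    """
    first, sep, _ = image.partition("/")
    if not sep or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def policy_applies(values: dict, image: str, namespace: str) -> bool:
    """Decide whether signature verification is enforced for image in namespace.

    - enabled: false  -> nothing is verified
    - namespace list absent or empty -> all namespaces are in scope
    - registry match is on the exact host, never a substring of the image
    """
    cfg = values["kyverno"]["checkImageSign"]
    if not cfg.get("enabled", False):
        return False
    ns_filter = cfg.get("namespace")
    if ns_filter and namespace not in ns_filter:
        return False
    return image_registry(image) in cfg.get("registry", [])


def render_cluster_policy(values: dict, public_key_pem: str) -> dict:
    """Render an illustrative Kyverno ClusterPolicy (verifyImages rule).

    Uses Kyverno v1 fields. Enforce (not Audit) so that unsigned pods are
    rejected at admission; failurePolicy Fail so an unreachable webhook does
    not silently admit workloads. The key is an assumed parameter.
    """
    cfg = values["kyverno"]["checkImageSign"]
    match = {"resources": {"kinds": ["Pod"]}}
    if cfg.get("namespace"):
        match["resources"]["namespaces"] = list(cfg["namespace"])
    return {
        "apiVersion": "kyverno.io/v1",
        "kind": "ClusterPolicy",
        "metadata": {"name": "check-image-sign"},
        "spec": {
            "validationFailureAction": "Enforce",
            "background": False,
            "failurePolicy": "Fail",
            "webhookTimeoutSeconds": 30,
            "rules": [{
                "name": "verify-signature",
                "match": {"any": [match]},
                "verifyImages": [{
                    # one glob per configured registry, e.g. hub.elma365.tech/*
                    "imageReferences": [f"{r}/*" for r in cfg["registry"]],
                    "attestors": [{"entries": [{"keys": {"publicKeys": public_key_pem}}]}],
                }],
            }],
        },
    }


if __name__ == "__main__":
    placeholder_key = "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
    print(json.dumps(render_cluster_policy(VALUES, placeholder_key), indent=2))
    for img, ns in [("hub.elma365.tech/app:1.0", "elma365-prod"),
                    ("hub.elma365.tech/app:1.0", "sandbox"),
                    ("hub.elma365.tech.attacker.example/app:1.0", "elma365-prod")]:
        print(f"{img} in {ns}: verified={policy_applies(VALUES, img, ns)}")
```

Run it as a script to print the rendered policy and the scope decisions; to apply a real policy, feed the JSON to kubectl (it is valid YAML) after replacing the placeholder key with the publisher's signing public key.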
To connect to a private registry:
## Configure kyverno where
|