github/flagger
1
0
Fork 0
mirror of https://github.com/fluxcd/flagger.git synced 2026-02-14 18:10:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a4babd6fc42cc131d5083e1dcd2f092def22e323
flagger/.cosign
History
Stefan Prodan be8ed8a696 Fix cosign workflow 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-08-25 12:16:06 +03:00
..
cosign.key
Fix cosign workflow
2021-08-25 12:16:06 +03:00
cosign.pub
Fix cosign workflow
2021-08-25 12:16:06 +03:00
README.md
Fix cosign workflow
2021-08-25 12:16:06 +03:00

README.md

Flagger signed releases

Flagger releases published to GitHub Container Registry as multi-arch container images are signed using cosign.

Verify Flagger images

Install the cosign CLI:

brew install sigstore/tap/cosign

Verify a Flagger release with cosign CLI:

cosign verify -key https://raw.githubusercontent.com/fluxcd/flagger/main/cosign/cosign.pub \
ghcr.io/fluxcd/flagger:1.13.0

Verify Flagger images before they get pulled on your Kubernetes clusters with Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-flagger-image
  annotations:
    policies.kyverno.io/title: Verify Flagger Image
    policies.kyverno.io/category: Cosign
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.4.2
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: verify-image
      match:
        resources:
          kinds:
            - Pod
      verifyImages:
      - image: "ghcr.io/fluxcd/flagger:*"
        key: |-
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt
          iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg==
          -----END PUBLIC KEY-----
Reference in New Issue View Git Blame Copy Permalink