Registry trust & allowed sources
Pin who you pull from, not just what.
Verifying signatures answers "is this the artifact we built?" — but you also need to control where images come from at all. An allowed-registries policy restricts workloads to pulling only from registries you trust (your internal registry, specific vetted mirrors), so a compromised manifest cannot pull an attacker’s image from a random public registry. It is a blunt but essential control: even before signature checks, the set of places an image may originate should be a short, deliberate list.
Why "signed" is not enough without "from where"
Signature verification and registry restriction cover different holes, and you need both. Verifying the signer identity stops an unsigned or wrong-identity image; restricting the registry stops an image pulled from somewhere you do not control, and closes the gap where an attacker signs their own malicious image with their own valid identity from their own registry. The complete rule is "signed by our CI identity AND pulled from our registry AND carrying the required provenance" — three assertions, because an attacker only needs the one you left out.
Control the registry itself
The trusted registry is infrastructure to secure, not just point at. Run a private registry (Harbor, Artifactory) as the single source for production images, use it as a pull-through cache so an upstream outage or a poisoned public image does not reach you unfiltered, and enforce that images are scanned and signed before they can be tagged for production. Some registries can themselves verify signatures and block vulnerable images on push. The registry is both the choke point you restrict pulls to and a place to enforce policy in its own right.
# defense in depth at the registry choke point:# - admission policy: pull only from registry.acme.internal/* (allowed sources)# - the registry: scan-on-push, block on CRITICAL, require a signature to promote to "prod"# - pull-through cache for public deps, so nothing pulls straight from the internet