CoursesSoftware supply chain in depthAdmission & pipeline hardening

Verify at admission

policy-controller/Kyverno; identity + attestations by digest.

Expert35 min · lesson 13 of 15

All the evidence in the world — signatures, provenance, SBOMs — does nothing until something refuses to run an artifact that lacks it. Admission verification is the enforcing gate: the point where Kubernetes checks an image’s evidence against policy and rejects anything that fails.

Verify signatures and attestations at admission

An admission controller intercepts every pod before it runs and can require that each image is signed by a trusted identity and carries the attestations your policy demands. Sigstore’s policy-controller, Kyverno’s verifyImages rules, and tools like Connaisseur or Ratify perform this check: verify the cosign signature, confirm the signing identity matches your pipeline, and optionally require provenance and an SBOM meeting policy. An unsigned image, one signed by the wrong identity, or one missing required provenance never starts — the deploy is blocked at the cluster door.

a Kyverno rule requiring your pipeline’s signature
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: { name: require-signed-images }
spec:
validationFailureAction: Enforce
rules:
- name: verify-release-signature
match: { any: [{ resources: { kinds: [Pod] } }] }
verifyImages:
- imageReferences: ["registry.acme.internal/*"]
attestors:
- entries:
- keyless:
subject: "https://github.com/acme/*/.github/workflows/release.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
# optionally also require a SLSA provenance attestation here

Pin by digest and require the full evidence set

Verification must be tied to an immutable reference: admit images by digest, not by a mutable tag like :latest that can be repointed to a different image after the check. The strongest policies require more than a signature — the right signing identity plus required attestations (SLSA provenance meeting a level, a signed SBOM, a passing scan) — so only artifacts with the complete, verifiable evidence chain run. This is the payoff of everything earlier: producing evidence matters only because this gate enforces it, and the gate is trustworthy only because the evidence is bound to exact bytes by digest.

The admission verification gate
1pod requests image
by digest
2admission controller
policy-controller / Kyverno
3verify signature + attestations
identity, provenance, SBOM, scan
4admit or reject
no evidence → no deploy
Producing evidence is pointless without this gate; the gate is trustworthy because evidence is digest-bound. Require identity + attestations, by digest.
Verifying by tag lets an attacker swap the image after the check
A policy that admits my-app:latest verifies whatever the tag points to at that instant — and a mutable tag can be repointed to a malicious image. Always verify and admit by immutable digest so the evidence you checked applies to exactly the bytes that run.