# Example Policies

URL: https://edu.chainguard.dev/open-source/sigstore/policy-controller/policies/chainguard-enforce-policy-examples.md
Last Modified: August 19, 2024
Tags: Policy Controller, Procedural, Policy, policy-controller, Reference, SBOM

## Policy recipes

The Sigstore Policy Controller allows users to create their own security policies that can be enforced on Kubernetes clusters. Here are a few example policies to help you get started.
You may also review the Sigstore Policy Controller documentation. In particular, we encourage you to review the Policy Controller documentation on the admission of images to learn how images are admitted through a cluster image policy.
### Policy enforcing signed containers

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: signed-keyless
spec:
  images:
    # All images
    - glob: "**"
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
      ctlog:
        url: https://rekor.sigstore.dev
```

Example using Chainguard Containers from Chainguard's registry:

```yaml
...
  images:
    - glob: cgr.dev/chainguard/**
...
```

An example using Docker Hub images:

```yaml
...
  images:
    - glob: "index.docker.io/*"
    - glob: "index.docker.io/*/*"
...
```

An example using Google Cloud Registry:

```yaml
...
  images:
    - glob: gcr.io/your-image-here/*
...
```

### Policy enforcing signer identity through an OIDC provider and subject

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: enforce-signer-oidc
spec:
  images:
    - glob: "**"
  authorities:
    - keyless:
        identities:
          # <<<-- REPLACE the following with your OIDC provider & subject -->
          - issuer: https://token.actions.githubusercontent.com
            subject: https://github.com/chainguard-dev/gke-demo/.github/workflows/release.yaml@refs/heads/main
```

An alternate issuer and subject:

```yaml
...
          - issuer: https://accounts.google.com
            subject: your-gmail@gmail.com
```

### Policy enforcing that images have a signed SPDX SBOM attestation from a custom key

This policy asserts that all images must have a signed SPDX SBOM attestation from a custom key.

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: custom-key-attestation-sbom-spdxjson
spec:
  images:
    - glob: gcr.io/your-image-here/*
  authorities:
    - name: custom-key
      key:
        data: |
          -----BEGIN PUBLIC KEY-----
          ...
          -----END PUBLIC KEY-----
      attestations:
        - name: must-have-spdxjson
          predicateType: spdxjson
          policy:
            type: cue
            data: |
              predicateType: "https://spdx.dev/Document"
```

Set the POLICY and IMAGES environment variables appropriately, pointing to the sample policy and the image you would like to test.

```shell
POLICY="policies/custom-key-attestation-sbom-spdxjson.yaml"
```

Generate an SPDX SBOM, then attach the SBOM to your image:

```shell
cosign attest --type spdxjson
```

Next, sign it with a private key (for example, one located in a keys directory as in keys/cosign.key).

```shell
export COSIGN_PASSWORD=""
cosign attest --yes --type spdxjson \
  --predicate sboms/example.spdx.json \
  --key keys/cosign.key \
  "${IMAGE}"
```

### Policy enforcing that releases are signed by GitHub Actions

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-is-signed-by-github-actions
spec:
  images:
    # This is the release v0.3.0
    - glob: "gcr.io/projectsigstore/policy-webhook@sha256:d1e7af59381793687db4673277005276eb73a06cf555503138dd18eaa1ca47d6"
  authorities:
    - keyless:
        # Signed by Fulcio
        url: https://fulcio.sigstore.dev
        identities:
          # Matches the GitHub Actions OIDC issuer
          - issuer: https://token.actions.githubusercontent.com
            # Matches a specific GitHub workflow on main branch. Here we use the
            # Sigstore policy controller example testing workflow as an example.
            subject: "https://github.com/sigstore/policy-controller/.github/workflows/release.yaml@refs/tags/v0.3.0"
```

### Policy allowing trusted GKE images

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: gke-trusted
spec:
  images:
    - glob: gke.gcr.io/**
    - glob: gcr.io/gke-release/*
  authorities:
    - static:
        action: pass
```

### Enforce that cert-manager is signed

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: certmanager-signed
spec:
  images:
    - glob: quay.io/jetstack/cert-manager-*
  authorities:
    - key:
        data: |
          -----BEGIN PUBLIC KEY-----
          MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsZZKaaIRjOpzbiWYIDKO
          yry9XGBqAfve1iOGmt5VO1jpjNoEseT6zewozHfWTM7osxayy2WjN8G+QV39MlT3
          Vxo91/31g+Zcq8KcvxG+iB8GRaD9pNgLmghorv+eYDiPYMO/+fhsLImyG5WEoPct
          MeCBD7umZ/A2t96U9DQxVDqQbTHlsNludno1p1wsgRnfUM3QHexNljDvJg5FcDMo
          dCpVLpRNvbw0lbJVfybJ4siJ5o/MmXzy0QCJpw+yMIqvqMc8qgKJ1yooJtuTVF4t
          4/luP+EG/oVIiSWCFeRMqYdbJ3R+CJi+4LN7vFNYQM1Q/NwOB52RteaR7wnqmcBz
          qSYK32MM8xdPCQ5tioWwnPTRbPZuzsZsRmJsKBO9JUrBYdDntZX1xY5g4QNSufxi
          QgJgJSU7E4VGMvagEzB1JzvOr6A/qNFCO1Z6JsA3jw3cJLV1rSHfxqfSXBACTLDf
          6bOPWRILRKydTJA6uLKNKmo1/nFm3jvd5tHKOjy4VAQLJ/Vx9wBsAAiLa+06veun
          Oz3AJ9sNh3wLp21RL11u9TuOKRBipE/TYsBYp8jpIyWPXDSV+JcD/TZqoT8y0Z6S
          0damfUmspuK9DTQFL2crpeaqJSG9RA+OuPZLxGD1IMURTsPJB7kXhPtmceeirBnw
          sVcRHHDitVt8oO/x4Wus1c0CAwEAAQ==
          -----END PUBLIC KEY-----
        hashAlgorithm: sha512
```

### Enforce that Chainguard agent is signed

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: chainguard-agent-is-signed
spec:
  images:
    - glob: us.gcr.io/prod-enforce-fabc/**
  authorities:
    - ctlog:
        url: https://rekor.sigstore.dev
      keyless:
        identities:
          - issuer: https://token.actions.githubusercontent.com
            subject: https://github.com/chainguard-dev/mono/.github/workflows/.release-drop.yaml@refs/heads/main
          - issuer: https://token.actions.githubusercontent.com
            subject: https://github.com/chainguard-dev/mono/.github/workflows/.build-drop.yaml@refs/heads/main
        url: https://fulcio.sigstore.dev
```

### Enforce that Google's distroless images are signed

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: google-distroless-signed
spec:
  images:
    - glob: gcr.io/distroless/static*
  authorities:
    - ctlog:
        url: https://rekor.sigstore.dev
      keyless:
        identities:
          - issuer: https://accounts.google.com
            subject: keyless@distroless.iam.gserviceaccount.com
        url: https://fulcio.sigstore.dev
```

### Enforce that Istio images are signed

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: istio-signed
spec:
  images:
    - glob: index.docker.io/istio/*
  authorities:
    - key:
        data: |
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEej5bv2n2vOecKineYGWwq1WaQa7C
          7HTEVN+BkNI4D1+66ufzn1eGTrbaC9dceJqCAkhp37vMxhWOrGufpBUokg==
          -----END PUBLIC KEY-----
```
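The policies above select images with `spec.images` globs, and the Docker Hub recipe needs two globs because `*` stops at a `/` while `**` does not. The script below is an added illustration of those selection semantics, not the policy controller's own matcher; it assumes that `*` matches within one path component, that `**` matches across components, and that Docker Hub short names are expanded to `index.docker.io/library/<name>` before matching, so you can check which recipe would cover a given image before applying it to a cluster.

```python
import re


def glob_to_regex(glob):
    """Translate one spec.images glob into an anchored regex.

    Assumed semantics (modeled on how this page's recipes use globs):
      '**' matches any run of characters, slashes included
      '*'  matches any run of characters within one path component (no '/')
      everything else is literal, so a pinned tag or digest must match exactly
    """
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def normalize_ref(ref):
    """Expand Docker Hub short names to the fully qualified form the globs
    are written against: 'nginx' -> 'index.docker.io/library/nginx' and
    'istio/pilot' -> 'index.docker.io/istio/pilot' (assumed normalization).
    A first component containing '.' or ':' or equal to 'localhost' is
    already a registry host and is left alone."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return ref
    return "index.docker.io/" + (ref if sep else "library/" + ref)


def policy_selects(globs, ref):
    """True when any glob from a policy's spec.images list matches the image."""
    target = normalize_ref(ref)
    return any(glob_to_regex(g).match(target) for g in globs)


if __name__ == "__main__":
    # Constructed image references checked against globs taken from the recipes above.
    print(policy_selects(["**"], "cgr.dev/chainguard/nginx:latest"))                  # True
    print(policy_selects(["index.docker.io/*"], "nginx:1.25"))                        # False: '*' stops at '/'
    print(policy_selects(["index.docker.io/*", "index.docker.io/*/*"], "nginx:1.25"))  # True
    print(policy_selects(["gke.gcr.io/**", "gcr.io/gke-release/*"], "gcr.io/gke-release/a/b"))  # False
```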
