[Bug] Kyverno image verification does not work on pre-existing resources #10239
Labels
bug
Something isn't working
imageVerify
Image verification support
reports
Issues related to policy reports.
Kyverno Version
1.11.4
Description
Hey,
I’m trying to configure the image-verification process for my environment. Here is my policy:
The policy itself seems to be working fine, but validation is failing with
policy if-baltic-verify-image-signature/verify-image-signature fail: image is not verified
for an unspecified reason. In the Kyverno logs I see the following:
Images are stored in Azure Container Registry. Both Kyverno reports and the admission controller are configured to use workload identity and are able to reach ACR with pull permissions.
If I try to verify the signature manually, i.e. with
cosign verify --key cosign-dev.pub --private-infrastructure privateazureregistry.azurecr.io/consul-k8s-control-plane:1.4.1
images are verified successfully.
Also, if I put the policy in enforce mode, it works correctly: signed images are allowed and unsigned ones are blocked. However, reporting still shows the same
verify-image-signature fail: image is not verified
Any thoughts?
Thank you.
Slack discussion
https://kubernetes.slack.com/archives/CLGR9BJU9/p1715688426417939
Troubleshooting