
Kubernetes Image Signing Policy with Cosign and Kyverno


Overview

Implemented a cluster-wide image signing policy using Cosign and Kyverno. Any image not signed with the client's private key is automatically rejected by the cluster — preventing unsigned, unverified, or tampered images from ever running in production.

Architecture

Architecture Diagram

The policy enforcement flow:

  • Cosign generates a key pair — private key signs images, public key verifies them
  • Kyverno policy deployed cluster-wide with the public key embedded
  • Every kubectl apply triggers Kyverno admission control — unsigned images are rejected
  • A shell script automates the image signing process for the client's CI workflow

Tech Stack

Layer                    Technology
-----------------------  -----------------------------------
Container orchestration  Kubernetes
Image signing            Cosign (Sigstore)
Policy engine            Kyverno
Policy type              Admission controller
Scripting                Bash (image signing automation)

What Was Built

1. Cosign installation and key generation

  • Installed Cosign on the cluster environment
  • Generated a key pair — private key for signing, public key embedded in the Kyverno policy

2. Kyverno policy deployment

  • Deployed Kyverno as an admission controller in the cluster
  • Wrote a ClusterPolicy that verifies image signatures on every pod admission request
  • Public key embedded directly in the policy for verification

3. Image signing shell script

  • Wrote a shell script to sign Docker images using the private key before pushing to the registry
  • Automates the sign → push workflow for the client's team

4. Policy demo

  • Demonstrated the full flow to the client:
    • Unsigned image → rejected by Kyverno admission controller
    • Signed image → allowed into the cluster
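
As an added example (not the repository's own kyverno-policy.yaml), this is a ClusterPolicy of the kind step 2 describes: a cluster-wide verifyImages rule with the Cosign public key embedded. The policy name, the registry pattern and the key contents are placeholders; only the public key (cosign.pub) goes into the policy, the private key is never needed in the cluster.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-client-image-signature   # placeholder name
spec:
  # Enforce (rather than Audit) so unsigned images are rejected, not just logged
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  # Fail closed: if the Kyverno webhook is unreachable, admission is denied, not skipped
  failurePolicy: Fail
  rules:
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Placeholder registry pattern: only images under this path are checked
        - imageReferences:
            - "registry.example.com/client/*"
          # Reject any matching image that carries no valid signature
          required: true
          # Rewrite mutable tags to the verified digest so the pod runs exactly what was verified
          mutateDigest: true
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Paste the contents of cosign.pub from `cosign generate-key-pair` here
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <PLACEHOLDER: cosign.pub contents>
                      -----END PUBLIC KEY-----
```

Kyverno auto-generates matching rules for Pod controllers (Deployments, StatefulSets, and so on), so the `kubectl apply deployment` step in the demo is covered by this single Pod rule.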

How It Works

  Developer pushes image
          ↓
  ./sign-image.sh (Cosign signs with private key)
          ↓
  Image pushed to registry with signature
          ↓
  kubectl apply deployment
          ↓
  Kyverno admission controller intercepts
          ↓
  Verifies signature against public key in policy
          ↓
  ✅ Signed → Allowed   |   ❌ Unsigned → Rejected

Project Structure

05-cosignPolicy-DEVOPS/
├── kyverno-policy.yaml   (ClusterPolicy with public key)
├── script.sh             (Image signing automation script)
├── cosign.key            (Demo cosign key)
└── README.md

Key Learnings

  • Cosign + Kyverno is the production standard for Kubernetes image supply chain security
  • Kyverno admission controllers intercept every pod creation request — policy violations are blocked before the container ever starts
  • Embedding the public key in a ClusterPolicy allows cluster-wide enforcement without per-namespace configuration
