This is a demo that verifies an image referenced inside a JSON payload, using Kyverno 1.14's image verification policy type.

Create a kind cluster:

```shell
kind create cluster --name=verify-images --image kindest/node:v1.32.0
```

Install nirmata-image-compliance in the `nirmata` namespace:

```shell
kubectl create ns nirmata
kubectl apply -f "https://raw.githubusercontent.com/nirmata/demo-image-compliance/refs/heads/main/config/install.yaml"
```

Run port forwarding so requests can be sent to the service:

```shell
kubectl -n nirmata port-forward svc/nirmata-image-compliance-svc 9443:443
```

In a new shell, post a request with a signed image. The image reference is nested under `foo.bar`; the service verifies the images it finds in the payload. This request is expected to pass:

```shell
curl -k https://localhost:9443/verifyimages -X POST -d '{"foo":{"bar": "ghcr.io/kyverno/test-verify-image:signed"}}'
```

Post a request with an unsigned image. This request is expected to be rejected, since the image carries no signature:

```shell
curl -k https://localhost:9443/verifyimages -X POST -d '{"foo":{"bar": "ghcr.io/kyverno/test-verify-image:unsigned"}}'
```

Update the `POLICY_PATH` environment variable in the deployment to the policy bundle that blocks critical and high vulnerabilities:

```shell
kubectl -n nirmata edit deploy nirmata-image-compliance
```

```yaml
- name: POLICY_PATH
  value: oci://ghcr.io/nirmata/demo-image-compliance-policies:block-high-vulnerabilites
```

Wait for the deployment to roll out, then re-run the port-forward command (it was bound to the old pod and breaks when that pod is replaced). Post the request with the signed image again:

```shell
curl -k https://localhost:9443/verifyimages -X POST -d '{"foo":{"bar": "ghcr.io/kyverno/test-verify-image:signed"}}'
```

This should fail: the image is signed, but it does not comply with the vulnerability requirements of the new policy.
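The steps above, collected into one driver script as an added example; it is not part of the demo repository. It replaces the interactive `kubectl edit` with `kubectl set env`, waits for each rollout, restarts the port-forward after the pod is replaced, and prints the HTTP status next to each response body. Two things are assumptions rather than facts from the page: the deployment name `nirmata-image-compliance` is taken from the `kubectl edit` step, and a non-2xx status is treated as a rejection (the page does not document the response format, so the body is printed as well and the reader should compare it against the expected outcomes).

```shell
#!/bin/sh
# Added driver for the walkthrough above. Assumptions (not stated on the page):
#   - the deployment is named nirmata-image-compliance (from the kubectl edit step),
#   - a non-2xx HTTP status from /verifyimages means the payload was rejected.
set -eu

CLUSTER=verify-images
NODE_IMAGE=kindest/node:v1.32.0
NS=nirmata
DEPLOY=nirmata-image-compliance
INSTALL_URL="https://raw.githubusercontent.com/nirmata/demo-image-compliance/refs/heads/main/config/install.yaml"
VERIFY_URL="https://localhost:9443/verifyimages"
STRICT_POLICY="oci://ghcr.io/nirmata/demo-image-compliance-policies:block-high-vulnerabilites"
SIGNED=ghcr.io/kyverno/test-verify-image:signed
UNSIGNED=ghcr.io/kyverno/test-verify-image:unsigned

# Build the same payload shape the page posts: the image reference sits at foo.bar.
payload_for() {
  printf '{"foo":{"bar":"%s"}}' "$1"
}

# ASSUMPTION: a 2xx status means "allowed", anything else means "denied".
is_allowed() {
  case $1 in
    2[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

PF_PID=
start_port_forward() {
  # kubectl port-forward binds to one pod, so it must be restarted after a
  # rollout replaces that pod.
  [ -n "$PF_PID" ] && kill "$PF_PID" 2>/dev/null || true
  kubectl -n "$NS" port-forward "svc/${DEPLOY}-svc" 9443:443 >/dev/null 2>&1 &
  PF_PID=$!
  i=0
  # curl exits 0 as soon as it receives any HTTP reply (no -f), regardless of status.
  until curl -ks -o /dev/null "$VERIFY_URL"; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "port-forward did not come up" >&2; exit 1; }
    sleep 1
  done
}

verify_image() {
  # Mirrors the page's curl (-k, POST, raw -d body) and appends the HTTP
  # status on its own line so it can be split from the body.
  out=$(curl -ks -X POST -d "$(payload_for "$1")" -w '\n%{http_code}' "$VERIFY_URL")
  status=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  if is_allowed "$status"; then verdict=allowed; else verdict=denied; fi
  printf '%s -> HTTP %s (%s)\n%s\n' "$1" "$status" "$verdict" "$body"
}

main() {
  kind create cluster --name="$CLUSTER" --image "$NODE_IMAGE"
  kubectl create ns "$NS"
  kubectl apply -f "$INSTALL_URL"
  kubectl -n "$NS" rollout status "deploy/$DEPLOY" --timeout=180s
  trap '[ -n "$PF_PID" ] && kill "$PF_PID" 2>/dev/null' EXIT
  start_port_forward

  echo "== default policy: expect signed allowed, unsigned denied"
  verify_image "$SIGNED"
  verify_image "$UNSIGNED"

  echo "== switching POLICY_PATH to the block-high-vulnerabilities policy"
  kubectl -n "$NS" set env "deploy/$DEPLOY" POLICY_PATH="$STRICT_POLICY"
  kubectl -n "$NS" rollout status "deploy/$DEPLOY" --timeout=180s
  start_port_forward

  echo "== strict policy: expect the signed image to be denied as well"
  verify_image "$SIGNED"
}

# Only run the cluster workflow when explicitly asked: RUN_DEMO=1 sh demo.sh
if [ "${RUN_DEMO:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_DEMO=1 sh demo.sh`; without that variable the script only defines its functions, which keeps it safe to source. The port-forward is restarted after the policy switch because the forward is attached to the pod that existed when it started, not to the service, and the `kubectl set env` call triggers a new rollout that replaces that pod.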