Minimal but enforceable security policies for the intent pipeline, developed with a Test-Driven Development (TDD) approach.
- Enforces container image signatures
- Rejects unsigned images in production namespaces
- Supports keyless and key-based verification
- Image signature verification with Kyverno
- Namespace-based policy enforcement
- Integration with admission controllers
- TLS certificate lifecycle management
- Self-signed ClusterIssuer for testing
- Foundation for mTLS and webhook certificates
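As an added example (not a manifest from this repository), the following shows what a self-signed ClusterIssuer for testing and a webhook serving certificate issued from it look like in cert-manager. The `intent-system` namespace, the `intent-webhook` service name and the `intent-webhook-tls` secret name are assumptions; the cert-manager API fields themselves are real.

```yaml
# Self-signed ClusterIssuer: fine for local testing, replaced by a real CA in production
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# Serving certificate for an admission webhook (namespace and names are assumed)
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: intent-webhook-tls
  namespace: intent-system
spec:
  secretName: intent-webhook-tls
  duration: 2160h     # 90 days
  renewBefore: 360h   # cert-manager renews 15 days before expiry, no manual rotation
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # new key on every renewal
  usages:
    - server auth
    - client auth            # allows the same certificate to be used for mTLS client identity
  dnsNames:
    - intent-webhook.intent-system.svc
    - intent-webhook.intent-system.svc.cluster.local
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
```

The webhook Deployment mounts the `intent-webhook-tls` Secret; the `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` still needs the issuer's CA bundle in `caBundle`, which is the part that changes when the self-signed issuer is swapped for a real CA.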
Each component follows Test-Driven Development:
- RED Phase: Tests are written first and fail because the policies do not yet exist
- GREEN Phase: The minimal policies needed to make the tests pass are implemented
- REFACTOR Phase: Policies are tightened and optimized without breaking the tests
```bash
# Run all tests (will fail initially)
for dir in sigstore kyverno cert-manager; do
  echo "Testing $dir..."
  # Run in a subshell so a failing `make test` does not leave the loop in the wrong directory
  (cd "$dir" && make test)
done

# Install components
(cd cert-manager && make install && make apply)
(cd sigstore && make install-policy-controller && make apply)
(cd kyverno && make apply)

# Run tests again (should pass)
for dir in sigstore kyverno cert-manager; do
  echo "Testing $dir..."
  (cd "$dir" && make test)
done
```

- Default Deny: Unsigned images rejected by default
- Namespace Isolation: Dev environments exempt from strict policies
- Fail Closed: Webhook failures block deployments
- Transparency: All signatures verified against Rekor logs
- Certificate Automation: No manual certificate management
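To make the principles above concrete, here is an added example of a Kyverno ClusterPolicy (not a policy from this repository) that enforces image signature verification with the same properties: default deny, dev namespaces exempt, fail closed on webhook errors, and every signature checked against Rekor, accepting either keyless or key-based signatures. The registry pattern `ghcr.io/example-org/*`, the OIDC subject, the `dev-*` namespace convention and the public key are placeholders; the Kyverno fields are real.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  # Default deny: a failed verification rejects the request instead of only auditing it
  validationFailureAction: Enforce
  # Fail closed: if the webhook errors or times out, the API server rejects the request
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: require-signed-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Namespace isolation: system namespaces and dev-* namespaces are exempt
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
                - cert-manager
                - "dev-*"
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"   # placeholder: the registry/org used by the intent pipeline
          required: true                # an image with no matching signature is rejected
          mutateDigest: true            # rewrite tags to digests so what was verified is what runs
          verifyDigest: true
          attestors:
            - count: 1                  # at least one of the entries below must verify
              entries:
                # Keyless verification: signer identity is bound to an OIDC issuer and subject
                - keyless:
                    subject: "https://github.com/example-org/*"   # placeholder workflow identity
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev            # transparency log lookup
                # Key-based verification with a cosign public key (placeholder key material)
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE_WITH_COSIGN_PUBLIC_KEY
                      -----END PUBLIC KEY-----
                    rekor:
                      url: https://rekor.sigstore.dev
```

A RED-phase test for this policy is simply a Pod in a production namespace that references an unsigned image from the matched registry: it must be admitted before the policy exists and rejected afterwards, while the same Pod in a `dev-*` namespace is admitted in both cases. Keep `failurePolicy: Fail` together with a health check on the Kyverno deployment, since a fail-closed webhook turns a Kyverno outage into a cluster-wide deployment freeze for the matched namespaces.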
These guardrails ensure:
- Only verified KRM packages are deployed
- Intent transformations use signed container images
- O2 IMS communications use proper TLS certificates
- GitOps deployments verify image signatures
- Replace the placeholder signing keys with production keys
- Configure an OIDC provider for keyless signing
- Set up a proper CA issuer instead of the self-signed one
- Enable alerts on policy violations
- Configure backup and recovery for certificates
- Automate certificate rotation
- Set up monitoring dashboards for policy violations