From b078ba8c975ddaff6ba7d294ea2215a6a09b3743 Mon Sep 17 00:00:00 2001
From: chgl <chgl@users.noreply.github.com>
Date: Tue, 18 Apr 2023 22:55:14 +0200
Subject: [PATCH] docs: updated kyverno sample policy

[skip ci]
---
 policy/check-images-kyverno-policy.yaml | 65 +++++++++++++++++++++++++
 policy/kyverno-image-signing.yaml       | 47 ------------------
 2 files changed, 65 insertions(+), 47 deletions(-)
 create mode 100644 policy/check-images-kyverno-policy.yaml
 delete mode 100644 policy/kyverno-image-signing.yaml

diff --git a/policy/check-images-kyverno-policy.yaml b/policy/check-images-kyverno-policy.yaml
new file mode 100644
index 00000000..53ea8c3d
--- /dev/null
+++ b/policy/check-images-kyverno-policy.yaml
@@ -0,0 +1,65 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-recruit-images
+  annotations:
+    policies.kyverno.io/title: >-
+      Verify signatures and SLSA Provenance for recruIT container images
+    policies.kyverno.io/category: Software Supply Chain Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/minversion: 1.9.2
+    kyverno.io/kyverno-version: 1.9.2
+    kyverno.io/kubernetes-version: "1.26"
+    policies.kyverno.io/description: >-
+      Provenance is used to identify how an artifact was produced
+      and from where it originated. SLSA provenance is an industry-standard
+      method of representing that provenance. This policy verifies that an
+      image has SLSA provenance and was signed by the expected subject and issuer
+      when produced through GitHub Actions. It requires configuration based upon
+      your own values.
+spec:
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+  rules:
+    - name: check-recruit-images
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      verifyImages:
+        - imageReferences:
+            - "ghcr.io/miracum/recruit/list:*"
+            - "ghcr.io/miracum/recruit/notify:*"
+            - "ghcr.io/miracum/recruit/query:*"
+          attestors:
+            - entries:
+                - keyless:
+                    subject: "https://github.com/miracum/recruit/.github/workflows/build.yaml@refs/tags/v*"
+                    issuer: "https://token.actions.githubusercontent.com"
+                    rekor:
+                      url: https://rekor.sigstore.dev
+                    additionalExtensions:
+                      githubWorkflowTrigger: release
+                      githubWorkflowName: ci
+                      githubWorkflowRepository: miracum/recruit
+          attestations:
+            - predicateType: https://slsa.dev/provenance/v0.2
+              attestors:
+                - count: 1
+                  entries:
+                    - keyless:
+                        subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v*"
+                        issuer: "https://token.actions.githubusercontent.com"
+                        rekor:
+                          url: https://rekor.sigstore.dev
+              conditions:
+                - all:
+                    # This expression uses a regex pattern to ensure the builder.id in the attestation is equal to the official
+                    # SLSA provenance generator workflow and uses a tagged release in semver format. If using a specific SLSA
+                    # provenance generation workflow, you may need to adjust the first input as necessary.
+                    - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$','{{ builder.id}}') }}"
+                      operator: Equals
+                      value: true
diff --git a/policy/kyverno-image-signing.yaml b/policy/kyverno-image-signing.yaml
deleted file mode 100644
index 93ddcd68..00000000
--- a/policy/kyverno-image-signing.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: check-recruit-images
-spec:
-  validationFailureAction: enforce
-  webhookTimeoutSeconds: 30
-  rules:
-    - name: check-recruit-images
-      match:
-        any:
-          - resources:
-              kinds:
-                - Pod
-      verifyImages:
-        - imageReferences:
-            - "ghcr.io/miracum/recruit/list:*"
-            - "ghcr.io/miracum/recruit/notify:*"
-            - "ghcr.io/miracum/recruit/query:*"
-            - "ghcr.io/chgl/recruit-release-test/list:*"
-            - "ghcr.io/chgl/recruit-release-test/notify:*"
-            - "ghcr.io/chgl/recruit-release-test/query:*"
-          attestors:
-            - entries:
-                - keyless:
-                    subject: "https://github.com/chgl/recruit-release-test/.github/workflows/build.yaml@refs/tags/*"
-                    issuer: "https://token.actions.githubusercontent.com"
-                    rekor:
-                      url: https://rekor.sigstore.dev
-                    additionalExtensions:
-                      githubWorkflowTrigger: release
-                      githubWorkflowName: ci
-                      githubWorkflowRepository: chgl/recruit-release-test
-          # attestations:
-          #   - predicateType: https://slsa.dev/provenance/v0.2
-          #     conditions:
-          #       - all:
-          #           - key: "{{ repo.uri }}"
-          #             operator: Equals
-          #             value: "https://git-repo.com/org/app"
-          #           - key: "{{ repo.branch }}"
-          #             operator: Equals
-          #             value: "main"
-          #           - key: "{{ reviewers }}"
-          #             operator: In
-          #             value: ["ana@example.com", "bob@example.com"]