From 46dfc749a4b371ecb1ca756e746c6c8780ef4ab1 Mon Sep 17 00:00:00 2001
From: hackeramitkumar
Date: Sun, 25 Jun 2023 23:23:34 +0530
Subject: [PATCH] added pod and policy.yml
---
 clusterPolicy.yml | 54 +++++++++++++++++++++++++++++++++++++++++++++++
 pod.yml | 23 ++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 clusterPolicy.yml
 create mode 100644 pod.yml
diff --git a/clusterPolicy.yml b/clusterPolicy.yml
new file mode 100644
index 0000000..983a10a
--- /dev/null
+++ b/clusterPolicy.yml
@@ -0,0 +1,54 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ meta.helm.sh/release-name: kyverno-rules
+ meta.helm.sh/release-namespace: kyverno
+ pod-policies.kyverno.io/autogen-controllers: Deployment,StatefulSet
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/description: Using the Cosign project, OCI images may be signed
+ to ensure supply chain security is maintained. Those signatures can be verified
+ before pulling into a cluster. This policy checks the signature of an image
+ repo called ghcr.io/kyverno/test-verify-image to ensure it has been signed by
+ verifying its signature against the provided public key. This policy serves
+ as an illustration for how to configure a similar rule and will require replacing
+ with your image(s) and keys.
+ policies.kyverno.io/minversion: 1.4.2
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Deployment, StatfulSet
+ policies.kyverno.io/title: Verify Image
+ name: verify-image
+spec:
+ background: false
+ failurePolicy: Fail
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kube-node-lease
+ - kube-public
+ resources: {}
+ generate:
+ clone: {}
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - StatefulSet
+ resources: {}
+ mutate: {}
+ name: verify-image
+ validate: {}
+ verifyImages:
+ - image: registry.domain.com*
+ key: |-
+ -----BEGIN PUBLIC KEY-----MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0+VemMIOj5qCy9QeN9sry+a8lObl
+ FPi9x3e5bZHSRoqCRw2wVqNfNSzJUqkgRe+6XB21N1LyvXkWcarEjppvvA==
+ -----END PUBLIC KEY-----
+ mutateDigest: false
+ required: true
+ verifyDigest: false
+ validationFailureAction: enforce
diff --git a/pod.yml b/pod.yml
new file mode 100644
index 0000000..fa7fab7
--- /dev/null
+++ b/pod.yml
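Review bot: `mutateDigest: false` and `verifyDigest: false` under `verifyImages` mean an image that passes signature verification is neither rewritten to nor rechecked against the digest that was actually verified, so a mutable tag like the `1.21.4-alpine` reference in pod.yml can resolve to different content after admission; unless there is a documented reason to disable them, set `mutateDigest: true` and `verifyDigest: true` (Kyverno's defaults). As rendered here the `key` block scalar has `-----BEGIN PUBLIC KEY-----` fused onto the first base64 line, which will not parse as PEM, so the rule should be exercised against a known signed image before it is relied on. The image pattern `registry.domain.com*` carries no path separator, so it also matches any reference whose text merely begins with that string, including other hostnames sharing the prefix; `registry.domain.com/*` is the usual form. The `policies.kyverno.io/description` still describes `ghcr.io/kyverno/test-verify-image` and the subject annotation reads `StatfulSet`, so the annotations no longer match the rule they decorate. The empty `generate`, `mutate`, `validate` and `resources: {}` stanzas together with the `meta.helm.sh` annotations look like an exported live object and can be dropped from a source manifest.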
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ imagePullSecrets:
+ - name: regcred
+ containers:
+ - name: nginx
+ image: registry.domain.com/images/nginx:1.21.4-alpine
+ ports:
+ - containerPort: 80
\ No newline at end of file
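Review bot: The container image `registry.domain.com/images/nginx:1.21.4-alpine` is referenced by a mutable tag, and because the accompanying ClusterPolicy sets `mutateDigest: false` admission will not rewrite it to the verified digest, so what runs can drift from what was signed; pin it as `image: registry.domain.com/images/nginx@sha256:<DIGEST_PLACEHOLDER>` or enable digest mutation in the policy. The file is named pod.yml and the commit title says "pod", but the manifest is a Deployment; aligning the name with the kind avoids confusion. No `namespace` is set, so the object lands in the current context's namespace, where the `regcred` pull secret is assumed to already exist. The template has no `securityContext` or `resources` settings, which is worth adding if this is meant to run beyond a policy smoke test, and the file lacks a trailing newline.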