Closed amdawson closed 1 year ago
The policy enforcing signed containers from Chainguard Images looks right to me. It governs images from cgr.dev, docker.io, and ghcr.io/chainguard-dev (not -images) -- I believe the last one is because it's used in demos, e.g., ghcr.io/chainguard-dev/chainguard-nginx-demo.
The policy allowing keyless signed distroless images at the bottom may just be there for folks that happened to use the images while they were at distroless.dev.
The sample policies on this page are great. I believe we've updated the URL where Chainguard images are stored from ghcr.io and distroless.dev to cgr.dev, so we should update the policies accordingly.
https://edu.chainguard.dev/chainguard/chainguard-enforce/chainguard-enforce-kubernetes/chainguard-enforce-policy-examples/
@imjasonh to confirm if I'm right.