chainguard-dev / edu

Educational Resources for Software Supply Chain Security
https://edu.chainguard.dev

Update source for chainguard images to cgr.dev in example enforce policies #168

Closed amdawson closed 1 year ago

amdawson commented 1 year ago

The sample policies on this page are great. I believe we've updated the URL where Chainguard images are stored from ghcr.io and distroless.dev to cgr.dev, so we should update the policies accordingly.

https://edu.chainguard.dev/chainguard/chainguard-enforce/chainguard-enforce-kubernetes/chainguard-enforce-policy-examples/

@imjasonh to confirm if I'm right.

imjasonh commented 1 year ago

The policy enforcing signed containers from Chainguard Images looks right to me. It governs images from cgr.dev, docker.io, and ghcr.io/chainguard-dev (not -images) -- I believe the last one is because it's used in demos, e.g., ghcr.io/chainguard-dev/chainguard-nginx-demo.

The policy allowing keyless signed distroless images at the bottom may just be there for folks that happened to use the images while they were at distroless.dev.