slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0
433 stars 130 forks

[docs] Verifying provenance with OPA #388

Open ianlewis opened 2 years ago

ianlewis commented 2 years ago

Docs on verifying provenance generated by the generic workflow with Open Policy Agent

ianlewis commented 2 years ago

Getting OPA working will likely require a good amount of work. I don't see any SLSA verification tools yet, and we would want one that works with Kubernetes and ideally isn't a lot more maintenance work than the existing Kubernetes admission control integrations like gatekeeper.

Some problems to solve:

  1. implementation approach: add functionality to gatekeeper, or create a separate admission controller to verify SLSA provenance?
  2. policy format: OPA works well for simple verification on JSON data, but we will want to allow verification on other supplementary data like the signing key's subject and other metadata.
  3. policy packages: gatekeeper has several packages for making writing Kubernetes policies easier. Do we need anything like that?
  4. flexibility: we would want to make it flexible enough that it can work with sigstore etc. outside of just this project, i.e. building on something other than GitHub. How would this be different from the existing sigstore policy-controller?

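
An added example, not code from the project or from the issue author, of what a policy for point 2 could look like: a Rego policy (the language OPA evaluates) that checks the decoded provenance JSON together with supplementary signer data passed alongside it. The `input` layout, the pinned builder id in `trusted_builders`, the OIDC issuer URL, and the sample artifact fields are assumptions made for this example, not a format the generic workflow or OPA defines.

```rego
package slsa.generic

import future.keywords

# Assumed input shape, constructed for this example:
#   input.provenance  the decoded in-toto Statement (DSSE payload) produced by the
#                     generic workflow
#   input.artifact    {"name": ..., "sha256": ...} for the artifact being admitted
#   input.signer      supplementary data from the DSSE signing certificate:
#                     {"subject": <SAN URI>, "issuer": <OIDC issuer URL>}

default allow := false

allow if count(deny) == 0

# Assumption: builder id of the generic reusable workflow, pinned to a tag.
trusted_builders := {
	"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0",
}

# Assumption: the OIDC issuer expected for GitHub Actions job identities.
github_actions_issuer := "https://token.actions.githubusercontent.com"

deny contains "unexpected predicateType" if {
	input.provenance.predicateType != "https://slsa.dev/provenance/v0.2"
}

# The provenance must name the exact artifact (name and sha256) being admitted.
deny contains "provenance subject does not match artifact" if {
	not subject_matches_artifact
}

subject_matches_artifact if {
	some s in input.provenance.subject
	s.name == input.artifact.name
	s.digest.sha256 == input.artifact.sha256
}

deny contains msg if {
	not input.provenance.predicate.builder.id in trusted_builders
	msg := sprintf("untrusted builder id %q", [input.provenance.predicate.builder.id])
}

# Supplementary data check: the signing certificate must belong to the same workflow
# the provenance claims as its builder, and must come from the GitHub Actions issuer.
deny contains "signer subject does not match builder id" if {
	input.signer.subject != input.provenance.predicate.builder.id
}

deny contains "signer issuer is not GitHub Actions" if {
	input.signer.issuer != github_actions_issuer
}

# The generic workflow records its trigger in invocation.configSource; require a
# build from a tag rather than an arbitrary branch (assumed organisational rule).
deny contains "build was not triggered from a tag" if {
	not startswith(input.provenance.predicate.invocation.configSource.entryPoint, "")
}

deny contains "build was not triggered from a tag" if {
	ref := input.provenance.predicate.invocation.parameters.event_inputs.ref
	not startswith(ref, "refs/tags/")
}
```

With `policy.rego` and an `input.json` holding the three assumed fields, `opa eval -d policy.rego -i input.json 'data.slsa.generic'` prints `allow` and the set of `deny` reasons, which is the output an admission controller would surface back to the user. Note that this policy only reasons about data already handed to OPA; checking the DSSE signature itself and extracting the certificate subject and issuer has to happen before evaluation, which is the part of point 2 that plain OPA does not cover.
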
ianlewis commented 2 years ago

Probably examples that use sigstore policy-controller with cue are a more practical goal for GA of the generic workflows.

ianlewis commented 2 years ago

Moving off the milestone since OPA doesn't have support for SLSA yet.