[Bug] verifyImages Policy generates inaccurate report for Pods containing multiple images.
Kyverno Version
1.12
Kubernetes Version
1.29
Kubernetes Platform
EKS
Description
I am encountering an issue with a Pod that has both an init container and an application container. The issue is that the policy report only contains the audit result for one of the images, and it seems somewhat random which one is included. Because of this, it often happens that the report contains a passing state for the rule, even though there is an image present with an incorrect signature.
Here is the dummy policy I used for testing:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-signature
  annotations:
    policies.kyverno.io/title: Check Image Signature
    policies.kyverno.io/severity: medium
    policies.kyverno.io/category: ImageSignature
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.7.0
spec:
  # spec fields are camelCase; "ValidationFailureAction" would be rejected
  validationFailureAction: Audit
  rules:
    - name: verify-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - "monitoring-private"
                - "monitoring-public"
      verifyImages:
        - imageReferences:
            - "*"
          mutateDigest: false
          verifyDigest: false
          attestors:
            - entries:
                - certificates:
                    rekor:
                      ignoreTlog: true
                    ctlog:
                      ignoreSCT: true
                    certChain: |-
                      -----BEGIN CERTIFICATE-----
                      ...
                      -----END CERTIFICATE-----
```
As I understand it, the intention is to create only one result per resource, but I think there is a problem with generating the report based on the overall image verification outcome.
Steps to reproduce
Create a Pod with 2 containers in it, 1 with a valid signature and 1 without.
Expected behavior
The generated policyReport result will alternate between passing and failing state
Screenshots
No response
Kyverno logs
Slack discussion
https://kubernetes.slack.com/archives/CLGR9BJU9/p1739270198581889
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
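The behaviour described in the Description section (one result per Pod, status depending on which image was processed last) is what an order-dependent aggregation produces. The Go program below is an added illustration, not Kyverno's code and not a claim about where the defect actually sits in Kyverno: `aggregateLastWins` models the symptom the reporter observes, and `aggregateAnyFail` is the order-independent form a verifier should use, where any failing image fails the rule and the message names every image. The `ImageResult`/`RuleResult` types, container names and image references are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ImageResult is the verification outcome for one image of a Pod.
// Constructed type for this example; not Kyverno's internal representation.
type ImageResult struct {
	Container string // e.g. "initContainers/setup" or "containers/app"
	Image     string
	Verified  bool
}

// RuleResult is the single per-resource result written to the PolicyReport.
type RuleResult struct {
	Status  string // "pass", "fail" or "skip"
	Message string
}

// aggregateLastWins models the symptom from the issue: each image's outcome
// overwrites the rule status, so the final status is whichever image was
// processed last. If results arrive in unspecified order (a map, say), the
// report flips between pass and fail from one evaluation to the next.
func aggregateLastWins(results []ImageResult) RuleResult {
	rr := RuleResult{Status: "skip", Message: "no images to verify"}
	for _, r := range results {
		if r.Verified {
			rr = RuleResult{Status: "pass", Message: fmt.Sprintf("%s: verified", r.Image)}
		} else {
			rr = RuleResult{Status: "fail", Message: fmt.Sprintf("%s: signature verification failed", r.Image)}
		}
	}
	return rr
}

// aggregateAnyFail is the order-independent form: the rule fails if any image
// fails, and the message reports every image so the failing one is visible.
func aggregateAnyFail(results []ImageResult) RuleResult {
	if len(results) == 0 {
		return RuleResult{Status: "skip", Message: "no images to verify"}
	}
	status := "pass"
	parts := make([]string, 0, len(results))
	for _, r := range results {
		if r.Verified {
			parts = append(parts, fmt.Sprintf("%s (%s): verified", r.Image, r.Container))
		} else {
			status = "fail"
			parts = append(parts, fmt.Sprintf("%s (%s): signature verification failed", r.Image, r.Container))
		}
	}
	sort.Strings(parts) // stable message regardless of input order
	return RuleResult{Status: status, Message: strings.Join(parts, "; ")}
}

func main() {
	// Constructed sample: an init container with a bad signature and an app
	// container with a good one (image names are placeholders).
	byName := map[string]ImageResult{
		"initContainers/setup": {Container: "initContainers/setup", Image: "registry.example/setup:1.0", Verified: false},
		"containers/app":       {Container: "containers/app", Image: "registry.example/app:1.0", Verified: true},
	}
	for run := 1; run <= 5; run++ {
		var ordered []ImageResult
		for _, r := range byName { // Go map iteration order is unspecified
			ordered = append(ordered, r)
		}
		fmt.Printf("run %d: last-wins=%s any-fail=%s\n", run,
			aggregateLastWins(ordered).Status, aggregateAnyFail(ordered).Status)
	}
}
```

Running the program several times shows `last-wins` alternating between `pass` and `fail` while `any-fail` stays `fail`; the same check (does the report's status change across evaluations for an unchanged Pod?) is a quick way to confirm the problem on a live cluster before reading the report message.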