This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-signed-image-admission.md

1.2 KiB

Pattern: Signed Image Admission

Status: seed Readiness target: RL3 production Primary owners: Railiance platform, artifact-store, product repos Genesis family: Kubernetes and platform

Problem

Clusters cannot trust that an image came from reviewed source or an approved build unless admission verifies signature and provenance.

Context

Use this pattern for Kubernetes admission, container registries, artifact-store, release promotion, and supply-chain evidence.

Forces

  • Developers need fast image builds.
  • Production needs evidence of review and provenance.
  • Not every image source is equally trusted.
  • Emergency rollback must still use trusted artifacts.

Solution

Require production workloads to use signed images from approved registries. Admission verifies signature, digest, provenance, and policy before the workload runs.

Verification

  • Unsigned images are rejected in production namespaces.
  • Admission pins by digest or verifies immutable references.
  • Signatures and provenance link to reviewed source and build identity.
  • Emergency images follow the same trust policy.
  • Supply-Chain Provenance.
  • Signed Container Images.
  • SLSA Build Provenance.
  • Policy-as-Code Admission Control.