For images you build yourself, a practical supply-chain loop is: build in CI, sign the digest, verify at admission. The lab uses Cosign (Sigstore), a private Zot registry at oci.this-is-fine.io, and Kyverno verifyImages so that unsigned ZeroClaw pods do not start.
CI holds the private signing key; the cluster policy carries the matching public key.
Signing answers one narrow question: did this image come out of your build pipeline? It says nothing about what is inside the image, so scanning for CVEs is still worth doing. What signature verification buys you is that an image cannot be swapped for another one just because the tag name looks familiar.
Concepts
| Tool | What you learn |
|---|---|
| Cosign | Sign OCI digests; signatures stay with the image |
| Zot | OCI registry that stores signature artifacts |
| Kyverno | Admission policy; verifyImages runs Cosign verify |
| Keyless (Flux) | Sigstore OIDC — separate rule for Flux controller images |
CI pipeline
git push
-> build image
-> push to oci.this-is-fine.io/zeroclaw/...
-> cosign sign digest (sha256:...)
Sign by digest, not by tag. A tag like :latest can be repointed after CI has run; a signature on sha256:… stays tied to the exact bits you tested in CI, and a deploy manifest that pins the same digest gets exactly those bits.
Forge CI builds multi-arch images when needed, pushes with skopeo, then signs. Zot stores the signature artifact next to the image, so cosign verify works the same way from a laptop and from Kyverno inside the cluster.
Admission
Pod CREATE
-> Kyverno checks oci.this-is-fine.io/*
-> cosign verify (public key in ClusterPolicy)
-> reject OR pull and start
Two rules in practice: a static-key rule for images you build (ZeroClaw, workspace, and anything else on Zot) and a keyless rule for the upstream Flux controllers. Keep the two rules' image patterns disjoint. A Flux image evaluated under the static-key rule is rejected because it is not signed with your key, and a Zot image evaluated under the keyless rule is rejected because it carries no Sigstore certificate, so a rule that covers both kinds of image blocks both.
When verification fails, the Pod never starts. Because the request was denied at admission there is no Pod object to inspect; kubectl describe on the owning ReplicaSet usually shows the admission-webhook denial from Kyverno, and PolicyReport resources summarize which rule blocked the image. Fix it by signing the image you meant to run or by changing the policy deliberately, not by quietly disabling admission.
Rotation means a new key pair, an updated CI secret, an updated public-key PEM in the policy, and re-signed digests for everything you still deploy. Order matters: add the new public key to the policy before CI starts signing with the new private key, otherwise the first rotated build is rejected at admission. References: Cosign keys, Kyverno verifyImages.
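The two-rule ClusterPolicy from the Admission section and the policy-PEM step of rotation, as an added example rather than the lab's own manifest: a script that renders the Kyverno policy from one or more Cosign public-key files, so that during a rotation the old and the new key can sit side by side until every deployed digest is re-signed, plus a helper that reports which rule a given image reference falls under (the check behind "keep the rules disjoint"). The Flux image path ghcr.io/fluxcd/*, its keyless subject and issuer, and the policy name are assumptions not taken from the page.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own policy. Renders the two-rule Kyverno ClusterPolicy:
# a static-key rule for everything on the private Zot registry and a Sigstore keyless
# rule for upstream Flux controller images. Assumptions not from the page: Flux images
# live under ghcr.io/fluxcd/* and are signed by the fluxcd GitHub Actions identity
# (subject/issuer below). Pass one PEM file normally; pass the old and the new public
# key during a rotation window so signatures from either key are accepted.
set -eu

FLUX_IMAGES="${FLUX_IMAGES:-ghcr.io/fluxcd/*}"
FLUX_SUBJECT="${FLUX_SUBJECT:-https://github.com/fluxcd/*}"
FLUX_ISSUER="${FLUX_ISSUER:-https://token.actions.githubusercontent.com}"

# One `keys` attestor entry per PEM file, pre-indented for the attestors list below.
key_entries() {
  for pem in "$@"; do
    printf '%s\n' '                - keys:'
    printf '%s\n' '                    publicKeys: |-'
    sed 's/^/                      /' "$pem"
  done
}

# Which rule evaluates a given image reference? Every reference must hit exactly one:
# a Flux image under the static-key rule is rejected (not signed with our key), a Zot
# image under the keyless rule is rejected (no Sigstore certificate), and an image
# matching neither rule is admitted unverified, which is usually a policy gap.
rule_for_image() {
  case "$1" in
    oci.this-is-fine.io/*) echo zot-static-key ;;
    ghcr.io/fluxcd/*)      echo flux-keyless ;;
    *)                     echo none ;;
  esac
}

render_policy() {
  if [ "$#" -lt 1 ]; then
    echo "usage: render_policy cosign.pub [cosign-next.pub]" >&2
    return 2
  fi
  cat <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce   # reject, do not merely report
  background: false                  # image verification only makes sense at admission
  failurePolicy: Fail                # if Kyverno is down, Pods wait rather than bypass the check
  webhookTimeoutSeconds: 30
  rules:
    - name: zot-static-key
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "oci.this-is-fine.io/*"
          required: true
          mutateDigest: true         # rewrite the tag in the Pod spec to the verified digest
          attestors:
            - count: 1               # any one listed key suffices (old or new during rotation)
              entries:
$(key_entries "$@")
    - name: flux-keyless
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "$FLUX_IMAGES"
          required: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    subject: "$FLUX_SUBJECT"
                    issuer: "$FLUX_ISSUER"
                    rekor:
                      url: https://rekor.sigstore.dev
EOF
}

# usage: ./render-policy.sh cosign.pub | kubectl apply -f -
if [ "$#" -ge 1 ]; then
  render_policy "$@"
fi
```

For a rotation, render with both `cosign.pub` and the new key, apply, switch the CI secret, re-sign the digests you still deploy, then render again with only the new key. Running rule_for_image over the image list of a Kustomization before applying a policy change is a cheap way to catch a reference that would land under the wrong rule, or under none.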