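---
# Kyverno ClusterPolicy: Pods created in the cosign-test namespace must carry a
# verifiable cosign signature on images matching the docker-trust pattern below.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-signature
spec:
  # Enforce rejects the admission request when verification fails, rather than
  # only recording a policy report entry.
  validationFailureAction: Enforce
  rules:
    - name: verify-image-signature
      match:
        resources:
          kinds:
            - Pod
          # Namespace scoping lives inside match. The original put it under a
          # separate `include` block, which is not a field of a Kyverno rule;
          # depending on API-server validation it is rejected or pruned, and a
          # pruned selector leaves the rule matching Pods in every namespace.
          namespaces:
            - cosign-test
      verifyImages:
        # Only image references matching this glob are verified. Anything else
        # (other registries, other repositories) is admitted unchecked by this
        # rule, so pair it with a registry allow-list if every image in the
        # namespace has to be signed. The trailing `*` also matches sibling
        # repositories whose name merely starts with `docker-trust`.
        # `image` and `key` are legacy fields; newer Kyverno releases express
        # the same thing with `imageReferences` and
        # `attestors[].entries[].keys.publicKeys`.
        - image: "git.ntk.novotelecom.ru/adm/docker-trust*"
          # The PEM armor lines must sit on their own lines for the key to be
          # parsed; the original ran header, body and footer together in one
          # quoted string. The key material itself is unchanged.
          key: |-
            -----BEGIN PUBLIC KEY-----
            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1kmEd1dzkY0MLMhNlkPz8LbX70tdw5acXoKYvOGzcTUK4jppKBCLst121UMC0L5DcgqNE9uly0S78aE8pbIxpBSgVdM8NPRa90vGTi50rauzOGiVRSxOzmkh3BVErqga84U9xb8QmS28rwjdSCbZSx27quzkDrvHwrfid5DroCSkNFQo7Bb84jlgTbrV5KwXkd7G5bMB3qaAzIpBQH+LbKn8/76rlU9/NfUpzftFdOwVVOWQIC7PYU8z2cKI9C+Su+MkrozuGSLrR/Z/urCK9xibrUzRMX7N2v5ORXGhili4pFJG7asxQjPzl2a23iYGkt8c5egxlXWFk4zrVnmawIDAQAB
            -----END PUBLIC KEY-----
          attestors:
            - entries:
                # NOTE(review): subject "*" with issuer "*" accepts a keyless
                # signature from any identity at any OIDC issuer, so this entry
                # does not pin who signed the image. Set both to the exact
                # issuer URL and signer identity that are trusted, or drop the
                # entry if only the static key above is meant to be trusted.
                # How this attestor combines with the legacy `key` field should
                # be confirmed against the Kyverno version in use.
                - keyless:
                    subject: "*"
                    issuer: "*"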