---
# Kyverno ClusterPolicy: pods created in the cosign-test namespace are admitted
# only if their images carry a signature that verifies against the public key
# listed under attestors.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-signature
spec:
  # Enforce rejects the request on verification failure instead of only
  # reporting it.
  validationFailureAction: Enforce
  # With background scans off, the rule acts on admission requests only.
  # NOTE(review): pods already running in the namespace are presumably not
  # re-evaluated - confirm against the deployed Kyverno version.
  background: false
  rules:
    - name: check-image-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
              # The scope is a single namespace; workloads in any other
              # namespace are not covered by this policy.
              namespaces:
                - cosign-test
      verifyImages:
        # '*' matches every image reference in a matched pod, so images that
        # are not signed with the key below (third-party bases, injected
        # sidecars) will be rejected. The commented-out pattern is the narrower
        # alternative: it would check only that registry path and leave all
        # other images unverified.
        - imageReferences:
            # - "git.realmanual.ru/pub/*"
            - '*'
          attestors:
            - entries:
                - keys:
                    # One static key is the whole trust root here: rotating it
                    # means editing this policy, and anything signed with the
                    # old key stops being admitted once it is replaced.
                    # NOTE(review): digest handling and transparency-log
                    # checks are left at Kyverno defaults - confirm they match
                    # how the images are signed.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZZ/9MbR3WZg9K/pk936vukFjeWVt
                      2oMpW4OmElpIq1aH3jZIA03Hwm7FVdhyumb1vPu5k0DOV8RX4UIs6rkhzA==
                      -----END PUBLIC KEY-----