1. Home
  2. /
  3. Resources
  4. /
  5. End-to-End Container Image Signing and Policy Enforcement in Kubernetes

End-to-End Container Image Signing and Policy Enforcement in Kubernetes

hero-sub-3
PKI hierarchies - 1, 2, 3 tiers ?

2026-01-15

As containerized applications move faster through CI/CD pipelines and into Kubernetes, ensuring the integrity and trustworthiness of what you deploy becomes critical. Without cryptographic signing and enforcement, there is no strong guarantee that the artifacts running in your cluster are the same ones that were built, reviewed, and approved. Container image signing, attestations, and policy enforcement are foundational controls for securing the software supply chain and meeting modern security and compliance expectations.

This demo shows how these controls can be implemented in practice using familiar, developer-friendly tools, without slowing down delivery.

Watch video on YouTube

Demo overview

In this demo, Ben Dewberry, Product Owner at Keyfactor, walks through an end-to-end example of container image signing and policy verification using a GitHub Actions CI/CD pipeline and Kubernetes-native policy controls.

The demo starts by building a simple “Hello World” Java application and packaging it as a JAR file. That JAR is cryptographically signed using SignServer, with keys securely backed by an HSM. The signed artifact is then verified before being used to build a container image, ensuring that only trusted artifacts progress through the pipeline.

Next, the container image itself is signed using Cosign and Signum, again leveraging centrally managed, HSM-backed keys. During this step, a software bill of materials (SBOM) is generated and packaged as an attestation, which is stored alongside the image in the container registry. The demo also shows how these signatures and attestations can be verified as part of the pipeline.

Finally, the signed image is deployed to a Kubernetes cluster, where Kyverno (Converno) enforces a policy that only allows images signed by a trusted CA to run. A side-by-side comparison highlights how signed images are admitted, while unsigned images are automatically blocked.

Key takeaways

This demo demonstrates how artifact signing, container signing, attestations, and Kubernetes policy enforcement can work together to protect the software supply chain, from build to runtime. It shows a practical, scalable approach to enforcing trust using cryptography, while integrating seamlessly into existing CI/CD workflows and cloud-native platforms.

Related resources

PKI hierarchies - 1, 2, 3 tiers ?
Implementing Cryptography
Post-Quantum Cryptography
Signing
Tech Update
Ejbca
Signserver
25 November, 2025

#KEYMASTER: The Current State of Composites Signatures and Certificates

In this episode, host Sven Rajala, International PKI Man of Mystery, is joine...
Read more
PKI hierarchies - 1, 2, 3 tiers ?
DevOps
Installation & Deployment
Signing
Tech Update
Ejbca
Signserver
26 March, 2025

#KEYMASTER: Bringing Transparency to Software Supply Chains – A Deep Dive into SLSA

In this #KEYMASTER episode, host Sven Rajala is joined by Fredrik Skogman fro...
Read more

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At PrimeKey Solutions AB, corp. ID no. 556628-3064, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Check to consent to the use of Necessary cookies
Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Check to consent to the use of Functional cookies
Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

Check to consent to the use of Cookies for statistics
For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

Check to consent to the use of Cookies for ad-tracking
To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.

Ad measurement user cookies

Check to consent to the use of Ad measurement user cookies
In order to show relevant ads we place cookies to tailor ads for you

Personalized ads cookies

Check to consent to the use of Personalized ads cookies
To show relevant and personal ads we place cookies to provide unique offers that are tailored to your user data
Close