What mechanism can I use to block unsigned images from running in my cluster?
A.
Enabling Admission Controllers to validate image signatures.
B.
Using PodSecurityPolicy (PSP) to enforce image signing and validation.
C.
Using Pod Security Standards (PSS) to enforce validation of signatures.
D.
Configuring Container Runtime Interface (CRI) to enforce image signing and validation.
The Answer Is:
A
This question includes an explanation.
Explanation:
Kubernetes Admission Controllers (particularly ValidatingAdmissionWebhooks) can be used to enforce policies that validate image signatures before a Pod is persisted by the API server.
This is commonly implemented with tools such as Sigstore/cosign (via its policy-controller), Kyverno (verifyImages rules), or OPA Gatekeeper, each of which registers a webhook and rejects Pods whose images do not carry a valid signature from a trusted key.
PodSecurityPolicy (PSP): deprecated since v1.21 and removed in v1.25; it never supported image signature validation.
Pod Security Standards (PSS): enforced by Pod Security Admission, which only checks pod security fields (privilege escalation, run-as user, host namespaces, volume types, capabilities), not image signatures.
CRI: while runtimes such as containerd and CRI-O can integrate with signature verification tooling on the node, enforcement in Kubernetes is generally done via Admission Controllers at the API layer, where a rejected Pod never reaches a node at all.
Exact extract (Admission Controllers docs):
“Admission webhooks can be used to enforce custom policies on the objects being admitted.” (e.g., validating signatures).
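The webhook-side check described in the explanation, as an added example (not code from the original page, nor from cosign, Kyverno, or Gatekeeper): a Go decision function that takes an AdmissionReview carrying a Pod and admits it only if every image (init containers included) is digest-pinned and carries a signature that verifies under a trusted ECDSA P-256 key and names exactly that repository and digest. The payload layout follows the Simple Signing format cosign uses; the registry lookup is replaced by an in-memory store, and the signing helper, key, and image names are assumptions made for the demo. Serving it over TLS as a webhook and building the AdmissionReview response object are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Simple Signing payload layout (as used by cosign): the signature covers this JSON, which binds repository and digest, never a tag.
type simpleSigning struct {
	Critical struct {
		Identity struct{ DockerReference string `json:"docker-reference"` } `json:"identity"`
		Image    struct{ DockerManifestDigest string `json:"docker-manifest-digest"` } `json:"image"`
		Type     string `json:"type"`
	} `json:"critical"`
}

// signedAttestation is what a verifier fetches from the registry; here an in-memory lookup replaces the registry client (assumption).
type signedAttestation struct {
	Payload []byte // simpleSigning JSON
	Sig     []byte // ASN.1 DER ECDSA-P256-SHA256 signature over Payload
}

// verifyImage does the two checks a verifier must do: signature valid under the trusted key, and payload names this exact image.
func verifyImage(pub *ecdsa.PublicKey, ref string, att *signedAttestation) error {
	i := strings.Index(ref, "@sha256:")
	if i < 0 { // a tag can be re-pointed after signing, so only digest-pinned refs are verifiable
		return fmt.Errorf("image %q is not pinned by digest", ref)
	}
	name, digest := ref[:i], ref[i+1:]
	if att == nil {
		return fmt.Errorf("image %q has no signature", ref)
	}
	h := sha256.Sum256(att.Payload)
	if !ecdsa.VerifyASN1(pub, h[:], att.Sig) {
		return fmt.Errorf("image %q: signature does not verify against the trusted key", ref)
	}
	var p simpleSigning
	if err := json.Unmarshal(att.Payload, &p); err != nil {
		return fmt.Errorf("image %q: malformed payload: %v", ref, err)
	}
	if p.Critical.Image.DockerManifestDigest != digest || p.Critical.Identity.DockerReference != name {
		return fmt.Errorf("image %q: signature was issued for a different image", ref)
	}
	return nil
}

// admit is the webhook decision for one AdmissionReview (v1) carrying a Pod: allowed only if every container image verifies.
func admit(pub *ecdsa.PublicKey, review []byte, lookup func(string) *signedAttestation) (bool, string) {
	var ar struct {
		Request struct{ Object json.RawMessage `json:"object"` } `json:"request"`
	}
	if err := json.Unmarshal(review, &ar); err != nil {
		return false, "malformed AdmissionReview: " + err.Error()
	}
	var pod struct { // encoding/json matches the initContainers/containers keys case-insensitively
		Spec struct{ InitContainers, Containers []struct{ Image string `json:"image"` } } `json:"spec"`
	}
	if err := json.Unmarshal(ar.Request.Object, &pod); err != nil {
		return false, "object is not a Pod: " + err.Error()
	}
	for _, c := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
		if err := verifyImage(pub, c.Image, lookup(c.Image)); err != nil {
			return false, err.Error()
		}
	}
	return true, ""
}

// signPayload models the signer side (what "cosign sign" publishes); hypothetical helper for the demo.
func signPayload(priv *ecdsa.PrivateKey, name, digest string) *signedAttestation {
	var p simpleSigning
	p.Critical.Identity.DockerReference, p.Critical.Image.DockerManifestDigest = name, digest
	p.Critical.Type = "cosign container image signature"
	payload, _ := json.Marshal(&p)
	h := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return &signedAttestation{Payload: payload, Sig: sig}
}

// podReview builds a constructed AdmissionReview for a Pod with one container image.
func podReview(image string) []byte {
	return []byte(fmt.Sprintf(`{"request":{"uid":"c0ffee","object":{"spec":{"containers":[{"image":%q}]}}}}`, image))
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	name, digest := "registry.example.com/app", "sha256:"+strings.Repeat("ab", 32)
	store := map[string]*signedAttestation{name + "@" + digest: signPayload(priv, name, digest)}
	lookup := func(ref string) *signedAttestation { return store[ref] }
	for _, ref := range []string{name + "@" + digest, name + ":latest", "registry.example.com/other@" + digest} {
		ok, msg := admit(&priv.PublicKey, podReview(ref), lookup)
		fmt.Printf("%-60s allowed=%v %s\n", ref, ok, msg)
	}
}
```

Both checks in verifyImage matter: the ECDSA check alone would accept any signature the trusted key ever produced, so the payload's docker-reference and digest are compared against the image actually being admitted; and admitting tag references would let the tag move to an unsigned image after the webhook has said yes. Init containers are walked too, since a webhook that only inspects spec.containers leaves an unsigned code path open.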