Chapter 4. Golden Container Images

Pre-reqs

  • app/Dockerfile.base with placeholder digests
  • Cosign keypair (cosign generate-key-pair)
  • Kyverno installed (optional enforcement)

Steps

  1. Pin base image digests (once, and again whenever you intentionally bump a base)

    make pin-digests
    # paste the printed digests into app/Dockerfile.base ARGs
    # (a floating tag left in a FROM line means the "golden" base can change under you)
    
  2. Build + secure the golden base

    make golden-image
    

    This runs:

    • base-build → builds $(IMAGE_REPO):base-$(TAG) and :base-latest
    • base-scan → Trivy → artifacts/trivy-image-base.json
    • base-sbom → Syft → artifacts/sbom-base.json
    • base-sign / base-verify → Cosign signs the SBOM file and verifies it against the bundle → artifacts/sbom-base.bundle, artifacts/cosign-verify-base.txt (this attests the SBOM blob, not the image itself; the admission policy in step 3 checks only the registry prefix, not a signature)
  3. (Optional) Enforce org-only images at admission

    make kyverno-apply-allow-org
    make kyverno-test-allow-org
    

    Evidence: artifacts/policy-allow-org-test.txt
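The same pipeline as a plain shell script, added here as an example (it is not the course's Makefile, whose targets are listed above). It assumes app/Dockerfile.base keeps its digests in `ARG NAME=value` lines referenced as `${NAME}` in FROM, cosign.key/cosign.pub from the pre-reqs, and docker, trivy, syft and cosign on PATH; IMAGE_REPO defaults to the hypothetical ghcr.io/example-org/app, and the function names, the artifact directory and the Trivy severity gate are choices made for this example, not the repo's. The check_pinned gate is the part worth keeping: it refuses to build a golden base from a floating tag or an unset ARG.

```shell
#!/usr/bin/env bash
# Added example, not the course's Makefile: a script-form equivalent of
# `make pin-digests` (as a gate) and `make golden-image`.
# Assumed: app/Dockerfile.base, cosign.key/cosign.pub from `cosign generate-key-pair`,
# docker/trivy/syft/cosign on PATH. IMAGE_REPO/TAG/ARTIFACTS below are hypothetical.
set -eu

IMAGE_REPO="${IMAGE_REPO:-ghcr.io/example-org/app}"
TAG="${TAG:-$(date +%Y%m%d)}"
ARTIFACTS="${ARTIFACTS:-artifacts}"

# check_pinned DOCKERFILE: exit 0 iff every FROM resolves to <image>@sha256:<64 hex>.
# ${NAME} in a FROM line is expanded from an earlier `ARG NAME=value` line (the
# placeholder-digest layout of app/Dockerfile.base); `FROM <stage>` references to a
# previous `AS <stage>` are allowed. Offending references are printed to stderr.
check_pinned() {
  awk '
    BEGIN { bad = 0 }
    toupper($1) == "ARG" && index($2, "=") {
      eq = index($2, "="); args[substr($2, 1, eq - 1)] = substr($2, eq + 1); next
    }
    toupper($1) != "FROM" { next }
    {
      i = 2
      while ($i ~ /^--/) i++                       # skip --platform=... flags
      ref = $i
      for (n in args) gsub("\\$\\{" n "\\}", args[n], ref)
      if (toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
      if (ref in stages) next                      # FROM <earlier build stage>
      if (!match(ref, /@sha256:[0-9a-f]*$/) || RLENGTH != 72) {
        print "unpinned base image: " ref > "/dev/stderr"; bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# golden_image: build, scan, SBOM, sign, verify, writing the same artifact names
# the Makefile targets produce. Refuses to build from an unpinned base.
golden_image() {
  local image="$IMAGE_REPO:base-$TAG"
  check_pinned app/Dockerfile.base
  mkdir -p "$ARTIFACTS"
  docker build -f app/Dockerfile.base -t "$image" -t "$IMAGE_REPO:base-latest" app
  # Fail on fixable HIGH/CRITICAL findings; the full JSON report is kept as evidence.
  trivy image --format json --output "$ARTIFACTS/trivy-image-base.json" \
    --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 "$image"
  syft "$image" -o cyclonedx-json="$ARTIFACTS/sbom-base.json"
  # Sign the SBOM *file* and keep the bundle. This attests the SBOM blob, not the
  # image; set COSIGN_PASSWORD in CI so the key prompt does not block.
  cosign sign-blob --yes --key cosign.key \
    --bundle "$ARTIFACTS/sbom-base.bundle" "$ARTIFACTS/sbom-base.json"
  cosign verify-blob --key cosign.pub --bundle "$ARTIFACTS/sbom-base.bundle" \
    "$ARTIFACTS/sbom-base.json" > "$ARTIFACTS/cosign-verify-base.txt" 2>&1
  echo "golden base $image built; evidence in $ARTIFACTS/"
}

# `./golden.sh run` executes the pipeline; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then golden_image; fi
```

Because sign-blob signs the SBOM file, an admission rule that requires a signed image (Kyverno's verifyImages) would not be satisfied by this bundle; that needs `cosign sign` on the image reference as a separate step.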
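For step 3, an added example (not the repo's Kyverno manifest or its kyverno-* Makefile targets) that renders, applies and tests an org-registry-only ClusterPolicy. ORG_REGISTRY (defaulting to the hypothetical ghcr.io/example-org), the policy name, the policy-test namespace, the pod names and the evidence path are assumptions; apply_org_policy and test_org_policy need kubectl access to a cluster with Kyverno installed, while render_org_policy runs anywhere.

```shell
#!/usr/bin/env bash
# Added example, not the course's Kyverno policy: render, apply and test a
# ClusterPolicy that admits only images under the org registry prefix.
# ORG_REGISTRY, the policy name, the test namespace and pod names are hypothetical.
set -eu

ORG_REGISTRY="${ORG_REGISTRY:-ghcr.io/example-org}"
ARTIFACTS="${ARTIFACTS:-artifacts}"

# render_org_policy PREFIX: print a Kyverno ClusterPolicy allowing only PREFIX/* in
# containers, initContainers and ephemeralContainers. Enforce blocks admission;
# background: true additionally reports pre-existing violations in PolicyReports.
# kube-system and kyverno are excluded so cluster components keep their own images.
render_org_policy() {
  cat <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allow-org-images-only
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: org-registry-only
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
      validate:
        message: "Images must come from $1/."
        pattern:
          spec:
            =(ephemeralContainers):
              - image: "$1/*"
            =(initContainers):
              - image: "$1/*"
            containers:
              - image: "$1/*"
EOF
}

apply_org_policy() {
  render_org_policy "$ORG_REGISTRY" | kubectl apply -f -
}

# test_org_policy: a pod from outside the org registry must be denied, one from
# inside must be admitted (it may sit in ImagePullBackOff; admission is what is
# tested). Evidence is written to $ARTIFACTS/policy-allow-org-test.txt.
test_org_policy() {
  local ns="policy-test" log="$ARTIFACTS/policy-allow-org-test.txt" rc=0
  mkdir -p "$ARTIFACTS"
  kubectl get namespace "$ns" >/dev/null 2>&1 || kubectl create namespace "$ns"
  : > "$log"
  echo "== expect DENY: docker.io/library/nginx:latest" >> "$log"
  if kubectl -n "$ns" run outside --image=docker.io/library/nginx:latest \
       --restart=Never >> "$log" 2>&1; then
    echo "FAIL: pod from outside the org registry was admitted" >> "$log"; rc=1
  else
    echo "denied as expected" >> "$log"
  fi
  echo "== expect ALLOW: $ORG_REGISTRY/app:base-latest" >> "$log"
  kubectl -n "$ns" run inside --image="$ORG_REGISTRY/app:base-latest" \
    --restart=Never >> "$log" 2>&1 || rc=1
  kubectl -n "$ns" delete pod outside inside --ignore-not-found >/dev/null 2>&1 || true
  [ "$rc" -eq 0 ] && echo "PASS" >> "$log" || echo "FAIL" >> "$log"
  cat "$log"
  return "$rc"
}

case "${1:-}" in
  render) render_org_policy "$ORG_REGISTRY" ;;
  apply)  apply_org_policy ;;
  test)   test_org_policy ;;
esac
```

A registry-prefix pattern is a coarse gate: it stops images from outside the org, but anything pushed under the prefix passes, so pair it with the digest pinning and SBOM signing from step 2 rather than treating it as provenance on its own.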

Verify

  • Check artifacts exist:

    artifacts/trivy-image-base.json
    artifacts/sbom-base.json
    artifacts/sbom-base.bundle
    artifacts/cosign-verify-base.txt
  • Run make evidence (your ZIP now includes the golden artifacts).

Makefile commands

  • One-shot: make golden-image
  • Policy apply/test: make kyverno-apply-allow-org / make kyverno-test-allow-org
  • Optional CI: make ci INCLUDE_GOLDEN=1 KYVERNO_ENFORCE_ORG=1

Checklist

  • Base Dockerfile pinned by digest
  • Golden image built and scanned
  • SBOM generated and signed
  • (Optional) Kyverno org-allow policy applied & tested
  • Evidence ZIP contains base scan/SBOM/signature + policy test