fix: update container base images and Kyverno v3 policy configuration

maryamtahhan · maryamtahhan · commit 438cf00a5e44 · 2026-01-23T13:19:15.000Z
This commit addresses GLIBC compatibility issues and corrects Kyverno Cosign v3 policy configuration for proper image signature verification. Container Updates: - Upgrade gkm-agent and gkm-operator base images from Ubuntu 22.04 to 24.04 to resolve GLIBC 2.38 compatibility issues - Update ROCm repository URL from 'jammy' to 'noble' for Ubuntu 24.04 - Fixes gkm-agent CrashLoopBackOff caused by GLIBC version mismatch Kyverno Policy Updates: - Fix Cosign v3 policy issuer: use GitHub Actions token issuer (https://token.actions.githubusercontent.com) instead of OAuth issuer - Replace specific subject email with regex pattern to match any GitHub workflow (subjectRegExp: "https://github.com/.*") - Aligns with actual signatures generated by GitHub Actions workflows Documentation Updates: - Add new Documentation section to main README with links to config docs - Document gkm.io/signature-format label usage (cosign-v2 and cosign-v3) - Add example showing how to use signature format labels - Update Kyverno v3 policy documentation with correct issuer/subject - Add links to Kyverno and webhook configuration READMEs Example Updates: - Update example files to use correct signature format labels - Ensure consistency across namespace and cluster examples These changes enable successful verification of Cosign v3 bundle format signatures and resolve runtime issues in KIND deployments. Signed-off-by: Maryam Tahhan <mtahhan@redhat.com>
diff --git a/Containerfile.gkm-agent b/Containerfile.gkm-agent
@@ -31,7 +31,7 @@ COPY Makefile Makefile
 RUN make build-gkm-agent
 
 # Use a minimal Ubuntu base image that supports CGO binaries
-FROM public.ecr.aws/docker/library/ubuntu:22.04
+FROM public.ecr.aws/docker/library/ubuntu:24.04
 
 # Copy the binary from the builder
 COPY --from=builder /workspace/bin/gkm-agent /agent
@@ -65,7 +65,7 @@ ARG OPT_ROCM_VERSION=7.0.1
 
 # Conditionally install ROCm packages based on NO_GPU flag
 RUN if [ "$NO_GPU" = "false" ]; then \
-        wget https://repo.radeon.com/amdgpu-install/${ROCM_VERSION}/ubuntu/jammy/amdgpu-install_${AMDGPU_VERSION}-1_all.deb && \
+        wget https://repo.radeon.com/amdgpu-install/${ROCM_VERSION}/ubuntu/noble/amdgpu-install_${AMDGPU_VERSION}-1_all.deb && \
         apt install -y ./*.deb && \
         apt update && DEBIAN_FRONTEND=noninteractive apt install -y amd-smi-lib rocm-smi-lib && \
         apt-get clean && rm -rf /var/lib/apt/lists/* && \
diff --git a/Containerfile.gkm-operator b/Containerfile.gkm-operator
@@ -32,7 +32,7 @@ COPY Makefile Makefile
 RUN make build-gkm-operator
 
 # Use a minimal Ubuntu base image that supports CGO binaries
-FROM public.ecr.aws/docker/library/ubuntu:22.04
+FROM public.ecr.aws/docker/library/ubuntu:24.04
 
 # Copy the binary from the builder
 COPY --from=builder /workspace/bin/gkm-operator /operator
diff --git a/README.md b/README.md
@@ -387,6 +387,40 @@ users.
     <!-- markdownlint-enable  MD013 -->
     <!-- markdownlint-enable  MD033 -->
 
+## Documentation
+
+### Configuration
+
+- [Kyverno Integration](config/kyverno/README.md) - Image signature verification with Kyverno
+- [Webhook Configuration](config/webhook/README.md) - GKM webhook configuration details
+
+### Image Signature Verification
+
+GKM supports image signature verification using Kyverno for namespace-scoped `GKMCache` resources. Use the `gkm.io/signature-format` label to specify the signature format:
+
+- **`gkm.io/signature-format: cosign-v2`** - For images signed with Cosign v2 (legacy `.sig` tag format)
+- **`gkm.io/signature-format: cosign-v3`** - For images signed with Cosign v3 (OCI 1.1 bundle format)
+
+Example:
+
+```yaml
+apiVersion: gkm.io/v1alpha1
+kind: GKMCache
+metadata:
+  name: my-cache
+  namespace: my-namespace
+  labels:
+    gkm.io/signature-format: cosign-v3  # Use cosign-v3 for bundle format
+spec:
+  image: quay.io/example/my-image:tag
+```
+
+For detailed information about image verification, see:
+- [Kyverno Image Verification Guide](docs/examples/kyverno-image-verification.md)
+- [Kyverno Policies Documentation](docs/examples/kyverno-policies.md)
+
+**Note:** `ClusterGKMCache` resources have built-in signature verification and automatically detect both Cosign v2 and v3 formats without requiring labels.
+
 ## Contributing
 
 // TODO(user): Add detailed information on how you would like others to
diff --git a/config/kyverno/policies/gkmcache-policy-v3.yaml b/config/kyverno/policies/gkmcache-policy-v3.yaml
@@ -28,7 +28,7 @@ spec:
             - count: 1
               entries:
                 - keyless:
-                    issuer: https://github.com/login/oauth
-                    subject: mtahhan@redhat.com
+                    issuer: https://token.actions.githubusercontent.com
+                    subjectRegExp: "https://github.com/.*"
                     rekor:
                       url: https://rekor.sigstore.dev
diff --git a/docs/examples/kyverno-image-verification.md b/docs/examples/kyverno-image-verification.md
@@ -219,8 +219,8 @@ spec:
             - count: 1
               entries:
                 - keyless:
-                    issuer: https://github.com/login/oauth
-                    subject: mtahhan@redhat.com
+                    issuer: https://token.actions.githubusercontent.com
+                    subjectRegExp: "https://github.com/.*"
                     rekor:
                       url: https://rekor.sigstore.dev
 ```
@@ -230,8 +230,8 @@ spec:
 - **selector**: Matches resources with label
   `gkm.io/signature-format: cosign-v3`
 - **type**: `SigstoreBundle` for bundle format
-- **issuer**: GitHub OAuth token issuer (different from Actions)
-- **subject**: Specific user email for keyless signing
+- **issuer**: GitHub Actions OIDC token issuer (same as v2)
+- **subjectRegExp**: Matches any GitHub repository workflow
 
 ## How It Works
 
diff --git a/examples/cluster/11-clustergkmcache.yaml b/examples/cluster/11-clustergkmcache.yaml
@@ -2,6 +2,6 @@
 apiVersion: gkm.io/v1alpha1
 kind: ClusterGKMCache
 metadata:
-  name: vector-add-cache-rocm
+  name: vector-add-cache-rocm-v2
 spec:
-  image: quay.io/gkm/cache-examples:vector-add-cache-rocm
+  image: quay.io/gkm/cache-examples:vector-add-cache-rocm-v2
diff --git a/examples/cluster/12-clustergkmcache-cosign-v3.yaml b/examples/cluster/12-clustergkmcache-cosign-v3.yaml
@@ -2,6 +2,6 @@
 apiVersion: gkm.io/v1alpha1
 kind: ClusterGKMCache
 metadata:
-  name: vllm-flash-attention
+  name: vector-add-cache-rocm-v3
 spec:
-  image: quay.io/mtahhan/vllm-flash-attention:rocm
+  image: quay.io/gkm/cache-examples:vector-add-cache-rocm
diff --git a/examples/namespace/11-gkmcache.yaml b/examples/namespace/11-gkmcache.yaml
@@ -2,9 +2,9 @@
 apiVersion: gkm.io/v1alpha1
 kind: GKMCache
 metadata:
-  name: vector-add-cache-rocm-1
+  name: vector-add-cache-rocm-v2
   namespace: gkm-test-ns-scoped-1
   labels:
     gkm.io/signature-format: cosign-v2
 spec:
-  image: quay.io/gkm/cache-examples:vector-add-cache-rocm
+  image: quay.io/gkm/cache-examples:vector-add-cache-rocm-v2
diff --git a/examples/namespace/12-gkmcache-cosign-v3.yaml b/examples/namespace/12-gkmcache-cosign-v3.yaml
@@ -2,9 +2,9 @@
 apiVersion: gkm.io/v1alpha1
 kind: GKMCache
 metadata:
-  name: vllm-flash-attention-1
+  name: vector-add-cache-rocm-v3
   namespace: gkm-test-ns-scoped-1
   labels:
     gkm.io/signature-format: cosign-v3
 spec:
-  image: quay.io/mtahhan/vllm-flash-attention:rocm
+  image: quay.io/gkm/cache-examples:vector-add-cache-rocm
