no bundle found in referrers #179

julien-michaud · 2024-09-30T13:17:41Z

Hello 👋

We are signing our docker images with the actions/attest-build-provenance@v1 Action.

We are trying to use the controller from this repository to verify images in our k8s clusters but we are having this issue when submitting new pods:

Error from server (BadRequest): error when creating "pod.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: github-policy: spec.template.spec.containers[0].image europe-docker.pkg.dev/project/company-prod/kube/mp/tiny-developer-tools@sha256:abd5c78061356d3f9b14475a1afd11c68baf6c89c03a036b442ef7d520556fcd no bundle found in referrers

Is the problem on my end ?

snippet of the workflow creating, pushing and signing the image

      - name: Build Docker image
        id: image-results
        if: ${{ !inputs.dry-run }}
        uses: docker/build-push-action@v6
        with:
          context: .
          file: production/kubernetes/marketplace/containers/jre/Dockerfile
          pull: true
          push: true
          platforms: linux/amd64
          tags: ${{ env.REGISTRY }}/${{ steps.cleaned-artifact-name.outputs.ARTIFACT_CLEANED }}:${{ inputs.version }}
          build-args: |
            MIRAKL_VERSION=${{ inputs.version }}
            EXTRA_PACKAGES=${{ inputs.kubernetes-build-extra-packages }}
            BASE_IMAGE=jre${{ steps.java-major.outputs.JAVA_MAJOR_VERSION }}
            BASE_IMAGE_VERSION=stable

      # attest image
      - uses: actions/attest-build-provenance@v1
        if: ${{ !inputs.dry-run }}
        with:
          subject-digest: ${{steps.image-results.outputs.digest}}
          subject-name: '${{ env.REGISTRY }}/${{ steps.cleaned-artifact-name.outputs.ARTIFACT_CLEANED }}'
          push-to-registry: true

Thanks

probably related to this issue sigstore/policy-controller#1406

The text was updated successfully, but these errors were encountered:

codysoyland · 2024-11-15T19:05:29Z

Hi @julien-michaud! Thank you for the report. I'm sorry for the delayed response. I don't see anything obviously wrong with your configuration, so I'd like to gather a bit more information to assess the problem.

Could you please confirm that you've followed the instructions here to install the latest version of the two helm charts (policy-controller and trust-policies)?

Do you have logs from your GitHub Actions workflow run that indicate that the attestation was successfully pushed to your registry? And can you verify that the image digest in the actions run matches the digest that you are running in Kubernetes?

julien-michaud · 2024-12-03T16:03:26Z

Hi @julien-michaud! Thank you for the report. I'm sorry for the delayed response. I don't see anything obviously wrong with your configuration, so I'd like to gather a bit more information to assess the problem.

Could you please confirm that you've followed the instructions here to install the latest version of the two helm charts (policy-controller and trust-policies)?

Do you have logs from your GitHub Actions workflow run that indicate that the attestation was successfully pushed to your registry? And can you verify that the image digest in the actions run matches the digest that you are running in Kubernetes?

I think I did everything correctly 🤷

Here are the chart installed on my cluster:

  - name: policy-controller
    version: v0.10.0-github9
    repository: "oci://ghcr.io/github/artifact-attestations-helm-charts"
  - name: trust-policies
    version: v0.6.2
    repository: "oci://ghcr.io/github/artifact-attestations-helm-charts"

controller logs when started

{"level":"info","ts":1733239913.8740556,"logger":"fallback","caller":"webhook/main.go:132","msg":"Initializing TUF root from  => https://tuf-repo-cdn.sigstore.dev"}
main.go:149: {
  "gitVersion": "v0.10.0-github9",
  "gitCommit": "cb5e546f5e74cf96c55e4ed8835d6046fbe530b2",
  "gitTreeState": "clean",
  "buildDate": "2024-11-18T21:24:29Z",
  "goVersion": "go1.23.2",
  "compiler": "gc",
  "platform": "linux/amd64"
}
main.go:228: Registering 3 clients
main.go:229: Registering 4 informer factories
main.go:230: Registering 7 informers
main.go:231: Registering 8 controllers
{"level":"debug","ts":"2024-12-03T15:31:54.844Z","caller":"logging/config.go:116","msg":"Successfully created the logger."}
{"level":"debug","ts":"2024-12-03T15:31:54.844Z","caller":"logging/config.go:117","msg":"Logging level set to: debug"}
{"level":"info","ts":"2024-12-03T15:31:54.845Z","logger":"policy-controller","caller":"profiling/server.go:65","msg":"Profiling enabled: false","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:54.851Z","logger":"policy-controller","caller":"leaderelection/context.go:47","msg":"Running with Standard leader election","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.856Z","logger":"policy-controller","caller":"metrics/metrics_worker.go:76","msg":"Flushing the existing exporter before setting up the new exporter.","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.856Z","logger":"policy-controller","caller":"metrics/prometheus_exporter.go:52","msg":"Created Prometheus exporter with config: &{sigstore.dev/policy policy_controller prometheus 5000000000 <nil>  false 9090 0.0.0.0}. Start the server for Prometheus exporter.","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.856Z","logger":"policy-controller","caller":"metrics/metrics_worker.go:91","msg":"Successfully updated the metrics exporter; old config: <nil>; new config &{sigstore.dev/policy policy_controller prometheus 5000000000 <nil>  false 9090 0.0.0.0}","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.856Z","logger":"policy-controller","caller":"trustroot/controller.go:147","msg":"Creating event broadcaster","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.856Z","logger":"policy-controller","caller":"clusterimagepolicy/controller.go:147","msg":"Creating event broadcaster","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:54.876Z","logger":"policy-controller","caller":"sharedmain/main.go:283","msg":"Starting configuration manager...","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.881Z","logger":"policy-controller.config-store","caller":"configmap/store.go:155","msg":"image-policies config \"config-image-policies\" config was added or updated: &config.ImagePolicyConfig{Policies:map[string]clusterimagepolicy.ClusterImagePolicy{\"github-policy\":clusterimagepolicy.ClusterImagePolicy{UID:\"35015969-c2cc-4758-8d3c-7ddcf5c62702\", ResourceVersion:\"796349067\", Images:[]v1alpha1.ImagePattern{v1alpha1.ImagePattern{Glob:\"**\"}}, Authorities:[]clusterimagepolicy.Authority{clusterimagepolicy.Authority{Name:\"github\", Key:(*clusterimagepolicy.KeyRef)(nil), Keyless:(*clusterimagepolicy.KeylessRef)(0xc000293740), Static:(*clusterimagepolicy.StaticRef)(nil), Sources:[]v1alpha1.Source(nil), CTLog:(*v1alpha1.TLog)(nil), RemoteOpts:[]remote.Option(nil), Attestations:[]clusterimagepolicy.AttestationPolicy{clusterimagepolicy.AttestationPolicy{Name:\"require-attestation\", PredicateType:\"https://slsa.dev/provenance/v1\", Type:\"\", Data:\"\", FetchConfigFile:(*bool)(nil), IncludeSpec:(*bool)(nil), IncludeObjectMeta:(*bool)(nil), IncludeTypeMeta:(*bool)(nil)}}, RFC3161Timestamp:(*clusterimagepolicy.RFC3161Timestamp)(0xc00060b790), SignatureFormat:\"bundle\"}}, Policy:(*clusterimagepolicy.AttestationPolicy)(nil), Mode:\"enforce\", Match:[]v1alpha1.MatchResource(nil)}}}","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.881Z","logger":"policy-controller.config-store","caller":"configmap/store.go:155","msg":"image-policies config \"config-image-policies\" config was added or updated: &config.ImagePolicyConfig{Policies:map[string]clusterimagepolicy.ClusterImagePolicy{\"github-policy\":clusterimagepolicy.ClusterImagePolicy{UID:\"35015969-c2cc-4758-8d3c-7ddcf5c62702\", ResourceVersion:\"796349067\", Images:[]v1alpha1.ImagePattern{v1alpha1.ImagePattern{Glob:\"**\"}}, Authorities:[]clusterimagepolicy.Authority{clusterimagepolicy.Authority{Name:\"github\", Key:(*clusterimagepolicy.KeyRef)(nil), Keyless:(*clusterimagepolicy.KeylessRef)(0xc000754000), Static:(*clusterimagepolicy.StaticRef)(nil), Sources:[]v1alpha1.Source(nil), CTLog:(*v1alpha1.TLog)(nil), RemoteOpts:[]remote.Option(nil), Attestations:[]clusterimagepolicy.AttestationPolicy{clusterimagepolicy.AttestationPolicy{Name:\"require-attestation\", PredicateType:\"https://slsa.dev/provenance/v1\", Type:\"\", Data:\"\", FetchConfigFile:(*bool)(nil), IncludeSpec:(*bool)(nil), IncludeObjectMeta:(*bool)(nil), IncludeTypeMeta:(*bool)(nil)}}, RFC3161Timestamp:(*clusterimagepolicy.RFC3161Timestamp)(0xc000520720), SignatureFormat:\"bundle\"}}, Policy:(*clusterimagepolicy.AttestationPolicy)(nil), Mode:\"enforce\", Match:[]v1alpha1.MatchResource(nil)}}}","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.881Z","logger":"policy-controller.config-policy-controller","caller":"configmap/store.go:155","msg":"config-policy-controller config \"config-policy-controller\" config was added or updated: &config.PolicyControllerConfig{NoMatchPolicy:\"deny\", FailOnEmptyAuthorities:true}","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.881Z","logger":"policy-controller.config-policy-controller","caller":"configmap/store.go:155","msg":"config-policy-controller config \"config-policy-controller\" config was added or updated: &config.PolicyControllerConfig{NoMatchPolicy:\"deny\", FailOnEmptyAuthorities:true}","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.882Z","logger":"policy-controller.config-store","caller":"configmap/store.go:155","msg":"image-policies config \"config-sigstore-keys\" config was added or updated: &config.SigstoreKeysMap{SigstoreKeys:map[string]*v1.TrustedRoot{\"github\":(*v1.TrustedRoot)(0xc000524a00)}}","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:54.883Z","logger":"policy-controller.config-store","caller":"configmap/store.go:155","msg":"image-policies config \"config-sigstore-keys\" config was added or updated: &config.SigstoreKeysMap{SigstoreKeys:map[string]*v1.TrustedRoot{\"github\":(*v1.TrustedRoot)(0xc0005a0780)}}","commit":"cb5e546"}
{"level":"info","ts":1733239914.9770317,"logger":"fallback","caller":"injection/injection.go:63","msg":"Starting informers..."}
{"level":"debug","ts":"2024-12-03T15:31:54.984Z","logger":"policy-controller","caller":"controller/controller.go:420","msg":"Adding to queue github-policy (depth: 1)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.Reconciler","knative.dev/kind":"policy.sigstore.dev.ClusterImagePolicy","knative.dev/key":"/github-policy"}
{"level":"debug","ts":"2024-12-03T15:31:55.066Z","logger":"policy-controller","caller":"controller/controller.go:420","msg":"Adding to queue github (depth: 1)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot","knative.dev/key":"/github"}
{"level":"info","ts":"2024-12-03T15:31:55.066Z","logger":"policy-controller","caller":"clusterimagepolicy/controller.go:102","msg":"Doing a global resync on ClusterImagePolicies due to ConfigMap changing or resync period.","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:55.066Z","logger":"policy-controller","caller":"controller/controller.go:289","msg":"Adding to the slow queue github-policy (depth(total/slow): 2/1)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.Reconciler","knative.dev/kind":"policy.sigstore.dev.ClusterImagePolicy","knative.dev/key":"/github-policy"}
{"level":"info","ts":"2024-12-03T15:31:55.066Z","logger":"policy-controller","caller":"trustroot/controller.go:67","msg":"Doing a global resync on TrustRoot due to ConfigMap changing or resync period.","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:55.067Z","logger":"policy-controller","caller":"controller/controller.go:289","msg":"Adding to the slow queue github (depth(total/slow): 2/1)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot","knative.dev/key":"/github"}
{"level":"debug","ts":"2024-12-03T15:31:55.067Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:420","msg":"Adding to queue sigstore-policy-controller/webhook-certs (depth: 1)","commit":"cb5e546","knative.dev/key":"sigstore-policy-controller/webhook-certs"}
{"level":"debug","ts":"2024-12-03T15:31:55.067Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:420","msg":"Adding to queue defaulting.clusterimagepolicy.sigstore.dev (depth: 1)","commit":"cb5e546","knative.dev/key":"/defaulting.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:31:55.067Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:420","msg":"Adding to queue sigstore-policy-controller/webhook-certs (depth: 2)","commit":"cb5e546","knative.dev/key":"sigstore-policy-controller/webhook-certs"}
{"level":"debug","ts":"2024-12-03T15:31:55.067Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:420","msg":"Adding to queue sigstore-policy-controller/webhook-certs (depth: 1)","commit":"cb5e546","knative.dev/key":"sigstore-policy-controller/webhook-certs"}
{"level":"debug","ts":"2024-12-03T15:31:55.067Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:420","msg":"Adding to queue sigstore-policy-controller/webhook-certs (depth: 1)","commit":"cb5e546","knative.dev/key":"sigstore-policy-controller/webhook-certs"}
{"level":"debug","ts":"2024-12-03T15:31:55.067Z","logger":"policy-controller.resource-conversion","caller":"controller/controller.go:420","msg":"Adding to queue clusterimagepolicies.policy.sigstore.dev (depth: 1)","commit":"cb5e546","knative.dev/key":"/clusterimagepolicies.policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:31:55.067Z","logger":"policy-controller.WebhookCertificates","caller":"controller/controller.go:420","msg":"Adding to queue sigstore-policy-controller/webhook-certs (depth: 1)","commit":"cb5e546","knative.dev/key":"sigstore-policy-controller/webhook-certs"}
{"level":"debug","ts":"2024-12-03T15:31:55.068Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:420","msg":"Adding to queue policy.sigstore.dev (depth: 2)","commit":"cb5e546","knative.dev/key":"/policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:31:55.068Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:420","msg":"Adding to queue policy.sigstore.dev (depth: 2)","commit":"cb5e546","knative.dev/key":"/policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:31:55.068Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:420","msg":"Adding to queue validating.clusterimagepolicy.sigstore.dev (depth: 2)","commit":"cb5e546","knative.dev/key":"/validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:31:57.781Z","logger":"policy-controller.resource-conversion","caller":"controller/controller.go:420","msg":"Adding to queue clusterimagepolicies.policy.sigstore.dev (depth: 2)","commit":"cb5e546","knative.dev/key":"/clusterimagepolicies.policy.sigstore.dev"}
{"level":"info","ts":"2024-12-03T15:31:57.877Z","logger":"policy-controller","caller":"webhook/webhook.go:218","msg":"Informers have been synced, unblocking admission webhooks.","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.877Z","logger":"policy-controller","caller":"sharedmain/main.go:311","msg":"Starting controllers...","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.877Z","logger":"policy-controller","caller":"injection/health_check.go:43","msg":"Probes server listening on port 8080","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.877Z","logger":"policy-controller","caller":"leaderelection/context.go:149","msg":"policy-controller.resource-conversion.00-of-01 will run in leader-elected mode with id \"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_eb3746f9-59f7-4752-93f8-ec9999abbf3b\"","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.877Z","logger":"policy-controller.resource-conversion","caller":"controller/controller.go:486","msg":"Starting controller and workers","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.877Z","logger":"policy-controller.resource-conversion","caller":"controller/controller.go:496","msg":"Started workers","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.resource-conversion","caller":"controller/controller.go:513","msg":"Processing from queue clusterimagepolicies.policy.sigstore.dev (depth: 0)","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"leaderelection/context.go:149","msg":"policy-controller.webhookcertificates.00-of-01 will run in leader-elected mode with id \"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_b83caa3a-1055-4a99-b482-c86fb9e8ce1d\"","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.WebhookCertificates","caller":"controller/controller.go:486","msg":"Starting controller and workers","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.WebhookCertificates","caller":"controller/controller.go:496","msg":"Started workers","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.WebhookCertificates","caller":"controller/controller.go:513","msg":"Processing from queue sigstore-policy-controller/webhook-certs (depth: 0)","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"leaderelection/context.go:149","msg":"policy-controller.policy.sigstore.dev-validating.00-of-01 will run in leader-elected mode with id \"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_9f18284b-be3b-4050-a98f-736156772cab\"","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:486","msg":"Starting controller and workers","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:496","msg":"Started workers","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue sigstore-policy-controller/webhook-certs (depth: 1)","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue policy.sigstore.dev (depth: 0)","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"leaderelection/context.go:149","msg":"policy-controller.policy.sigstore.dev-mutating.00-of-01 will run in leader-elected mode with id \"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_d832541a-2d41-45d4-9c52-4dbae21dabfd\"","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:486","msg":"Starting controller and workers","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:496","msg":"Started workers","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue sigstore-policy-controller/webhook-certs (depth: 1)","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue policy.sigstore.dev (depth: 0)","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"leaderelection/context.go:149","msg":"policy-controller.github.com.sigstore.policy-controller.pkg.reconciler.trustroot.reconciler.00-of-01 will run in leader-elected mode with id \"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_b743c6e0-5ef6-40bb-ae0f-33eb304ce792\"","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"controller/controller.go:486","msg":"Starting controller and workers","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"controller/controller.go:496","msg":"Started workers","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"controller/controller.go:513","msg":"Processing from queue github (depth: 0)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"leaderelection/context.go:149","msg":"policy-controller.github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.reconciler.00-of-01 will run in leader-elected mode with id \"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_4a8df2cb-fe92-4141-860d-6de3d052ee1f\"","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"controller/controller.go:486","msg":"Starting controller and workers","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.Reconciler","knative.dev/kind":"policy.sigstore.dev.ClusterImagePolicy"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"controller/controller.go:496","msg":"Started workers","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.Reconciler","knative.dev/kind":"policy.sigstore.dev.ClusterImagePolicy"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"controller/controller.go:513","msg":"Processing from queue github-policy (depth: 0)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.Reconciler","knative.dev/kind":"policy.sigstore.dev.ClusterImagePolicy"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller","caller":"leaderelection/context.go:149","msg":"policy-controller.validating.clusterimagepolicy.sigstore.dev.00-of-01 will run in leader-elected mode with id \"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_e1867003-f525-4973-a6ce-a1bb3eecadd5\"","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:486","msg":"Starting controller and workers","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:496","msg":"Started workers","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue sigstore-policy-controller/webhook-certs (depth: 1)","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.878Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue validating.clusterimagepolicy.sigstore.dev (depth: 0)","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.879Z","logger":"policy-controller","caller":"leaderelection/context.go:149","msg":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev.00-of-01 will run in leader-elected mode with id \"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_c50414f6-5408-4993-b7ce-62398fa992cb\"","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.879Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:486","msg":"Starting controller and workers","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:31:57.879Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:496","msg":"Started workers","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.879Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue defaulting.clusterimagepolicy.sigstore.dev (depth: 1)","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:31:57.879Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue sigstore-policy-controller/webhook-certs (depth: 0)","commit":"cb5e546"}
I1203 15:31:57.879191       1 leaderelection.go:254] attempting to acquire leader lease sigstore-policy-controller/policy-controller.resource-conversion.00-of-01...
I1203 15:31:57.879627       1 leaderelection.go:254] attempting to acquire leader lease sigstore-policy-controller/policy-controller.webhookcertificates.00-of-01...
I1203 15:31:57.879798       1 leaderelection.go:254] attempting to acquire leader lease sigstore-policy-controller/policy-controller.policy.sigstore.dev-validating.00-of-01...
I1203 15:31:57.879995       1 leaderelection.go:254] attempting to acquire leader lease sigstore-policy-controller/policy-controller.policy.sigstore.dev-mutating.00-of-01...
I1203 15:31:57.880164       1 leaderelection.go:254] attempting to acquire leader lease sigstore-policy-controller/policy-controller.github.com.sigstore.policy-controller.pkg.reconciler.trustroot.reconciler.00-of-01...
I1203 15:31:57.880304       1 leaderelection.go:254] attempting to acquire leader lease sigstore-policy-controller/policy-controller.github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.reconciler.00-of-01...
I1203 15:31:57.880464       1 leaderelection.go:254] attempting to acquire leader lease sigstore-policy-controller/policy-controller.validating.clusterimagepolicy.sigstore.dev.00-of-01...
I1203 15:31:57.880610       1 leaderelection.go:254] attempting to acquire leader lease sigstore-policy-controller/policy-controller.defaulting.clusterimagepolicy.sigstore.dev.00-of-01...
I1203 15:32:15.588183       1 leaderelection.go:268] successfully acquired lease sigstore-policy-controller/policy-controller.github.com.sigstore.policy-controller.pkg.reconciler.trustroot.reconciler.00-of-01
{"level":"info","ts":"2024-12-03T15:32:15.588Z","logger":"policy-controller","caller":"leaderelection/context.go:158","msg":"\"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_b743c6e0-5ef6-40bb-ae0f-33eb304ce792\" has started leading \"policy-controller.github.com.sigstore.policy-controller.pkg.reconciler.trustroot.reconciler.00-of-01\"","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:15.588Z","logger":"policy-controller","caller":"controller/controller.go:289","msg":"Adding to the slow queue github (depth(total/slow): 1/1)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot","knative.dev/key":"/github"}
{"level":"debug","ts":"2024-12-03T15:32:15.588Z","logger":"policy-controller","caller":"controller/controller.go:513","msg":"Processing from queue github (depth: 0)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot"}
{"level":"debug","ts":"2024-12-03T15:32:16.339Z","logger":"policy-controller.config-store","caller":"configmap/store.go:155","msg":"image-policies config \"config-sigstore-keys\" config was added or updated: &config.SigstoreKeysMap{SigstoreKeys:map[string]*v1.TrustedRoot{\"github\":(*v1.TrustedRoot)(0xc00498c500)}}","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:16.340Z","logger":"policy-controller.config-store","caller":"configmap/store.go:155","msg":"image-policies config \"config-sigstore-keys\" config was added or updated: &config.SigstoreKeysMap{SigstoreKeys:map[string]*v1.TrustedRoot{\"github\":(*v1.TrustedRoot)(0xc00498ca00)}}","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:32:16.341Z","logger":"policy-controller","caller":"controller/controller.go:550","msg":"Reconcile succeeded","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot","knative.dev/traceid":"61fb5e25-6663-40a2-9f9f-d11077ba82d3","knative.dev/key":"github","duration":0.752435323}
{"level":"info","ts":"2024-12-03T15:32:16.342Z","logger":"policy-controller","caller":"trustroot/controller.go:67","msg":"Doing a global resync on TrustRoot due to ConfigMap changing or resync period.","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:16.342Z","logger":"policy-controller","caller":"controller/controller.go:289","msg":"Adding to the slow queue github (depth(total/slow): 1/1)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot","knative.dev/key":"/github"}
{"level":"debug","ts":"2024-12-03T15:32:16.342Z","logger":"policy-controller","caller":"controller/controller.go:513","msg":"Processing from queue github (depth: 0)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot"}
{"level":"info","ts":"2024-12-03T15:32:16.405Z","logger":"policy-controller","caller":"controller/controller.go:550","msg":"Reconcile succeeded","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.trustroot.Reconciler","knative.dev/kind":"policy.sigstore.dev.TrustRoot","knative.dev/traceid":"f88ddb2d-8947-470d-a269-814bd73606e1","knative.dev/key":"github","duration":0.062456245}
I1203 15:32:16.622338       1 leaderelection.go:268] successfully acquired lease sigstore-policy-controller/policy-controller.defaulting.clusterimagepolicy.sigstore.dev.00-of-01
{"level":"info","ts":"2024-12-03T15:32:16.622Z","logger":"policy-controller","caller":"leaderelection/context.go:158","msg":"\"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_c50414f6-5408-4993-b7ce-62398fa992cb\" has started leading \"policy-controller.defaulting.clusterimagepolicy.sigstore.dev.00-of-01\"","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:16.622Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:289","msg":"Adding to the slow queue defaulting.clusterimagepolicy.sigstore.dev (depth(total/slow): 1/1)","commit":"cb5e546","knative.dev/key":"/defaulting.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:16.622Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue defaulting.clusterimagepolicy.sigstore.dev (depth: 0)","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:32:16.646Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"defaulting/defaulting.go:255","msg":"Updating webhook","commit":"cb5e546","knative.dev/traceid":"c526200a-e36e-4e30-9246-86193151275e","knative.dev/key":"defaulting.clusterimagepolicy.sigstore.dev"}
{"level":"info","ts":"2024-12-03T15:32:16.657Z","logger":"policy-controller.defaulting.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:550","msg":"Reconcile succeeded","commit":"cb5e546","knative.dev/traceid":"c526200a-e36e-4e30-9246-86193151275e","knative.dev/key":"defaulting.clusterimagepolicy.sigstore.dev","duration":0.034889137}
I1203 15:32:17.689414       1 leaderelection.go:268] successfully acquired lease sigstore-policy-controller/policy-controller.resource-conversion.00-of-01
{"level":"info","ts":"2024-12-03T15:32:17.689Z","logger":"policy-controller","caller":"leaderelection/context.go:158","msg":"\"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_eb3746f9-59f7-4752-93f8-ec9999abbf3b\" has started leading \"policy-controller.resource-conversion.00-of-01\"","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:17.689Z","logger":"policy-controller.resource-conversion","caller":"controller/controller.go:289","msg":"Adding to the slow queue clusterimagepolicies.policy.sigstore.dev (depth(total/slow): 1/1)","commit":"cb5e546","knative.dev/key":"/clusterimagepolicies.policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:17.689Z","logger":"policy-controller.resource-conversion","caller":"controller/controller.go:513","msg":"Processing from queue clusterimagepolicies.policy.sigstore.dev (depth: 0)","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:32:17.699Z","logger":"policy-controller.resource-conversion","caller":"conversion/reconciler.go:115","msg":"CRD is up to date","commit":"cb5e546","knative.dev/traceid":"e102cb2f-3170-4b84-902e-74c4370c528c","knative.dev/key":"clusterimagepolicies.policy.sigstore.dev"}
{"level":"info","ts":"2024-12-03T15:32:17.699Z","logger":"policy-controller.resource-conversion","caller":"controller/controller.go:550","msg":"Reconcile succeeded","commit":"cb5e546","knative.dev/traceid":"e102cb2f-3170-4b84-902e-74c4370c528c","knative.dev/key":"clusterimagepolicies.policy.sigstore.dev","duration":0.00925527}
I1203 15:32:18.642892       1 leaderelection.go:268] successfully acquired lease sigstore-policy-controller/policy-controller.github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.reconciler.00-of-01
{"level":"info","ts":"2024-12-03T15:32:18.643Z","logger":"policy-controller","caller":"leaderelection/context.go:158","msg":"\"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_4a8df2cb-fe92-4141-860d-6de3d052ee1f\" has started leading \"policy-controller.github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.reconciler.00-of-01\"","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:18.643Z","logger":"policy-controller","caller":"controller/controller.go:289","msg":"Adding to the slow queue github-policy (depth(total/slow): 1/1)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.Reconciler","knative.dev/kind":"policy.sigstore.dev.ClusterImagePolicy","knative.dev/key":"/github-policy"}
{"level":"debug","ts":"2024-12-03T15:32:18.643Z","logger":"policy-controller","caller":"controller/controller.go:513","msg":"Processing from queue github-policy (depth: 0)","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.Reconciler","knative.dev/kind":"policy.sigstore.dev.ClusterImagePolicy"}
{"level":"info","ts":"2024-12-03T15:32:18.643Z","logger":"policy-controller","caller":"controller/controller.go:550","msg":"Reconcile succeeded","commit":"cb5e546","knative.dev/controller":"github.com.sigstore.policy-controller.pkg.reconciler.clusterimagepolicy.Reconciler","knative.dev/kind":"policy.sigstore.dev.ClusterImagePolicy","knative.dev/traceid":"a16ecfb2-c2db-457c-8257-0f9e595e273f","knative.dev/key":"github-policy","duration":0.00022302}
I1203 15:32:26.250122       1 leaderelection.go:268] successfully acquired lease sigstore-policy-controller/policy-controller.policy.sigstore.dev-mutating.00-of-01
{"level":"info","ts":"2024-12-03T15:32:26.250Z","logger":"policy-controller","caller":"leaderelection/context.go:158","msg":"\"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_d832541a-2d41-45d4-9c52-4dbae21dabfd\" has started leading \"policy-controller.policy.sigstore.dev-mutating.00-of-01\"","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:26.250Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:289","msg":"Adding to the slow queue policy.sigstore.dev (depth(total/slow): 1/1)","commit":"cb5e546","knative.dev/key":"/policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.250Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue policy.sigstore.dev (depth: 0)","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:32:26.264Z","logger":"policy-controller.policy.sigstore.dev","caller":"defaulting/defaulting.go:255","msg":"Updating webhook","commit":"cb5e546","knative.dev/traceid":"dca217cb-4446-4676-861d-5136ea93586a","knative.dev/key":"policy.sigstore.dev"}
{"level":"info","ts":"2024-12-03T15:32:26.282Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:550","msg":"Reconcile succeeded","commit":"cb5e546","knative.dev/traceid":"dca217cb-4446-4676-861d-5136ea93586a","knative.dev/key":"policy.sigstore.dev","duration":0.031965647}
I1203 15:32:26.917970       1 leaderelection.go:268] successfully acquired lease sigstore-policy-controller/policy-controller.validating.clusterimagepolicy.sigstore.dev.00-of-01
{"level":"info","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller","caller":"leaderelection/context.go:158","msg":"\"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_e1867003-f525-4973-a6ce-a1bb3eecadd5\" has started leading \"policy-controller.validating.clusterimagepolicy.sigstore.dev.00-of-01\"","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:289","msg":"Adding to the slow queue validating.clusterimagepolicy.sigstore.dev (depth(total/slow): 1/1)","commit":"cb5e546","knative.dev/key":"/validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue validating.clusterimagepolicy.sigstore.dev (depth: 0)","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE DELETE]","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [clusterimagepolicies clusterimagepolicies/status]","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE DELETE]","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [trustroots trustroots/status]","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE DELETE]","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [clusterimagepolicies clusterimagepolicies/status]","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE DELETE] Rule:{APIGroups:[policy.sigstore.dev] APIVersions:[v1alpha1] Resources:[clusterimagepolicies clusterimagepolicies/status] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE DELETE] Rule:{APIGroups:[policy.sigstore.dev] APIVersions:[v1alpha1] Resources:[trustroots trustroots/status] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:26.918Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE DELETE] Rule:{APIGroups:[policy.sigstore.dev] APIVersions:[v1beta1] Resources:[clusterimagepolicies clusterimagepolicies/status] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"info","ts":"2024-12-03T15:32:26.930Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"validation/reconcile_config.go:228","msg":"Updating webhook","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev"}
{"level":"info","ts":"2024-12-03T15:32:26.941Z","logger":"policy-controller.validating.clusterimagepolicy.sigstore.dev","caller":"controller/controller.go:550","msg":"Reconcile succeeded","commit":"cb5e546","knative.dev/traceid":"b2c9a446-83cd-4fd1-b746-5e40ee18ec0b","knative.dev/key":"validating.clusterimagepolicy.sigstore.dev","duration":0.023385439}
I1203 15:32:31.072156       1 leaderelection.go:268] successfully acquired lease sigstore-policy-controller/policy-controller.policy.sigstore.dev-validating.00-of-01
{"level":"info","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller","caller":"leaderelection/context.go:158","msg":"\"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_9f18284b-be3b-4050-a98f-736156772cab\" has started leading \"policy-controller.policy.sigstore.dev-validating.00-of-01\"","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:289","msg":"Adding to the slow queue policy.sigstore.dev (depth(total/slow): 1/1)","commit":"cb5e546","knative.dev/key":"/policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:513","msg":"Processing from queue policy.sigstore.dev (depth: 0)","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:116","msg":"Using custom Verbs","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:125","msg":"Using custom SubResources","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [replicasets]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:116","msg":"Using custom Verbs","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:125","msg":"Using custom SubResources","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [deployments]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:116","msg":"Using custom Verbs","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.072Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:125","msg":"Using custom SubResources","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [statefulsets]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:116","msg":"Using custom Verbs","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:125","msg":"Using custom SubResources","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [daemonsets]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:116","msg":"Using custom Verbs","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:125","msg":"Using custom SubResources","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [jobs]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:116","msg":"Using custom Verbs","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:125","msg":"Using custom SubResources","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [cronjobs]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:116","msg":"Using custom Verbs","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:125","msg":"Using custom SubResources","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [cronjobs]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:116","msg":"Using custom Verbs","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:119","msg":"Registering verbs: [CREATE UPDATE]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:125","msg":"Using custom SubResources","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:137","msg":"Registering SubResources: [pods/ephemeralcontainers pods]","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE] Rule:{APIGroups:[apps] APIVersions:[v1] Resources:[replicasets] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE] Rule:{APIGroups:[apps] APIVersions:[v1] Resources:[deployments] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE] Rule:{APIGroups:[apps] APIVersions:[v1] Resources:[statefulsets] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE] Rule:{APIGroups:[apps] APIVersions:[v1] Resources:[daemonsets] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE] Rule:{APIGroups:[batch] APIVersions:[v1] Resources:[jobs] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE] Rule:{APIGroups:[batch] APIVersions:[v1] Resources:[cronjobs] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE] Rule:{APIGroups:[batch] APIVersions:[v1beta1] Resources:[cronjobs] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"debug","ts":"2024-12-03T15:32:31.073Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:172","msg":"Rule: {Operations:[CREATE UPDATE] Rule:{APIGroups:[] APIVersions:[v1] Resources:[pods/ephemeralcontainers pods] Scope:<nil>}}","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"info","ts":"2024-12-03T15:32:31.085Z","logger":"policy-controller.policy.sigstore.dev","caller":"validation/reconcile_config.go:228","msg":"Updating webhook","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev"}
{"level":"info","ts":"2024-12-03T15:32:31.093Z","logger":"policy-controller.policy.sigstore.dev","caller":"controller/controller.go:550","msg":"Reconcile succeeded","commit":"cb5e546","knative.dev/traceid":"1f226cab-1bf6-4475-ad8e-e9223124765d","knative.dev/key":"policy.sigstore.dev","duration":0.020483659}
I1203 15:32:32.198936       1 leaderelection.go:268] successfully acquired lease sigstore-policy-controller/policy-controller.webhookcertificates.00-of-01
{"level":"info","ts":"2024-12-03T15:32:32.199Z","logger":"policy-controller","caller":"leaderelection/context.go:158","msg":"\"sigstore-policy-controller-webhook-65fb98ddd4-s2s54_b83caa3a-1055-4a99-b482-c86fb9e8ce1d\" has started leading \"policy-controller.webhookcertificates.00-of-01\"","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:32:32.199Z","logger":"policy-controller.WebhookCertificates","caller":"controller/controller.go:289","msg":"Adding to the slow queue sigstore-policy-controller/webhook-certs (depth(total/slow): 1/1)","commit":"cb5e546","knative.dev/key":"sigstore-policy-controller/webhook-certs"}
{"level":"debug","ts":"2024-12-03T15:32:32.199Z","logger":"policy-controller.WebhookCertificates","caller":"controller/controller.go:513","msg":"Processing from queue sigstore-policy-controller/webhook-certs (depth: 0)","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:32:32.199Z","logger":"policy-controller.WebhookCertificates","caller":"controller/controller.go:550","msg":"Reconcile succeeded","commit":"cb5e546","knative.dev/traceid":"1466d829-c7db-4cec-bb3e-a559883e87bf","knative.dev/key":"sigst

The trustroot object installed:

apiVersion: policy.sigstore.dev/v1alpha1
kind: TrustRoot
metadata:
  annotations:
  creationTimestamp: '2024-09-27T13:59:27Z'
  finalizers:
    - trustroots.policy.sigstore.dev
  generation: 1
  name: github
  resourceVersion: '791951616'
  uid: 93cce2f7-6c5a-4721-bf24-0dbb4b69bc35
spec:
  remote:
    mirror: https://tuf-repo.github.com/
    root: >-
      ewogInNpZ25hdHVyZXMiOiBbCiAgewogICAia2V5aWQiOiAiNGY0ZDFkZDc1ZjJkN2YzODYwZTNhMDY4ZDdiZWQ5MGRlYzVmMGZhYWZjYmUxYWNlN2ZiN2Q5NWQyOWUwNzIyOCIsCiAgICJzaWciOiAiIgogIH0sCiAgewogICAia2V5aWQiOiAiZWI4ZWZmMzdmOTNhZjJmYWFiYTUxOWYzNDFkZWNlYzNjZWNkM2VlYWZjYWNlMzI5NjZkYjk3MjM4NDJjOGE2MiIsCiAgICJzaWciOiAiIgogIH0sCiAgewogICAia2V5aWQiOiAiNTM5ZGRlNDQwMTRjODUwZmU2ZWViOGIyOTllYjdkYWUyZTFmNGJmODM0NTRiOTQ5ZTk4YWE3MzU0MmNkYzY1YSIsCiAgICJzaWciOiAiIgogIH0sCiAgewogICAia2V5aWQiOiAiYTEwNTEzYTVhYjYxYWNkMGM2YjZmYmUwNTA0ODU2ZWFkMThmM2IxN2M0ZmFiYmUzZmE4NDhjNzlhNWExODdjZiIsCiAgICJzaWciOiAiMzA0NjAyMjEwMGNhMzQxZDNiYTJlZjc2NTdkNjljMjgyNTcyOTk1OTY4MWY1NWFlYzQ5N2I2MTJlODFhNTQ3ZTJhYmI2MTZiNDkwMjIxMDBjZDYwNWI0MTJhM2Q5OTFmOTJlMDgxOGUwN2U2MDM4M2JiZDIzOTA0NzIzZWVjMjIxZDZlMzlmZGZlYWUzMTA0IgogIH0sCiAgewogICAia2V5aWQiOiAiNWUwMWM5YTBiMjY0MWE4OTY1YTRhNzRlN2RmMGJjN2IyZDgyNzhhMmMzY2EwY2Y3YTNmMmY3ODNkM2M2OTgwMCIsCiAgICJzaWciOiAiMzA0NjAyMjEwMGQwZjcwZWZmZTYwZDZhMTgzMTllMjg5MDA4OGNkMDFkNDVjNjU0ZWU2ZDJjZTFkNWMzY2RjZjJkYzdmNjM3NTcwMjIxMDA4Zjk0N2EyZDczMzRkOTQ4ZjFjNDc5NGIwYTQ2NWYxZGZiOTlhNTc4ZGQ4ZDFmNDU2M2NlZTA1ODFmNDU3ZGIyIgogIH0sCiAgewogICAia2V5aWQiOiAiNTQ4MDkxMTViNDAxMzdhYWMwMWFmNGI3YWMyNDA4Yzc3ZWEwZDU4ZmE0ZGFkNDhmYzMxOTY0OTdkMmEyNmY0NCIsCiAgICJzaWciOiAiMzA0NTAyMjAxYWU5MzFkYjFjNDgwMjBmYjM3YWY1NGQ0NDZhYzg1NjMwNmY2MTlkZmMzZjkzZGRjZmY3MGQyODgwZTQ0M2RjMDIyMTAwOTkyYjcwNDUxYWE3NDgwNWFkZWYyNGU4NWVjMzUyZTU5ODgxMjI2N2Y2MjM5NzliZDRjZTcxOWI2NmI2MmQyMiIKICB9LAogIHsKICAgImtleWlkIjogIjg4NzM3Y2NkYWM3YjQ5Y2MyMzdlOWFhZWFkODFiZTJhNDAyNzhiODg2YTY5M2Q4MTQ5YTE5Y2Y1NDNmMDkzZDMiLAogICAic2lnIjogIjMwNDUwMjIwMjNiYmE4ZTE0YzE3NzYwOWY0Mzg3M2FhMDA4N2VmOTgzZGRkMmJhZDlhMGE4MzJjMGNmMjc5ZTFiZTg3OThmMjAyMjEwMGZhY2ZhZWNjMWQ3ZWU3OTMwNDJlYWFhNjk3MGZiOWNhNzAwYzNiZGJmNGVlNDNlZDBmOGQwZmMzYWVmOTY1NjMiCiAgfSwKICB7CiAgICJrZXlpZCI6ICJkNmE4OWUyM2ZiMjI4MDFhMGQxMTg2YmYxYmRkMDA3ZTIyOGY2NWE4YWE5OTY0ZDI0ZDA2Y2I1ZmJiMGNlOTFjIiwKICAgInNpZyI6ICIzMDQ2MDIyMTAwZDJmNmNjZWIwNWQxMzVjZTZhNmNlN2ZlMWRjNzZjMjQ1MDgxNTRhZDcxYzQzMzAyOGU2NGNhOTViYTcxNmZmYjAyMjEwMGYwNTkyZDYwZWI2NzUwOGRkNWY5Y2M1OTNhNGNjYTMzYmJhZjk0ODgyYzNkNzRhNTYwZmRhODQ1YTQ1NmM2Y2MiCiAgfSwKICB7CiAgICJrZXlpZCI6ICI4YjQ5OGE4MGExYjdhZjE4OGMxMGM5YWJkZjZhYWRlODFkMTRmYWFmZmNkZTJhYmNkNjA2M2JhYTY3M2ViZDEyIiwKICAgInNpZyI6ICIzMDQ1MDIyMTAwOWFmMmYwYzUzNGVkOTJkZTkwOWEzYjcyN2Y3MTAxMzE5YzE4ZTEwNjIzZGU4ZjQ4YTBlYmE5ODBkM2Q1NGQ4MzAyMjAwOTU4NDJiMTZjNTg1NjdjNzFmOWRmYTBiNTRlNzlkYWNhMWIyZmVjZjNjYjJlYTRlZTZkODM5M2JkZjkzMjk0IgogIH0KIF0sCiAic2lnbmVkIjogewogICJfdHlwZSI6ICJyb290IiwKICAiY29uc2lzdGVudF9zbmFwc2hvdCI6IHRydWUsCiAgImV4cGlyZXMiOiAiMjAyNS0wNC0xMVQxNDozNjo1N1oiLAogICJrZXlzIjogewogICAiNGY0ZDFkZDc1ZjJkN2YzODYwZTNhMDY4ZDdiZWQ5MGRlYzVmMGZhYWZjYmUxYWNlN2ZiN2Q5NWQyOWUwNzIyOCI6IHsKICAgICJrZXl0eXBlIjogImVjZHNhIiwKICAgICJrZXl2YWwiOiB7CiAgICAgInB1YmxpYyI6ICItLS0tLUJFR0lOIFBVQkxJQyBLRVktLS0tLVxuTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFTmtpN2FaVmlwczVTZ1J6Q2QvT20wQ0d6UUtZL1xubnY4NGdpcVZEbWR3YjJ5czgyWjZzb0ZMYXN2WVlFRVFjd3FhQzE3MG45Z3I5M3dIVWdQYzc5NnVKQT09XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS1cbiIKICAgIH0sCiAgICAic2NoZW1lIjogImVjZHNhLXNoYTItbmlzdHAyNTYiLAogICAgIngtdHVmLW9uLWNpLWtleW93bmVyIjogIkBhc2h0b20iCiAgIH0sCiAgICI1MzlkZGU0NDAxNGM4NTBmZTZlZWI4YjI5OWViN2RhZTJlMWY0YmY4MzQ1NGI5NDllOThhYTczNTQyY2RjNjVhIjogewogICAgImtleXR5cGUiOiAiZWNkc2EiLAogICAgImtleXZhbCI6IHsKICAgICAicHVibGljIjogIi0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVsRDBvMnNPWk45bjNSS1E3UHRNTEFvWGorMkFpXG5uNFBLVC9wZm56RGxOTHJEM1ZUUXdDYzRzUjR0K09MdTRLUStxaytrWGtSOVl1QnN1M2JkSloxT1d3PT1cbi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLVxuIgogICAgfSwKICAgICJzY2hlbWUiOiAiZWNkc2Etc2hhMi1uaXN0cDI1NiIsCiAgICAieC10dWYtb24tY2kta2V5b3duZXIiOiAiQG5lcmRuZWhhIgogICB9LAogICAiNTQ4MDkxMTViNDAxMzdhYWMwMWFmNGI3YWMyNDA4Yzc3ZWEwZDU4ZmE0ZGFkNDhmYzMxOTY0OTdkMmEyNmY0NCI6IHsKICAgICJrZXl0eXBlIjogImVjZHNhIiwKICAgICJrZXl2YWwiOiB7CiAgICAgInB1YmxpYyI6ICItLS0tLUJFR0lOIFBVQkxJQyBLRVktLS0tLVxuTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFaW1LY2RTVCtPUkQrZzBhR0VGRE9WWkRBYUlZZ1xuSWdlc05LaUllMkw3TVVzWXg1VUhoelEwOHF1dmV3MTNlWVNDTkpuZndvb0ZadTdjZFR1OEF3cUZqUT09XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS1cbiIKICAgIH0sCiAgICAic2NoZW1lIjogImVjZHNhLXNoYTItbmlzdHAyNTYiLAogICAgIngtdHVmLW9uLWNpLWtleW93bmVyIjogIkBhbGV4aXN3YWxlcyIKICAgfSwKICAgIjg4NzM3Y2NkYWM3YjQ5Y2MyMzdlOWFhZWFkODFiZTJhNDAyNzhiODg2YTY5M2Q4MTQ5YTE5Y2Y1NDNmMDkzZDMiOiB7CiAgICAia2V5dHlwZSI6ICJlY2RzYSIsCiAgICAia2V5dmFsIjogewogICAgICJwdWJsaWMiOiAiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRUJhZ2tza05PcE9UYmV0VFg1Q2Rudk15K0xpV25cbm9uUnJOcnFBSEw0V2dpZWJIN1VpZzdHTGhDM2JrZUEvcWdiOTI2L3ZyOXFoT1BHOUJ1ajJIYXRyUHc9PVxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tXG4iCiAgICB9LAogICAgInNjaGVtZSI6ICJlY2RzYS1zaGEyLW5pc3RwMjU2IiwKICAgICJ4LXR1Zi1vbi1jaS1rZXlvd25lciI6ICJAZ3JlZ29zZSIKICAgfSwKICAgIjhiNDk4YTgwYTFiN2FmMTg4YzEwYzlhYmRmNmFhZGU4MWQxNGZhYWZmY2RlMmFiY2Q2MDYzYmFhNjczZWJkMTIiOiB7CiAgICAia2V5dHlwZSI6ICJlY2RzYSIsCiAgICAia2V5dmFsIjogewogICAgICJwdWJsaWMiOiAiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTdJRW9WTndycHJjaFhHaFQ1c0FoU2F4N1NPZDNcbjhkdXVJU2doQ3pmbUhkS0pXU2JWMndKUmFtUmlVVlJ0bUE4M0svcW01Y1QyMFdYTUNUNVFlTS9EM0E9PVxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tXG4iCiAgICB9LAogICAgInNjaGVtZSI6ICJlY2RzYS1zaGEyLW5pc3RwMjU2IiwKICAgICJ4LXR1Zi1vbi1jaS1rZXlvd25lciI6ICJAdHJldnJvc2VuIgogICB9LAogICAiYTEwNTEzYTVhYjYxYWNkMGM2YjZmYmUwNTA0ODU2ZWFkMThmM2IxN2M0ZmFiYmUzZmE4NDhjNzlhNWExODdjZiI6IHsKICAgICJrZXl0eXBlIjogImVjZHNhIiwKICAgICJrZXl2YWwiOiB7CiAgICAgInB1YmxpYyI6ICItLS0tLUJFR0lOIFBVQkxJQyBLRVktLS0tLVxuTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFQzJ3SjN4c2N5WHhCTHliSjlGVmp3a3lRTWU1M1xuUkhVejc3QWpNTzhNelZhVDh4dzZadkpxZE5aaXl0WXRpZ1dVTGxJTnh3NmZyTnNXSktiL2Y3bEM4QT09XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS1cbiIKICAgIH0sCiAgICAic2NoZW1lIjogImVjZHNhLXNoYTItbmlzdHAyNTYiLAogICAgIngtdHVmLW9uLWNpLWtleW93bmVyIjogIkBrb21tZW5kb3JrYXB0ZW4iCiAgIH0sCiAgICJkNmE4OWUyM2ZiMjI4MDFhMGQxMTg2YmYxYmRkMDA3ZTIyOGY2NWE4YWE5OTY0ZDI0ZDA2Y2I1ZmJiMGNlOTFjIjogewogICAgImtleXR5cGUiOiAiZWNkc2EiLAogICAgImtleXZhbCI6IHsKICAgICAicHVibGljIjogIi0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVEZE9Sd2NydVczZ3FBZ2FMakgvbk5kR01CNGtRXG5BdkErd0Q2RHlPNFAvd1I4ZWUyY2U4M05aSHExWkFES2h2ZTBybFlLYUt5M0NxeVE1U21sWjM2Wmh3PT1cbi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLVxuIgogICAgfSwKICAgICJzY2hlbWUiOiAiZWNkc2Etc2hhMi1uaXN0cDI1NiIsCiAgICAieC10dWYtb24tY2kta2V5b3duZXIiOiAiQGtydWtvdyIKICAgfSwKICAgImViOGVmZjM3ZjkzYWYyZmFhYmE1MTlmMzQxZGVjZWMzY2VjZDNlZWFmY2FjZTMyOTY2ZGI5NzIzODQyYzhhNjIiOiB7CiAgICAia2V5dHlwZSI6ICJlY2RzYSIsCiAgICAia2V5dmFsIjogewogICAgICJwdWJsaWMiOiAiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRU55blZkUW5NOWg3eFU3MUc3UGlKcFFhRGVtdWJcbmtianNqWXdMbFBKVFFWdXhRTzhXZUlwSmY4TUVoNXJmMDF0MmRESXVDc1o1Z1J4K1F2RHYwVXpmc0E9PVxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tXG4iCiAgICB9LAogICAgInNjaGVtZSI6ICJlY2RzYS1zaGEyLW5pc3RwMjU2IiwKICAgICJ4LXR1Zi1vbi1jaS1rZXlvd25lciI6ICJAbXBoNCIKICAgfSwKICAgImViOTc5OWI0ODNhZmZhYzlkYTg3ZWY0YzllYTQ2NzkyODQxNWM5NjEzNDllNjA3ZTVlNmU0ODU2NzliMDdmOGYiOiB7CiAgICAia2V5dHlwZSI6ICJlY2RzYSIsCiAgICAia2V5dmFsIjogewogICAgICJwdWJsaWMiOiAiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRU5LTmNOY1grZDczbFMxVFJGYjlWbnA4SnZPb2hcbnpZUStpbjQzaUdlbmJHOFJHbzlMLzZGSjJob1JiVlU2eHNrdnl1RXJjZFBiQ2RJNEd4clE1aThoa3c9PVxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tXG4iCiAgICB9LAogICAgInNjaGVtZSI6ICJlY2RzYS1zaGEyLW5pc3RwMjU2IiwKICAgICJ4LXR1Zi1vbi1jaS1vbmxpbmUtdXJpIjogImF6dXJla21zOi8vcHJvZHVjdGlvbi10dWYtcm9vdC52YXVsdC5henVyZS5uZXQva2V5cy9PbmxpbmUtS2V5L2FhZjM3NWZkOGVkMjRhY2I5NDlhNWNjMTczNzAwYjA1IgogICB9CiAgfSwKICAicm9sZXMiOiB7CiAgICJyb290IjogewogICAgImtleWlkcyI6IFsKICAgICAiYTEwNTEzYTVhYjYxYWNkMGM2YjZmYmUwNTA0ODU2ZWFkMThmM2IxN2M0ZmFiYmUzZmE4NDhjNzlhNWExODdjZiIsCiAgICAgIjRmNGQxZGQ3NWYyZDdmMzg2MGUzYTA2OGQ3YmVkOTBkZWM1ZjBmYWFmY2JlMWFjZTdmYjdkOTVkMjllMDcyMjgiLAogICAgICI4ODczN2NjZGFjN2I0OWNjMjM3ZTlhYWVhZDgxYmUyYTQwMjc4Yjg4NmE2OTNkODE0OWExOWNmNTQzZjA5M2QzIiwKICAgICAiZDZhODllMjNmYjIyODAxYTBkMTE4NmJmMWJkZDAwN2UyMjhmNjVhOGFhOTk2NGQyNGQwNmNiNWZiYjBjZTkxYyIsCiAgICAgImViOGVmZjM3ZjkzYWYyZmFhYmE1MTlmMzQxZGVjZWMzY2VjZDNlZWFmY2FjZTMyOTY2ZGI5NzIzODQyYzhhNjIiLAogICAgICI4YjQ5OGE4MGExYjdhZjE4OGMxMGM5YWJkZjZhYWRlODFkMTRmYWFmZmNkZTJhYmNkNjA2M2JhYTY3M2ViZDEyIiwKICAgICAiNTM5ZGRlNDQwMTRjODUwZmU2ZWViOGIyOTllYjdkYWUyZTFmNGJmODM0NTRiOTQ5ZTk4YWE3MzU0MmNkYzY1YSIsCiAgICAgIjU0ODA5MTE1YjQwMTM3YWFjMDFhZjRiN2FjMjQwOGM3N2VhMGQ1OGZhNGRhZDQ4ZmMzMTk2NDk3ZDJhMjZmNDQiCiAgICBdLAogICAgInRocmVzaG9sZCI6IDMKICAgfSwKICAgInNuYXBzaG90IjogewogICAgImtleWlkcyI6IFsKICAgICAiZWI5Nzk5YjQ4M2FmZmFjOWRhODdlZjRjOWVhNDY3OTI4NDE1Yzk2MTM0OWU2MDdlNWU2ZTQ4NTY3OWIwN2Y4ZiIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMSwKICAgICJ4LXR1Zi1vbi1jaS1leHBpcnktcGVyaW9kIjogMjEsCiAgICAieC10dWYtb24tY2ktc2lnbmluZy1wZXJpb2QiOiA3CiAgIH0sCiAgICJ0YXJnZXRzIjogewogICAgImtleWlkcyI6IFsKICAgICAiYTEwNTEzYTVhYjYxYWNkMGM2YjZmYmUwNTA0ODU2ZWFkMThmM2IxN2M0ZmFiYmUzZmE4NDhjNzlhNWExODdjZiIsCiAgICAgIjRmNGQxZGQ3NWYyZDdmMzg2MGUzYTA2OGQ3YmVkOTBkZWM1ZjBmYWFmY2JlMWFjZTdmYjdkOTVkMjllMDcyMjgiLAogICAgICI4ODczN2NjZGFjN2I0OWNjMjM3ZTlhYWVhZDgxYmUyYTQwMjc4Yjg4NmE2OTNkODE0OWExOWNmNTQzZjA5M2QzIiwKICAgICAiZDZhODllMjNmYjIyODAxYTBkMTE4NmJmMWJkZDAwN2UyMjhmNjVhOGFhOTk2NGQyNGQwNmNiNWZiYjBjZTkxYyIsCiAgICAgImViOGVmZjM3ZjkzYWYyZmFhYmE1MTlmMzQxZGVjZWMzY2VjZDNlZWFmY2FjZTMyOTY2ZGI5NzIzODQyYzhhNjIiLAogICAgICI4YjQ5OGE4MGExYjdhZjE4OGMxMGM5YWJkZjZhYWRlODFkMTRmYWFmZmNkZTJhYmNkNjA2M2JhYTY3M2ViZDEyIiwKICAgICAiNTM5ZGRlNDQwMTRjODUwZmU2ZWViOGIyOTllYjdkYWUyZTFmNGJmODM0NTRiOTQ5ZTk4YWE3MzU0MmNkYzY1YSIsCiAgICAgIjU0ODA5MTE1YjQwMTM3YWFjMDFhZjRiN2FjMjQwOGM3N2VhMGQ1OGZhNGRhZDQ4ZmMzMTk2NDk3ZDJhMjZmNDQiCiAgICBdLAogICAgInRocmVzaG9sZCI6IDMKICAgfSwKICAgInRpbWVzdGFtcCI6IHsKICAgICJrZXlpZHMiOiBbCiAgICAgImViOTc5OWI0ODNhZmZhYzlkYTg3ZWY0YzllYTQ2NzkyODQxNWM5NjEzNDllNjA3ZTVlNmU0ODU2NzliMDdmOGYiCiAgICBdLAogICAgInRocmVzaG9sZCI6IDEsCiAgICAieC10dWYtb24tY2ktZXhwaXJ5LXBlcmlvZCI6IDcsCiAgICAieC10dWYtb24tY2ktc2lnbmluZy1wZXJpb2QiOiA2CiAgIH0KICB9LAogICJzcGVjX3ZlcnNpb24iOiAiMS4wLjMxIiwKICAidmVyc2lvbiI6IDMsCiAgIngtdHVmLW9uLWNpLWV4cGlyeS1wZXJpb2QiOiAyNDAsCiAgIngtdHVmLW9uLWNpLXNpZ25pbmctcGVyaW9kIjogNjAKIH0KfQ==
status:
  conditions:
    - lastTransitionTime: '2024-09-27T14:34:58Z'
      status: 'True'
      type: ConfigMapUpdated
    - lastTransitionTime: '2024-09-27T14:34:58Z'
      status: 'True'
      type: KeysInlined
    - lastTransitionTime: '2024-09-27T14:34:58Z'
      status: 'True'
      type: Ready
  observedGeneration: 1

the cluster image policy:

apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  annotations:
  creationTimestamp: '2024-09-27T14:58:28Z'
  finalizers:
    - clusterimagepolicies.policy.sigstore.dev
  generation: 6
  name: github-policy
  resourceVersion: '899393500'
  uid: 35015969-c2cc-4758-8d3c-7ddcf5c62702
spec:
  authorities:
    - attestations:
        - name: require-attestation
          predicateType: https://slsa.dev/provenance/v1
      keyless:
        identities:
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: https://github.com/company/.*/\.github/workflows/.*
        trustRootRef: github
        url: https://fulcio.githubapp.com
      name: github
      rfc3161timestamp:
        trustRootRef: github
      signatureFormat: bundle
  images:
    - glob: europe-docker.pkg.dev/platform-stuff/company-prod/**
  mode: enforce

the attestation created by the reusable workflow

Attestation Created
[europe-docker.pkg.dev/platform-stuff/company-prod/kube/mp/calliope@sha256:9ab030caa167cff688e6cd58f3a58b58b9667e53ea438dbc663545782fb6f343](https://github.com/company/app-calliope/attestations/3585848)

controller logs when trying to create a pod:

{"level":"info","ts":"2024-12-03T15:50:36.628Z","logger":"policy-controller","caller":"webhook/conversion.go:45","msg":"Webhook ServeHTTP request=&http.Request{Method:\"POST\", URL:(*url.URL)(0xc005d44cf0), Proto:\"HTTP/1.1\", ProtoMajor:1, ProtoMinor:1, Header:http.Header{\"Accept\":[]string{\"application/json, */*\"}, \"Accept-Encoding\":[]string{\"gzip\"}, \"Content-Length\":[]string{\"3567\"}, \"Content-Type\":[]string{\"application/json\"}, \"User-Agent\":[]string{\"kube-apiserver-admission\"}}, Body:(*http.body)(0xc004bbbcc0), GetBody:(func() (io.ReadCloser, error))(nil), ContentLength:3567, TransferEncoding:[]string(nil), Close:false, Host:\"webhook.sigstore-policy-controller.svc:443\", Form:url.Values(nil), PostForm:url.Values(nil), MultipartForm:(*multipart.Form)(nil), Trailer:http.Header(nil), RemoteAddr:\"10.73.1.30:35410\", RequestURI:\"/resource-conversion?timeout=30s\", TLS:(*tls.ConnectionState)(0xc004552780), Cancel:(<-chan struct {})(nil), Response:(*http.Response)(nil), Pattern:\"/resource-conversion\", ctx:(*context.cancelCtx)(0xc004c0a370), pat:(*http.pattern)(0xc0005ff200), matches:[]string(nil), otherValues:map[string]string(nil)}","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:57:14.288Z","logger":"policy-controller","caller":"webhook/conversion.go:45","msg":"Webhook ServeHTTP request=&http.Request{Method:\"POST\", URL:(*url.URL)(0xc004f6d440), Proto:\"HTTP/1.1\", ProtoMajor:1, ProtoMinor:1, Header:http.Header{\"Accept\":[]string{\"application/json, */*\"}, \"Accept-Encoding\":[]string{\"gzip\"}, \"Content-Length\":[]string{\"3567\"}, \"Content-Type\":[]string{\"application/json\"}, \"User-Agent\":[]string{\"kube-apiserver-admission\"}}, Body:(*http.body)(0xc004f97640), GetBody:(func() (io.ReadCloser, error))(nil), ContentLength:3567, TransferEncoding:[]string(nil), Close:false, Host:\"webhook.sigstore-policy-controller.svc:443\", Form:url.Values(nil), PostForm:url.Values(nil), MultipartForm:(*multipart.Form)(nil), Trailer:http.Header(nil), RemoteAddr:\"10.73.14.5:46326\", RequestURI:\"/resource-conversion?timeout=30s\", TLS:(*tls.ConnectionState)(0xc004e91200), Cancel:(<-chan struct {})(nil), Response:(*http.Response)(nil), Pattern:\"/resource-conversion\", ctx:(*context.cancelCtx)(0xc004fb55e0), pat:(*http.pattern)(0xc0005ff200), matches:[]string(nil), otherValues:map[string]string(nil)}","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:59:17.185Z","logger":"policy-controller","caller":"webhook/conversion.go:45","msg":"Webhook ServeHTTP request=&http.Request{Method:\"POST\", URL:(*url.URL)(0xc004ff8750), Proto:\"HTTP/1.1\", ProtoMajor:1, ProtoMinor:1, Header:http.Header{\"Accept\":[]string{\"application/json, */*\"}, \"Accept-Encoding\":[]string{\"gzip\"}, \"Content-Length\":[]string{\"3567\"}, \"Content-Type\":[]string{\"application/json\"}, \"User-Agent\":[]string{\"kube-apiserver-admission\"}}, Body:(*http.body)(0xc005033ac0), GetBody:(func() (io.ReadCloser, error))(nil), ContentLength:3567, TransferEncoding:[]string(nil), Close:false, Host:\"webhook.sigstore-policy-controller.svc:443\", Form:url.Values(nil), PostForm:url.Values(nil), MultipartForm:(*multipart.Form)(nil), Trailer:http.Header(nil), RemoteAddr:\"10.73.9.31:36944\", RequestURI:\"/resource-conversion?timeout=30s\", TLS:(*tls.ConnectionState)(0xc004e35ec0), Cancel:(<-chan struct {})(nil), Response:(*http.Response)(nil), Pattern:\"/resource-conversion\", ctx:(*context.cancelCtx)(0xc00504b680), pat:(*http.pattern)(0xc0005ff200), matches:[]string(nil), otherValues:map[string]string(nil)}","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:59:47.670Z","logger":"policy-controller","caller":"webhook/admission.go:93","msg":"Webhook ServeHTTP request=&http.Request{Method:\"POST\", URL:(*url.URL)(0xc005937680), Proto:\"HTTP/1.1\", ProtoMajor:1, ProtoMinor:1, Header:http.Header{\"Accept\":[]string{\"application/json, */*\"}, \"Accept-Encoding\":[]string{\"gzip\"}, \"Content-Length\":[]string{\"3225\"}, \"Content-Type\":[]string{\"application/json\"}, \"User-Agent\":[]string{\"kube-apiserver-admission\"}}, Body:(*http.body)(0xc0059a3140), GetBody:(func() (io.ReadCloser, error))(nil), ContentLength:3225, TransferEncoding:[]string(nil), Close:false, Host:\"webhook.sigstore-policy-controller.svc:443\", Form:url.Values(nil), PostForm:url.Values(nil), MultipartForm:(*multipart.Form)(nil), Trailer:http.Header(nil), RemoteAddr:\"10.73.9.31:51416\", RequestURI:\"/mutations?timeout=10s\", TLS:(*tls.ConnectionState)(0xc0057f7c80), Cancel:(<-chan struct {})(nil), Response:(*http.Response)(nil), Pattern:\"/mutations\", ctx:(*context.cancelCtx)(0xc0059aeaa0), pat:(*http.pattern)(0xc0005ff080), matches:[]string(nil), otherValues:map[string]string(nil)}","commit":"cb5e546"}
{"level":"info","ts":"2024-12-03T15:59:47.844Z","logger":"policy-controller","caller":"defaulting/defaulting.go:158","msg":"Kind: \"/v1, Kind=Pod\" PatchBytes: [{\"op\":\"replace\",\"path\":\"/spec/containers/0/image\",\"value\":\"europe-docker.pkg.dev/platform-stuff/company-prod/kube/mp/calliope@sha256:9ab030caa167cff688e6cd58f3a58b58b9667e53ea438dbc663545782fb6f343\"}]","commit":"cb5e546","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"devex-595-jmichaud","knative.dev/name":"test","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"julien.michaud"}
{"level":"info","ts":"2024-12-03T15:59:47.844Z","logger":"policy-controller","caller":"webhook/admission.go:151","msg":"remote admission controller audit annotations=map[string]string(nil)","commit":"cb5e546","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"devex-595-jmichaud","knative.dev/name":"test","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"julien.michaud","admissionreview/uid":"b4d976e7-dfe2-42bb-bac4-99da592eb40c","admissionreview/allowed":true,"admissionreview/result":"nil"}
{"level":"debug","ts":"2024-12-03T15:59:47.844Z","logger":"policy-controller","caller":"webhook/admission.go:152","msg":"AdmissionReview patch={ type: JSONPatch, body: [{\"op\":\"replace\",\"path\":\"/spec/containers/0/image\",\"value\":\"europe-docker.pkg.dev/platform-stuff/company-prod/kube/mp/calliope@sha256:9ab030caa167cff688e6cd58f3a58b58b9667e53ea438dbc663545782fb6f343\"}] }","commit":"cb5e546","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"devex-595-jmichaud","knative.dev/name":"test","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"julien.michaud","admissionreview/uid":"b4d976e7-dfe2-42bb-bac4-99da592eb40c","admissionreview/allowed":true,"admissionreview/result":"nil"}
{"level":"info","ts":"2024-12-03T15:59:47.865Z","logger":"policy-controller","caller":"webhook/admission.go:93","msg":"Webhook ServeHTTP request=&http.Request{Method:\"POST\", URL:(*url.URL)(0xc005a65dd0), Proto:\"HTTP/1.1\", ProtoMajor:1, ProtoMinor:1, Header:http.Header{\"Accept\":[]string{\"application/json, */*\"}, \"Accept-Encoding\":[]string{\"gzip\"}, \"Content-Length\":[]string{\"3367\"}, \"Content-Type\":[]string{\"application/json\"}, \"User-Agent\":[]string{\"kube-apiserver-admission\"}}, Body:(*http.body)(0xc005a87640), GetBody:(func() (io.ReadCloser, error))(nil), ContentLength:3367, TransferEncoding:[]string(nil), Close:false, Host:\"webhook.sigstore-policy-controller.svc:443\", Form:url.Values(nil), PostForm:url.Values(nil), MultipartForm:(*multipart.Form)(nil), Trailer:http.Header(nil), RemoteAddr:\"10.73.1.30:44596\", RequestURI:\"/validations?timeout=10s\", TLS:(*tls.ConnectionState)(0xc005aa0900), Cancel:(<-chan struct {})(nil), Response:(*http.Response)(nil), Pattern:\"/validations\", ctx:(*context.cancelCtx)(0xc0059afdb0), pat:(*http.pattern)(0xc0005ff020), matches:[]string(nil), otherValues:map[string]string(nil)}","commit":"cb5e546"}
{"level":"debug","ts":"2024-12-03T15:59:47.873Z","logger":"policy-controller","caller":"webhook/validator.go:426","msg":"Checking Policy: github-policy","commit":"cb5e546","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"devex-595-jmichaud","knative.dev/name":"test","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"julien.michaud"}
{"level":"debug","ts":"2024-12-03T15:59:47.873Z","logger":"policy-controller","caller":"webhook/validator.go:513","msg":"Checking Authority: github\n","commit":"cb5e546","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"devex-595-jmichaud","knative.dev/name":"test","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"julien.michaud"}
{"level":"warn","ts":"2024-12-03T15:59:48.168Z","logger":"policy-controller","caller":"webhook/validator.go:1264","msg":"Failed to validate at least one policy for europe-docker.pkg.dev/platform-stuff/company-prod/kube/mp/calliope@sha256:9ab030caa167cff688e6cd58f3a58b58b9667e53ea438dbc663545782fb6f343 wanted 1 policies, only validated 0","commit":"cb5e546","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"devex-595-jmichaud","knative.dev/name":"test","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"julien.michaud"}
{"level":"error","ts":"2024-12-03T15:59:48.168Z","logger":"policy-controller","caller":"validation/validation_admit.go:183","msg":"Failed the resource specific validation","commit":"cb5e546","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"devex-595-jmichaud","knative.dev/name":"test","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"julien.michaud","stacktrace":"knative.dev/pkg/webhook/resourcesemantics/validation.validate\n\tknative.dev/[email protected]/webhook/resourcesemantics/validation/validation_admit.go:183\nknative.dev/pkg/webhook/resourcesemantics/validation.(*reconciler).Admit\n\tknative.dev/[email protected]/webhook/resourcesemantics/validation/validation_admit.go:79\nknative.dev/pkg/webhook.New.admissionHandler.func4\n\tknative.dev/[email protected]/webhook/admission.go:123\nnet/http.HandlerFunc.ServeHTTP\n\tnet/http/server.go:2220\nnet/http.(*ServeMux).ServeHTTP\n\tnet/http/server.go:2747\nknative.dev/pkg/webhook.(*Webhook).ServeHTTP\n\tknative.dev/[email protected]/webhook/webhook.go:302\nknative.dev/pkg/network/handlers.(*Drainer).ServeHTTP\n\tknative.dev/[email protected]/network/handlers/drain.go:113\nnet/http.serverHandler.ServeHTTP\n\tnet/http/server.go:3210\nnet/http.(*conn).serve\n\tnet/http/server.go:2092"}
{"level":"info","ts":"2024-12-03T15:59:48.168Z","logger":"policy-controller","caller":"webhook/admission.go:151","msg":"remote admission controller audit annotations=map[string]string(nil)","commit":"cb5e546","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"devex-595-jmichaud","knative.dev/name":"test","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"julien.michaud","admissionreview/uid":"b1da8264-9490-4d14-b67a-b0e606e6887f","admissionreview/allowed":false,"admissionreview/result":"&Status{ListMeta:ListMeta{SelfLink:,ResourceVersion:,Continue:,RemainingItemCount:nil,},Status:Failure,Message:validation failed: failed policy: github-policy: spec.containers[0].image\neurope-docker.pkg.dev/platform-stuff/company-prod/kube/mp/calliope@sha256:9ab030caa167cff688e6cd58f3a58b58b9667e53ea438dbc663545782fb6f343 no bundle found in referrers,Reason:BadRequest,Details:nil,Code:400,}"}
{"level":"debug","ts":"2024-12-03T15:59:48.168Z","logger":"policy-controller","caller":"webhook/admission.go:152","msg":"AdmissionReview patch={ type: , body:  }","commit":"cb5e546","knative.dev/kind":"/v1, Kind=Pod","knative.dev/namespace":"devex-595-jmichaud","knative.dev/name":"test","knative.dev/operation":"CREATE","knative.dev/resource":"/v1, Resource=pods","knative.dev/subresource":"","knative.dev/userinfo":"julien.michaud","admissionreview/uid":"b1da8264-9490-4d14-b67a-b0e606e6887f","admissionreview/allowed":false,"admissionreview/result":"&Status{ListMeta:ListMeta{SelfLink:,ResourceVersion:,Continue:,RemainingItemCount:nil,},Status:Failure,Message:validation failed: failed policy: github-policy: spec.containers[0].image\neurope-docker.pkg.dev/platform-stuff/company-prod/kube/mp/calliope@sha256:9ab030caa167cff688e6cd58f3a58b58b9667e53ea438dbc663545782fb6f343 no bundle found in referrers,Reason:BadRequest,Details:nil,Code:400,}"}

[~/Documents]$ gh attestation verify oci://europe-docker.pkg.dev/platform-stuff/company-prod/kube/mp/calliope:latest-app-calliope-test-SNAPSHOT --owner company --no-public-good
Loaded digest sha256:9ab030caa167cff688e6cd58f3a58b58b9667e53ea438dbc663545782fb6f343 for oci://europe-docker.pkg.dev/platform-stuff/mirakl-prod/kube/mp/calliope:latest-app-calliope-test-SNAPSHOT
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:9ab030caa167cff688e6cd58f3a58b58b9667e53ea438dbc663545782fb6f343 was attested by:
REPO                                   PREDICATE_TYPE                  WORKFLOW                                                                                
company/reusable-workflows-app-release  https://slsa.dev/provenance/v1  .github/workflows/_build-kubernetes-images.yml@refs/tags/_build-kubernetes-images.yml/v3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

no bundle found in referrers #179

no bundle found in referrers #179

julien-michaud commented Sep 30, 2024 •

edited

Loading

codysoyland commented Nov 15, 2024

julien-michaud commented Dec 3, 2024 •

edited

Loading

no bundle found in referrers #179

no bundle found in referrers #179

Comments

julien-michaud commented Sep 30, 2024 • edited Loading

codysoyland commented Nov 15, 2024

julien-michaud commented Dec 3, 2024 • edited Loading

julien-michaud commented Sep 30, 2024 •

edited

Loading

julien-michaud commented Dec 3, 2024 •

edited

Loading