Policy "no attestations ... denied" (kyverno / cosign policy) in CI
An image policy (Kyverno verifyImages or a cosign policy) requires a signed attestation of a given type from a trusted identity. It denies the image when no such attestation is attached or the identity/type does not match.
What this error means
A policy check in CI (or admission in a kind cluster during CI) denies the image with "no matching attestations", "attestation check failed", or "image is not signed".
resource Pod/default/app was blocked due to the following policies
check-attestations:
autogen-check-attestations: 'image ghcr.io/acme/app@sha256:... failed: .attestors[0]: no matching attestations'Common causes
The required attestation is missing
The image was pushed without the SBOM or provenance attestation the policy demands, so admission finds nothing to check.
Identity or predicate type in the policy does not match
The policy pins an issuer, subject, or predicate type that does not equal what actually signed the attestation, so no attestation qualifies.
How to fix it
Attach the attestation the policy expects
- Attest the image with the predicate type the policy requires.
- Sign with the identity (issuer and subject) the policy trusts.
- Re-run the policy check against the image digest.
cosign attest --yes --type slsaprovenance \
--predicate provenance.json ghcr.io/acme/app@sha256:...Align the policy attestors with the real signer
Set the policy issuer, subject, and predicate type to match the keyless identity and attestation type your pipeline produces.
attestations:
- predicateType: https://slsa.dev/provenance/v1
attestors:
- entries:
- keyless:
issuer: https://token.actions.githubusercontent.com
subject: "https://github.com/acme/app/*"How to prevent it
- Attest every image with the predicate type your policy requires.
- Keep the policy issuer, subject, and predicate type in sync with signing.
- Test the policy against a signed image before enforcing it.