The OpenShift Platform allows for verifying the signature of a container
image before pulling it. This is done via the policy.json file [1],
which needs to be configured via the Machine Config Operator [2].
Ensure that the default policy is "reject" in /etc/containers/policy.json,
which should look as follows:
    {
        "default": [{"type": "reject"}],
        "transports":
            ...
    }
Addition of allowed registries must be an explicit action to ensure that only
containers from allowed registries are used.
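As an added example (not part of the referenced documentation or of the rule text), the following Python audits a policy.json document: it confirms that the global default is a single "reject" requirement and lists every transport scope that still accepts unsigned images. The embedded policy is constructed for illustration; the registry name and GPG key path in it are placeholders.

```python
import json

# Constructed sample policy.json in the containers-policy.json(5) format:
# the global default rejects every image, one registry (placeholder name)
# is allowed only with a valid signature from a placeholder GPG key, and
# the docker-daemon transport is left open, which the audit should report.
SAMPLE_POLICY = json.dumps({
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "registry.example.com": [
                {"type": "signedBy",
                 "keyType": "GPGKeys",
                 "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-example"}
            ]
        },
        "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
    }
})


def audit_policy(policy_text):
    """Return (default_is_reject, findings) for a policy.json document.

    default_is_reject is True only when "default" is exactly
    [{"type": "reject"}]; findings lists every transport scope whose
    requirements include insecureAcceptAnything, i.e. unsigned pulls.
    """
    policy = json.loads(policy_text)
    findings = []
    default_is_reject = policy.get("default") == [{"type": "reject"}]
    if not default_is_reject:
        findings.append("default policy is not a single 'reject' requirement")
    for transport, scopes in policy.get("transports", {}).items():
        for scope, requirements in scopes.items():
            for requirement in requirements:
                if requirement.get("type") == "insecureAcceptAnything":
                    # An empty scope ("") applies to the whole transport.
                    findings.append(
                        f"{transport}:{scope or '<all>'} accepts unsigned images")
    return default_is_reject, findings


if __name__ == "__main__":
    ok, issues = audit_policy(SAMPLE_POLICY)
    print("default is reject:", ok)
    for issue in issues:
        print("review:", issue)
```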
[1] https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md
[2] https://docs.openshift.com/container-platform/latest/security/container_security/security-container-signature.html