Rob Best

Results 44 comments of Rob Best

> My initial thought was that another field could be added, something like exemptFromAudit, which could be set to true to not match during the audit. Perhaps a new `enforcementAction`,...

> I'm curious though: what benefit are you getting by requiring a label to be set before deletion?

This is mostly to protect ourselves from ourselves. We had an experience...

As a bit of a related aside, what we've ended up doing to insulate other resource types from being needlessly evaluated for `DELETE` operations is to define a separate webhook...

> The important thing is that the build system then conceptually grows to encompass this new system

If an organisation moves from producing provenance as part of a build step...

> Does that help?

@MarkLodato It does, yep! So you're saying that rather than every team that produces artifacts from GitHub Actions workflows running an external monitor in their own...

In 1.6, the cloud provider keychains are only set up when the 'kubernetes keychain' is initialized and that only happens if there are image pull secrets specified by the flag `-imagePullSecrets`....

This was cherry picked into 1.6 here: https://github.com/kyverno/kyverno/pull/3166. Seems to be working for me in v1.6.0-rc3. Could you confirm if this has solved your issues @developer-guy?

@developer-guy Yes, please :bow: If it still doesn't work, then it would be nice to have some more details:

- Any error messages from Kyverno's logs
- More information about the...

Okay, if it's a public image then the keychain is probably nothing to do with it. KMS definitely works for me with workload identity, so I suspect it might be...

Was the `cosign verify` command you posted above executed in a pod in the same cluster with the same service account as kyverno?