apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-yaml
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail  
  rules:
    - name: validate-yaml
      match:
        any:
        - resources:
            kinds:
            - Service
      validate:
        manifests:
          attestors:
          - entries:
            - keys:
                publicKeys: |-
                    -----BEGIN PUBLIC KEY-----
                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
                    BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
                    -----END PUBLIC KEY-----
                rekor:
                  url: https://rekor.sigstore.dev
                  ignoreTlog: true
                ctlog:
                  ignoreSCT: true
            - keys:
                publicKeys: |-
                    -----BEGIN PUBLIC KEY-----
                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
                    FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
                    -----END PUBLIC KEY-----
                rekor:
                  url: https://rekor.sigstore.dev
                  ignoreTlog: true
                ctlog:
                  ignoreSCT: true