kyverno cli: bundleVerified, but policy failed?


I am trying to set up a policy to block images without attestation.

Here is my code: https://github.com/whoissqr/cg-test-keyless-sign

My ClusterPolicy is as follows:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-keyless
spec:
  validationFailureAction: Enforce
  failurePolicy: Fail
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: check-image-keyless
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - verifyDigest: false
        imageReferences:
        - "ghcr.io/whoissqr/cg-test-keyless-sign:latest"
        attestors:
        - entries:
          - keyless:
              subject: "https://github.com/whoissqr/cg-test-keyless-sign/.github/workflows/main.yml@refs/heads/main"
              issuer: "https://token.actions.githubusercontent.com"
              rekor:
                url: https://rekor.sigstore.dev

When I run `kubectl get clusterpolicies -o yaml | kyverno apply - --resource ./k3s/pod.yaml -v 5`, I get:

policy check-image-keyless -> resource app/Pod/cg failed: 
1. check-image-keyless: unverified image ghcr.io/whoissqr/cg-test-keyless-sign:latest 
I0226 13:11:26.376474    6153 cosign.go:86] cosign "msg"="verified image" "bundleVerified"=true "count"=1
I0226 13:11:26.376625    6153 imageVerify.go:511] EngineVerifyImages "msg"="image attestors verification succeeded" "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "requiredCount"=1 "verifiedCount"=1
I0226 13:11:26.376663    6153 imageVerify.go:287] EngineVerifyImages "msg"="adding digest patch" "image"="ghcr.io/whoissqr/cg-test-keyless-sign:latest" "kind"="Pod" "name"="cg" "namespace"="app" "patch"="{\"op\":\"replace\",\"path\":\"/spec/containers/0/image\",\"value\":\"ghcr.io/whoissqr/cg-test-keyless-sign:latest@sha256:0c1f3bc065a0f1e7ea189fe50cf6f0e74e20b046bcfb6674eb716bd0af80f457\"}" "policy"="check-image-keyless"
I0226 13:11:26.376891    6153 validation.go:591] EngineVerifyImages "msg"="resource does not match rule" "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "reason"="rule autogen-check-image-keyless not matched:\n 1. no resource matched"
I0226 13:11:26.376996    6153 validation.go:591] EngineVerifyImages "msg"="resource does not match rule" "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "reason"="rule autogen-cronjob-check-image-keyless not matched:\n 1. no resource matched"
I0226 13:11:26.377050    6153 imageVerify.go:83] EngineVerifyImages "msg"="processed image verification rules" "applied"=1 "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "successful"=true "time"="1.301291106s"
I0226 13:11:26.377099    6153 rule.go:233] autogen "msg"="processing rule" "rulename"="check-image-keyless"
I0226 13:11:26.377219    6153 rule.go:286] autogen "msg"="generating rule for cronJob" 
I0226 13:11:26.377235    6153 rule.go:233] autogen "msg"="processing rule" "rulename"="check-image-keyless"
I0226 13:11:26.377335    6153 rule.go:233] autogen "msg"="processing rule" "rulename"="check-image-keyless"
I0226 13:11:26.377416    6153 rule.go:286] autogen "msg"="generating rule for cronJob" 
I0226 13:11:26.377432    6153 rule.go:233] autogen "msg"="processing rule" "rulename"="check-image-keyless"
pass: 1, fail: 1, warn: 0, error: 0, skip: 4 
Error: Process completed with exit code 1.

What exactly is the `fail: 1` about?

Also, the cosign verification is passing.

1
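The `-v 5` output above already contains the answer to what the CLI did with the image: cosign reported `bundleVerified=true`, the attestor rule reported `verifiedCount=1` of `requiredCount=1`, and Kyverno emitted a JSON patch that rewrites the `:latest` tag to a digest-pinned reference. The following is an added example (not code from the question or from the Kyverno project) that parses those three klog-style lines, applies the emitted patch to a Pod manifest, and checks that the result is digest-pinned and that the original reference matches the policy's `imageReferences`. The `POD` document is a constructed stand-in for `./k3s/pod.yaml`, which the question does not show, and `fnmatchcase` is used as an approximation of Kyverno's wildcard matching for `imageReferences`.

```python
import copy
import json
import re
from fnmatch import fnmatchcase

# imageReferences from the ClusterPolicy in the question.
IMAGE_REFERENCES = ["ghcr.io/whoissqr/cg-test-keyless-sign:latest"]

# Constructed sample Pod standing in for ./k3s/pod.yaml (assumption: the question
# does not show the file; only the name/namespace/image are known from the log).
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "cg", "namespace": "app"},
    "spec": {"containers": [{"name": "cg", "image": "ghcr.io/whoissqr/cg-test-keyless-sign:latest"}]},
}

# Three lines copied verbatim from the -v 5 output in the question.
CLI_LINES = [
    r'I0226 13:11:26.376474    6153 cosign.go:86] cosign "msg"="verified image" "bundleVerified"=true "count"=1',
    r'I0226 13:11:26.376625    6153 imageVerify.go:511] EngineVerifyImages "msg"="image attestors verification succeeded" "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "requiredCount"=1 "verifiedCount"=1',
    r'I0226 13:11:26.376663    6153 imageVerify.go:287] EngineVerifyImages "msg"="adding digest patch" "image"="ghcr.io/whoissqr/cg-test-keyless-sign:latest" "kind"="Pod" "name"="cg" "namespace"="app" "patch"="{\"op\":\"replace\",\"path\":\"/spec/containers/0/image\",\"value\":\"ghcr.io/whoissqr/cg-test-keyless-sign:latest@sha256:0c1f3bc065a0f1e7ea189fe50cf6f0e74e20b046bcfb6674eb716bd0af80f457\"}" "policy"="check-image-keyless"',
]

# "key"="quoted value with \" escapes"  or  "key"=bareValue
KV_RE = re.compile(r'"([A-Za-z_]\w*)"=("(?:[^"\\]|\\.)*"|[^\s"]+)')


def parse_klog_kv(line):
    """Return the "key"=value pairs of a klog-style line as a dict.
    Quoted values are Go %q strings and bare values are true/false/numbers,
    all of which json.loads decodes for these lines."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        try:
            fields[key] = json.loads(raw)
        except json.JSONDecodeError:
            fields[key] = raw
    return fields


def apply_json_patch_op(doc, op):
    """Apply one RFC 6902 'replace' operation (the op Kyverno emits for digest pinning)."""
    if op["op"] != "replace":
        raise ValueError("only 'replace' is handled here, got %r" % op["op"])
    patched = copy.deepcopy(doc)
    *parents, leaf = op["path"].lstrip("/").split("/")
    node = patched
    for part in parents:
        node = node[int(part)] if isinstance(node, list) else node[part]
    if isinstance(node, list):
        node[int(leaf)] = op["value"]
    else:
        node[leaf] = op["value"]
    return patched


DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_digest_pinned(image):
    """True when the reference ends in an immutable sha256 digest."""
    return DIGEST_RE.search(image) is not None


def matches_policy(image, references=IMAGE_REFERENCES):
    """Approximate Kyverno's wildcard matching of imageReferences with fnmatch."""
    return any(fnmatchcase(image, ref) for ref in references)


def analyze(lines, pod=POD):
    """Correlate the cosign/attestor lines with the digest patch and apply it to the Pod.
    Returns (summary dict, patched pod)."""
    summary = {"bundle_verified": False, "required": None, "verified": None,
               "image": None, "matches_policy": False, "pinned_image": None}
    patched = pod
    for line in lines:
        f = parse_klog_kv(line)
        msg = f.get("msg")
        if msg == "verified image":
            summary["bundle_verified"] = bool(f.get("bundleVerified"))
        elif msg == "image attestors verification succeeded":
            summary["required"] = f.get("requiredCount")
            summary["verified"] = f.get("verifiedCount")
        elif msg == "adding digest patch":
            summary["image"] = f["image"]
            summary["matches_policy"] = matches_policy(f["image"])
            patched = apply_json_patch_op(patched, json.loads(f["patch"]))
            summary["pinned_image"] = patched["spec"]["containers"][0]["image"]
    summary["digest_pinned"] = bool(summary["pinned_image"]) and is_digest_pinned(summary["pinned_image"])
    return summary, patched


if __name__ == "__main__":
    result, pod_after = analyze(CLI_LINES)
    print(json.dumps(result, indent=2))
    print("image after Kyverno mutation:", pod_after["spec"]["containers"][0]["image"])
```

Running it shows the same story the log tells: the keyless signature verified, one of one required attestors passed, and the only change Kyverno made to the Pod is to pin `:latest` to its digest. The `fail: 1` in the summary is therefore not coming from the image verification itself, which is consistent with the accepted answer running `kyverno apply` against the policy file directly rather than against the cluster's rendered ClusterPolicy.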

1 answer

0
sqr

The following worked, thanks to an expert in the Kyverno Slack channel:

      - name: (optional) Install Kyverno CLI
        if: always() 
        uses: kyverno/[email protected]
          
      - name: (optional) Dry run policy using Kyverno CLI
        if: always() 
        run: |
          kyverno version
          kyverno apply ./k3s/policy-check-image-keyless.yaml --resource ./k3s/pod.yaml
          # kubectl get clusterpolicies -o yaml | kyverno apply - --resource ./k3s/pod.yaml -v 10