diff --git a/infrastructure/configurations/kustomization.yaml b/infrastructure/configurations/kustomization.yaml
index d06d235..45a248e 100644
--- a/infrastructure/configurations/kustomization.yaml
+++ b/infrastructure/configurations/kustomization.yaml
@@ -4,3 +4,4 @@ namespace: flux-system
 resources:
   - cert-manager-issuer/cluster-issuer.yaml
+  - kyverno-policies/check-image-signature.yaml
diff --git a/infrastructure/configurations/kyverno-policies/check-image-signature.yaml b/infrastructure/configurations/kyverno-policies/check-image-signature.yaml
new file mode 100644
index 0000000..069647d
--- /dev/null
+++ b/infrastructure/configurations/kyverno-policies/check-image-signature.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-image-signature
+spec:
+  validationFailureAction: Enforce
+  background: false
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail
+  rules:
+    - name: check-image-signature
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      verifyImages:
+        - imageReferences:
+            - "ghcr.io/do4-2022/openstack-k0s-apko*"
+          attestors:
+            - count: 1
+              entries:
+                - keyless:
+                    subject: "https://github.com/do4-2022/openstack-k0s-apko/.github/workflows/ci.yaml@refs/heads/main"
+                    issuer: "https://token.actions.githubusercontent.com"
+                    rekor:
+                      url: https://rekor.sigstore.dev
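Review bot: The pattern `"ghcr.io/do4-2022/openstack-k0s-apko*"` under `imageReferences` is a prefix wildcard, so it also selects any sibling repository whose name merely starts with `openstack-k0s-apko` and requires that image to be signed by exactly this `ci.yaml@refs/heads/main` identity; the trailing `*` is still needed so that tag and `@sha256:` digest references of the intended image are covered, so the point is to document the scope rather than tighten it, e.g. `# prefix match: also covers ghcr.io/do4-2022/openstack-k0s-apko-* siblings and digest references`. Pinning `subject` to `refs/heads/main` is the right fail-closed choice, but it means images built from a tag or release branch will be rejected at admission, which deserves a comment on the `keyless` entry so the next person does not loosen it to a regex without thinking. With `failurePolicy: Fail` and `webhookTimeoutSeconds: 30`, keyless verification depends on Rekor reachability at admission time, so an outage of `rekor.sigstore.dev` blocks every matching Pod instead of admitting unverified images, presumably the intended behaviour, but worth stating in the policy or commit message. Minor: `rekor.url` is the only URL left unquoted; quoting it like `subject` and `issuer` keeps the file consistent.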