Support an image verification policy which applies to any image being pulled by Talos/CRI, and which works transparently with registry mirrors or registry auth.
Yes, there is a Kubernetes admission policy plugin, but it doesn't apply to static pods and Talos image pulls.
Yes, there is support in the containerd transfer service, but we can't use it right now as it doesn't support registry auth.
We need to figure out some solution which might involve patching containerd/CRI.