Being able to specify images by hash would be a simpler alternative.
Requiring signed images seems like an arbitrary place to require signatures, given that there's plenty of parts of kubernetes deployment configs that could be used to do damage and you need the whole thing authenticated. I guess a benefit of having signed images instead of content-addressed images is that they could be updated by a trusted person without needing to update any kubernetes deployments, but presumably you'd want to tell kubernetes to switch its running instances to the new images so that sounds like an incomplete solution.
Requiring signed images seems like an arbitrary place to require signatures, given that there's plenty of parts of kubernetes deployment configs that could be used to do damage and you need the whole thing authenticated. I guess a benefit of having signed images instead of content-addressed images is that they could be updated by a trusted person without needing to update any kubernetes deployments, but presumably you'd want to tell kubernetes to switch its running instances to the new images so that sounds like an incomplete solution.