The idea of having the image signature validation at the kubelet level sounds good to reduce the latency when creating resources. However, the user experience would be affected.
The kubelet will report the failure once the Pod has already been created. If we identify the steps: the k8s API creates the pod, waits for the scheduler to allocate the pod, schedules that pod on a node, and finally the kubelet fails to create the container due to a wrong signature.
I'd personally recommend failing at an earlier stage.