Install Sigstore Policy Controller via its Helm chart: `helm install policy-controller sigstore/policy-controller -n cosign-system --create-namespace`
Label the target namespace with `policy.sigstore.dev/include: 'true'` to opt it in to admission enforcement
Create a `ClusterImagePolicy` resource whose `spec.images` list carries the `glob` patterns to govern and whose `spec.authorities` block has `keyless.url: https://fulcio.sigstore.dev` and a `keyless.identities` list constraining the OIDC `issuer` and the certificate subject (exact `subject` or an anchored `subjectRegExp`)
Attempt to deploy an unsigned test image whose reference matches the policy's `images` glob and confirm the admission webhook rejects it with a policy violation message; by default an image that matches no `ClusterImagePolicy` is admitted (`no-match-policy` in the `config-policy-controller` ConfigMap defaults to `allow`), so a test image outside the glob proves nothing
Review the Policy Controller webhook logs for denied admissions (the API server audit log records the same webhook rejections) and route them into your security monitoring pipeline
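The five steps above as one script, added here as an example; it is not part of the original page or of the Policy Controller project. It assumes a namespace `payments`, images under `ghcr.io/acme/**` signed keyless by the `release.yml` GitHub Actions workflow of `github.com/acme/app` on `main`, and the webhook deployment name `policy-controller-webhook`; change these for your environment. The policy is rendered to stdout so it can be reviewed or committed before `kubectl apply`.

```shell
#!/bin/sh
# Added example (not project code): install Policy Controller, opt a namespace
# in, apply a keyless ClusterImagePolicy, and prove that an unsigned image is
# denied. Namespace, glob, repo and workflow below are assumptions.
set -eu

NS="${NS:-payments}"
IMAGE_GLOB="${IMAGE_GLOB:-ghcr.io/acme/**}"
ISSUER="https://token.actions.githubusercontent.com"
# Anchored with ^ and $: cosign matches subjectRegExp as a substring search,
# so an unanchored pattern would also accept e.g. ...@refs/heads/main-foo.
SUBJECT_RE='^https://github\.com/acme/app/\.github/workflows/release\.yml@refs/heads/main$'

install_controller() {
  helm repo add sigstore https://sigstore.github.io/helm-charts
  helm repo update
  helm install policy-controller sigstore/policy-controller \
    -n cosign-system --create-namespace --wait
}

# Only labelled namespaces are subject to admission enforcement.
opt_in_namespace() {
  kubectl create namespace "$1" --dry-run=client -o yaml | kubectl apply -f -
  kubectl label namespace "$1" policy.sigstore.dev/include=true --overwrite
}

# Render the ClusterImagePolicy to stdout: name, image glob, OIDC issuer,
# anchored subject regexp.
render_policy() {
  name="$1"; glob="$2"; issuer="$3"; subject_re="$4"
  cat <<EOF
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ${name}
spec:
  images:
    - glob: "${glob}"
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
        identities:
          - issuer: ${issuer}
            subjectRegExp: '${subject_re}'
EOF
}

# Try to run an unsigned image that matches the glob. Succeeds (exit 0) only
# if the policy.sigstore.dev webhook denied the pod; anything else is a FAIL.
expect_rejection() {
  ns="$1"; image="$2"
  if out=$(kubectl -n "$ns" run unsigned-test --image="$image" --restart=Never 2>&1); then
    kubectl -n "$ns" delete pod unsigned-test --ignore-not-found >/dev/null
    echo "FAIL: unsigned image $image was admitted" >&2
    return 1
  fi
  if ! printf '%s\n' "$out" | grep -q 'policy.sigstore.dev'; then
    echo "FAIL: pod rejected for another reason: $out" >&2
    return 1
  fi
  echo "OK: admission denied for $image"
}

main() {
  install_controller
  opt_in_namespace "$NS"
  render_policy acme-keyless "$IMAGE_GLOB" "$ISSUER" "$SUBJECT_RE" | kubectl apply -f -
  expect_rejection "$NS" "ghcr.io/acme/unsigned:latest"
  # Denials show up in the webhook logs; ship these to your monitoring pipeline.
  # "policy-controller-webhook" is the assumed deployment name for this release.
  kubectl -n cosign-system logs deploy/policy-controller-webhook --since=5m | grep -i denied || true
}

# Run the full procedure only when invoked as: ./rollout.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Sourcing the file without `run` just defines the functions, which is handy for calling `render_policy` on its own in CI to diff the rendered policy against what is in the cluster.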
Known gotchas
Policy Controller registers a `MutatingWebhookConfiguration` (which resolves image tags to digests) and a `ValidatingWebhookConfiguration` (which enforces the policies); if the webhook pods are unavailable the default `failurePolicy: Fail` blocks every pod creation in opted-in namespaces, including pods the scheduler recreates after a node failure, so run the controller with enough replicas and spread them across nodes
Each entry in the `identities` list takes either the exact-match `issuer`/`subject` fields or their `issuerRegExp`/`subjectRegExp` counterparts; a regexp is evaluated as an unanchored search, so a pattern without `^` and `$` (or one ending in `.*`) accepts more certificate subjects than intended, while an over-specific exact `subject` rejects signatures from a renamed workflow or branch
Policy Controller caches TUF root metadata; after a Sigstore root rotation the controller may need a rolling restart to pick up the new root keys
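A pre-commit check for the `identities` gotcha above, added here as an example and not part of the original page or the Policy Controller project. `find_unanchored` scans a policy file for `subjectRegExp`/`issuerRegExp` values that are not anchored at both ends, and `subject_matches` shows why that matters: it approximates cosign's Go `regexp.MatchString` call with `grep -E`, which is also an unanchored search (RE2 and POSIX ERE differ in corner cases, not for ordinary identity patterns). The policy written by `write_sample_policy` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not project code): lint a ClusterImagePolicy for unanchored
# identity regexps and demonstrate the over-match they cause.
set -eu

# Print "<field>: <pattern>" for every subjectRegExp/issuerRegExp that does not
# start with ^ and end with $. Exit status 1 if any were found, 0 otherwise.
find_unanchored() {
  awk -v q="'" '
    /^[ \t-]*(subjectRegExp|issuerRegExp):/ {
      sub(/^[ \t-]*/, "")                  # drop indentation and list dash
      field = $1; sub(/:$/, "", field)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)  # text after "field:" (URLs keep their colons)
      gsub("^[\"" q "]|[\"" q "]$", "", val)   # strip one pair of surrounding quotes
      if (val !~ /^\^/ || val !~ /\$$/) { print field ": " val; bad++ }
    }
    END { exit bad > 0 }' "$1"
}

# Does PATTERN accept SUBJECT the way cosign does? grep -E is an unanchored
# search, like Go regexp.MatchString, so this is a faithful stand-in here.
subject_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Constructed sample: one anchored identity (correct) and one unanchored (bug).
write_sample_policy() {
  cat > "$1" <<'EOF'
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: acme-keyless
spec:
  images:
    - glob: "ghcr.io/acme/**"
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
        identities:
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: '^https://github\.com/acme/app/\.github/workflows/release\.yml@refs/heads/main$'
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: 'https://github\.com/acme/.*'
EOF
}

# Usage: ./lint-identities.sh policy.yaml  (exit 1 if any pattern is unanchored)
if [ "${1:-}" != "" ]; then
  find_unanchored "$1"
fi
```

Wire `find_unanchored` into the pipeline that applies policies; the unanchored pattern in the sample would let any certificate whose subject merely contains `https://github.com/acme/` through, which includes workflows in every repository of that organisation and any branch or tag.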