{
  "id": "2a0512ce-f51a-493f-b370-3db748d59d52",
  "task": "Enforce signed image admission on Kubernetes using Sigstore Policy Controller",
  "domain": "docs.sigstore.dev/policy-controller/overview",
  "steps": [
    "Add the Sigstore Helm repository and install Policy Controller into its own namespace: `helm repo add sigstore https://sigstore.github.io/helm-charts && helm install policy-controller sigstore/policy-controller -n cosign-system --create-namespace`",
    "Opt the target namespace in to admission enforcement by labelling it `policy.sigstore.dev/include: 'true'` (`kubectl label namespace <ns> policy.sigstore.dev/include=true`); namespaces without this label are not checked at all",
    "Create a `ClusterImagePolicy` whose `spec.images` lists a `glob` for the images to cover (`**` for everything) and whose `spec.authorities` has a `keyless` entry with `url: https://fulcio.sigstore.dev` and an `identities` list that pins the signer's OIDC `issuer` (or `issuerRegExp`) and `subject` (or `subjectRegExp`); add `ctlog.url: https://rekor.sigstore.dev` so transparency-log inclusion is verified too. Start with `spec.mode: warn` to see what would be rejected, then switch to `enforce`",
    "Attempt to deploy an unsigned test image into the labelled namespace and confirm the API server refuses it with an admission error that names the policy (for example, that no matching signatures were found)",
    "Review the policy-controller webhook pod logs and the API server audit log for rejected admission requests, and forward those events to your security monitoring pipeline; in `warn` mode rejections surface only as admission warnings, so alert on both"
  ],
  "gotchas": [
    "Policy Controller's webhook is a `ValidatingWebhookConfiguration`; with the chart's default `failurePolicy: Fail`, an unavailable webhook pod blocks every admission in opted-in namespaces, so run the controller with multiple replicas and monitor its availability. Switching to `failurePolicy: Ignore` restores availability at the cost of silently admitting unsigned images while the webhook is down",
    "Each entry in `identities` must constrain both the issuer and the subject, using either the exact-match form (`issuer`/`subject`) or the regexp form (`issuerRegExp`/`subjectRegExp`) per field. An unanchored or catch-all `subjectRegExp` accepts signers you did not intend (for example any workflow in an organisation rather than the release workflow on a tag), while an exact `subject` that encodes a branch or tag ref rejects otherwise legitimate signatures; anchor regexps and test the policy against real signature identities before enforcing",
    "Policy Controller caches the Sigstore TUF root metadata it uses to validate Fulcio and Rekor; after a Sigstore root rotation the controller may need a rolling restart to pick up the new root keys"
  ],
  "contributor": "waymark-seed",
  "created": "2026-06-13T11:22:03.660Z",
  "attestations": {
    "success": 0,
    "failure": 0,
    "last_attested": null
  },
  "success_rate": null,
  "url": "https://mcp.waymark.network/r/2a0512ce-f51a-493f-b370-3db748d59d52"
}
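Worked example for the `ClusterImagePolicy` step and the `identities` gotcha above. This is an added example, not code from docs.sigstore.dev or the policy-controller project: it builds the policy manifest as JSON (which `kubectl apply` accepts as YAML), lints the `identities` block for the mistakes the gotcha describes, and dry-runs the issuer/subject match against a few constructed signer identities so you can see which signatures a given block would admit before turning on `enforce`. The helper names, the `example-org` subjects and the assumption that regexps are matched unanchored (as Go's `regexp.MatchString` does, which is why the linter insists on `^...$`) are this example's own.

```python
"""Build, lint and dry-run a Sigstore ClusterImagePolicy `identities` block.

Added example (not the policy-controller's own code). Manifest field names
follow the ClusterImagePolicy v1beta1 schema; the matching rule below is an
assumption: exact fields compare equal, *RegExp fields are searched unanchored.
"""
import json
import re

FULCIO_URL = "https://fulcio.sigstore.dev"  # public-good Fulcio
REKOR_URL = "https://rekor.sigstore.dev"    # public-good Rekor (ctlog)
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed signer identities, shaped like GitHub Actions Fulcio cert subjects.
RELEASE_SUBJECT = ("https://github.com/example-org/app/.github/workflows/"
                   "release.yml@refs/tags/v1.2.0")
PR_SUBJECT = ("https://github.com/example-org/app/.github/workflows/"
              "pr-build.yml@refs/pull/42/merge")

# Tight: only the release workflow, run on a version tag.
GOOD = [{"issuer": GITHUB_ISSUER,
         "subjectRegExp": r"^https://github\.com/example-org/[^/]+/"
                          r"\.github/workflows/release\.yml@refs/tags/v[0-9.]+$"}]
# Loose: unanchored org prefix, admits any workflow including PR builds.
LOOSE = [{"issuer": GITHUB_ISSUER,
          "subjectRegExp": "https://github.com/example-org/"}]
# Strict: exact subject pinned to a branch ref, so tag-signed releases fail.
STRICT = [{"issuer": GITHUB_ISSUER,
           "subject": "https://github.com/example-org/app/.github/workflows/"
                      "release.yml@refs/heads/main"}]


def build_policy(name, image_glob, identities, mode="enforce"):
    """Return a ClusterImagePolicy dict; `mode` is "warn" or "enforce"."""
    return {
        "apiVersion": "policy.sigstore.dev/v1beta1",
        "kind": "ClusterImagePolicy",
        "metadata": {"name": name},
        "spec": {
            "mode": mode,
            "images": [{"glob": image_glob}],
            "authorities": [{
                "keyless": {"url": FULCIO_URL, "identities": identities},
                "ctlog": {"url": REKOR_URL},
            }],
        },
    }


def lint_identities(identities):
    """List problems: missing/duplicated constraints, catch-all or unanchored regexps."""
    problems = []
    for i, ident in enumerate(identities):
        for field in ("issuer", "subject"):
            exact, rx = ident.get(field), ident.get(field + "RegExp")
            if exact is None and rx is None:
                problems.append(f"identities[{i}]: no {field} constraint")
            elif exact is not None and rx is not None:
                problems.append(f"identities[{i}]: both {field} and {field}RegExp set")
            elif rx is not None:
                if rx in (".*", ".+", "^.*$", "^.+$"):
                    problems.append(f"identities[{i}]: {field}RegExp '{rx}' matches everything")
                elif not (rx.startswith("^") and rx.endswith("$")):
                    problems.append(f"identities[{i}]: {field}RegExp '{rx}' is not anchored")
    return problems


def identity_matches(identities, cert_issuer, cert_subject):
    """Would a signature whose cert carries (issuer, subject) satisfy this block?"""
    def field_ok(ident, field, value):
        if field in ident:
            return ident[field] == value
        return re.search(ident[field + "RegExp"], value) is not None  # assumed unanchored
    return any(field_ok(ident, "issuer", cert_issuer) and field_ok(ident, "subject", cert_subject)
               for ident in identities)


if __name__ == "__main__":
    print(json.dumps(build_policy("release-signed-only", "**", GOOD, mode="warn"), indent=2))
    for label, block in (("GOOD", GOOD), ("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(f"\n{label}: lint={lint_identities(block)}")
        for subj in (RELEASE_SUBJECT, PR_SUBJECT):
            print(f"  admits {subj.split('workflows/')[1]}: "
                  f"{identity_matches(block, GITHUB_ISSUER, subj)}")
```

Run it once to see that `LOOSE` admits the pull-request build and `STRICT` rejects the tagged release, then pipe the printed manifest to `kubectl apply -f -`; keep `mode: warn` until the logged warnings show only the signatures you expect.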