In the ClusterImagePolicy manifest, set spec.mode to warn to allow non-compliant images through while logging a warning to the caller and recording a Kubernetes event
To switch to blocking enforcement, change spec.mode to enforce (the default); non-compliant images will receive an admission denial
Apply the updated ClusterImagePolicy with kubectl apply; the change takes effect immediately for new pod admission requests
Monitor Kubernetes events in the target namespace with kubectl get events to observe warn-mode policy violations
Review policy-controller pod logs for detailed verification failure messages regardless of mode
Known gotchas
Mode applies per ClusterImagePolicy, not per namespace; multiple policies can coexist with different modes, allowing gradual rollout
warn mode does not block workloads, so a misconfigured policy in warn mode may give a false sense of security; audit warnings actively before switching to enforce
There is no built-in rate limiting on warnings; in a busy cluster, warn-mode violations can flood Kubernetes events if many non-compliant images are deployed
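The steps and the per-policy gotcha above, as an added example that is not from the original page or the policy-controller project: two ClusterImagePolicy manifests that coexist with different modes during a gradual rollout. Policy names, image globs and signer identities are constructed placeholders, and the keyless authority is only one possible verification setup.

```yaml
# Constructed example: names, globs and signer identities are placeholders.
# Policy 1: warnings already audited, so non-compliant images are denied.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: payments-images-enforce        # hypothetical name
spec:
  mode: enforce                        # the default; failure = admission denial
  images:
    - glob: "registry.example.com/payments/**"
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
        identities:
          - issuer: https://token.actions.githubusercontent.com
            subject: https://github.com/example-org/payments/.github/workflows/release.yaml@refs/heads/main
---
# Policy 2: still in rollout. Non-compliant images are admitted, the caller
# gets a warning and a Kubernetes event is recorded. Nothing is blocked, so
# this policy provides visibility only until it is switched to enforce.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: batch-images-warn              # hypothetical name
spec:
  mode: warn
  images:
    - glob: "registry.example.com/batch/**"
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
        identities:
          - issuer: https://token.actions.githubusercontent.com
            subject: https://github.com/example-org/batch/.github/workflows/release.yaml@refs/heads/main
```

Once the events and policy-controller logs for the second policy show no unexpected failures, change its spec.mode to enforce and re-apply it.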