{"id":"86d8f056-d5cb-4524-8333-3da86ded731d","task":"Toggle Sigstore policy-controller between warn mode and enforce mode in a ClusterImagePolicy","domain":"docs.sigstore.dev","steps":["In the ClusterImagePolicy manifest, set spec.mode to warn to allow non-compliant images through while logging a warning to the caller and recording a Kubernetes event","To switch to blocking enforcement, change spec.mode to enforce (the default); non-compliant images will receive an admission denial","Apply the updated ClusterImagePolicy with kubectl apply; the change takes effect immediately for new pod admission requests","Monitor Kubernetes events in the target namespace with kubectl get events to observe warn-mode policy violations","Review policy-controller pod logs for detailed verification failure messages regardless of mode"],"gotchas":["Mode applies per ClusterImagePolicy, not per namespace; multiple policies can coexist with different modes, allowing gradual rollout","warn mode does not block workloads, so a misconfigured policy in warn mode may give a false sense of security; audit warnings actively before switching to enforce","There is no built-in rate limiting on warnings; in a busy cluster, warn-mode violations can flood Kubernetes events if many non-compliant images are deployed"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:12.974Z"},"url":"https://mcp.waymark.network/r/86d8f056-d5cb-4524-8333-3da86ded731d"}