Install Kyverno via the official Helm chart: `helm repo add kyverno https://kyverno.github.io/kyverno/ && helm install kyverno kyverno/kyverno -n kyverno --create-namespace`
Create a `ClusterPolicy` with a `spec.rules[].verifyImages` entry: `imageReferences` holds the glob patterns for the images to check (the older `image` field is deprecated), `attestors` sets `count: 1`, and each attestor's `entries[].keyless` block pins the expected OIDC `issuer` and `subject` of the signing identity (or `issuerRegExp`/`subjectRegExp`) and names the transparency log under `rekor.url` (`https://rekor.sigstore.dev` for the public instance). Fulcio's root certificates are not a URL in the policy: Kyverno takes them from the public Sigstore TUF root unless you supply your own under `roots`
Set `spec.validationFailureAction` to `Enforce` to reject unsigned or wrongly signed images at admission time (run with `Audit` first and review the resulting PolicyReports to assess impact; in `Audit` mode violations are recorded but the pod is still admitted)
Deploy a signed test image and confirm it is admitted; deploy an unsigned image (or one signed by a different identity) and confirm the API server rejects it with an admission error and Kyverno records a `PolicyViolation` event on the resource
Review the Kyverno admission controller logs and alert on `PolicyViolation` events (and PolicyReport results) in your monitoring stack
Known gotchas
Keyless `verifyImages` rules need network egress from the Kyverno admission controller at admission time: to the registry to fetch the signature, to Rekor to check the transparency-log entry, and to the Sigstore TUF repository to obtain the Fulcio root certificates and Rekor public key; if any of these is unreachable, every pod whose image matches an enforced rule is rejected. Air-gapped clusters need a private Sigstore deployment (point `rekor.url` and `roots` at it) or `rekor.ignoreTlog: true`, which gives up the transparency-log check
The policy's `spec.failurePolicy` (default `Fail`) tells the API server what to do when the Kyverno webhook does not answer; `Fail` is the secure choice but turns a Kyverno outage into an admission outage for every matching resource, so run multiple admission-controller replicas (`admissionController.replicas` in current chart versions) and raise `webhookTimeoutSeconds` on rules that call out to Rekor, since the 10 s default is often too short
Each `keyless` entry should pin both `issuer` and `subject` (or their `issuerRegExp`/`subjectRegExp` variants). Matching on the issuer alone, or on a subject pattern that ends in a bare `*`, accepts a signature from any workflow in any repository the OIDC provider vouches for, which is far broader than the single release pipeline you mean to trust; anchor the subject to the exact repository, workflow path and ref
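A complete policy that ties the setup steps above to the gotchas, as an added example (not from the original page and not the Kyverno project's own documentation). Assumptions to replace: images live under `ghcr.io/example-org/*`, and the trusted signer is the GitHub Actions workflow `example-org/app/.github/workflows/release.yaml` running on a `vX.Y.Z` tag. The correct keyless entry is shown in the rule; the overly broad issuer-only form sits beside it as a commented-out contrast.

```yaml
# Added example (not from the page or the Kyverno project). Placeholders to replace:
# the registry path ghcr.io/example-org/* and the GitHub repository/workflow
# example-org/app/.github/workflows/release.yaml.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-keyless-signatures
spec:
  # Start in Audit, review PolicyReports and PolicyViolation events, then flip to Enforce.
  validationFailureAction: Audit
  # Fail closed if the API server cannot reach Kyverno; needs an HA admission controller.
  failurePolicy: Fail
  # Signature fetch plus the Rekor lookup regularly exceed the 10 s default.
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: require-release-workflow-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"   # glob; only images under this path are checked
          required: true                # a matching image with no valid signature is a violation
          mutateDigest: true            # rewrite the tag to the verified digest
          verifyDigest: true
          attestors:
            - count: 1                  # one matching entry is sufficient
              entries:
                - keyless:
                    # Pin BOTH the OIDC issuer and the subject. The issuer alone would
                    # accept any GitHub Actions workflow in any repository.
                    issuer: "https://token.actions.githubusercontent.com"
                    subjectRegExp: "^https://github\\.com/example-org/app/\\.github/workflows/release\\.yaml@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"
                    rekor:
                      url: https://rekor.sigstore.dev
                      # ignoreTlog: true   # air-gapped clusters only: skips the transparency-log check

# Overly broad form (do NOT use): the issuer is pinned but there is no subject, so a
# signature from any workflow that GitHub's OIDC provider issues a token for is accepted.
#   entries:
#     - keyless:
#         issuer: "https://token.actions.githubusercontent.com"
#         rekor:
#           url: https://rekor.sigstore.dev
```

Apply it with `kubectl apply -f policy.yaml`, run a pod from a tag the release workflow signed and one from an unsigned tag under the same registry path, then compare `kubectl get events -A --field-selector reason=PolicyViolation`; only after an Audit period with no unexpected violations change `validationFailureAction` to `Enforce`.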