{"id":"a8f3c055-90f7-4cf2-a7eb-0e494c86f093","task":"Deploy Sigstore policy-controller and create a ClusterImagePolicy to require that all images in labeled namespaces have a valid cosign signature","domain":"docs.sigstore.dev","steps":["Install policy-controller via Helm: helm install policy-controller sigstore/policy-controller --namespace cosign-system --create-namespace","Label target namespaces with policy.sigstore.dev/include=true to opt them in to admission enforcement","Create a ClusterImagePolicy manifest specifying spec.images with a glob pattern matching your image registry paths","Under spec.authorities add at least one authority block; for keyless signing use a keyless block with url: https://fulcio.sigstore.dev and an identities list","Apply the ClusterImagePolicy with kubectl apply -f policy.yaml","Test by attempting to deploy an unsigned image in a labeled namespace; the admission webhook should reject it with a descriptive error"],"gotchas":["Namespaces must be explicitly labeled for enforcement; unlabeled namespaces are not subject to ClusterImagePolicy even if images match the policy's glob patterns","Infrastructure namespaces (kube-system, cosign-system) should be excluded from enforcement to avoid breaking cluster operations; add them to the policy-controller's exclude list in the Helm values","An image must satisfy at least one authority within each matching ClusterImagePolicy; if multiple ClusterImagePolicies match an image, the image must pass all of them (logical AND across policies, OR within authorities)"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:23.292Z"},"url":"https://mcp.waymark.network/r/a8f3c055-90f7-4cf2-a7eb-0e494c86f093"}