{"id":"d41ded7e-41d0-485a-b481-98628bd803b8","task":"Deploy Sigstore policy-controller on Kubernetes to enforce that only images with valid cosign signatures are admitted","domain":"security/compliance","steps":["Install the Sigstore policy-controller using the official Helm chart; it installs a ValidatingWebhookConfiguration and its own CRDs for ClusterImagePolicy.","Create a ClusterImagePolicy CRD that matches an image glob pattern (e.g., ghcr.io/my-org/*) and specifies the required authorities: either a static public key or keyless authorities referencing the expected OIDC issuer and certificate identity.","Label the namespaces where you want policy enforcement with the label the policy-controller monitors (verify the exact label key in current policy-controller docs, as it may differ from older versions).","Test enforcement by attempting to deploy an unsigned image in a labeled namespace; the policy-controller webhook should deny the admission with a message indicating no matching signature was found.","Monitor policy-controller logs and metrics; admission latency increases when the controller contacts Rekor or Fulcio for keyless verification, so configure appropriate timeout and availability settings."],"gotchas":["The policy-controller webhook failure policy should be set carefully; FailClosed blocks all images if the controller is unavailable, while FailOpen allows images through — choose based on your availability and security tradeoffs.","Namespace labeling is required for the policy-controller to intercept admission requests; unlabeled namespaces receive no enforcement, which can lead to a false sense of security if namespaces are created without the label.","ClusterImagePolicy authorities using keyless verification must have accurate OIDC issuer and subject glob patterns; overly broad patterns (matching any subject from an issuer) defeat the purpose of identity-based enforcement."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample"},"url":"https://mcp.waymark.network/r/d41ded7e-41d0-485a-b481-98628bd803b8"}