The policy-controller project contains an admission controller for Kubernetes, which can be installed on your Kubernetes cluster in a form of a helm chart.

The webhook can be used to automatically validate that all the container images have been signed. The webhook also resolves the image tags to ensure the image being ran is not different from when it was admitted.

The policy-controller admission controller will only validate resources in namespaces that have chosen to opt-in. See the Enable policy-controller Admission Controller for Namespaces instructions for more details.

See the Configuring policy-controller ClusterImagePolicy instructions for more details on configuration.

Edit this page on GitHub Updated at Fri, Jun 24, 2022