The webhook can be used to automatically validate that all the container images have been signed. The webhook also resolves the image tags to ensure the image being ran is not different from when it was admitted.
policy-controller admission controller will only validate resources in
namespaces that have chosen to opt-in. See the
Enable policy-controller Admission Controller for Namespaces instructions for more details.
See the Configuring policy-controller ClusterImagePolicy instructions for more details on configuration.