https://uclab.dev/tags/clusterimagepolicy/ Recent content in ClusterImagePolicy on DevOps von UCLAB Hugo en Wed, 04 Mar 2026 19:15:15 +0000 https://uclab.dev/posts/cosign/ Wed, 04 Mar 2026 19:15:15 +0000 https://uclab.dev/posts/cosign/ <p>One of the things I wanted to get right in my Pi5 cluster was ensuring that only images I&rsquo;ve actually built and signed can run — no surprises, no unsigned images sneaking into my workloads. This post walks through how I set up <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore&rsquo;s Policy Controller</a> with Flux to enforce Cosign image signatures in my <code>uclab</code> namespace.</p> <figure><img src="https://uclab.dev/posts/cosign/images/gemini2.png" alt="ClusterImagePolicy"> </figure> <h2 id="the-goal">The Goal</h2> <p>Every image I deploy to the <code>uclab</code> namespace is built in my own CI pipeline, pushed to my self-hosted Forgejo registry, and signed with Cosign using a key pair I control. The Policy Controller&rsquo;s job is to sit as an admission webhook and <strong>reject any pod that tries to run an image without a valid signature</strong>.</p>