diff --git a/services/zot/configmap.yaml b/services/zot/configmap.yaml
index ffeefbe..47a66e4 100644
--- a/services/zot/configmap.yaml
+++ b/services/zot/configmap.yaml
@@ -23,7 +23,7 @@ data:
 },
 "accessControl": {
 "repositories": {
- "pegasus": {
+ "pegasus/**": {
 "policies": [
 { "users": ["bstein"], "actions": ["read", "create", "update", "delete"] }
 ],
diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
index 5bb8354..1dda5d0 100644
--- a/services/zot/ingress.yaml
+++ b/services/zot/ingress.yaml
@@ -10,6 +10,7 @@ metadata:
 traefik.ingress.kubernetes.io/router.tls: "true"
 # traefik.ingress.kubernetes.io/router.tls.options: zot-h1only@kubernetescrd
 # traefik.ingress.kubernetes.io/router.middlewares: zot-zot-headers@kubernetescrd,zot-zot-buffering@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: zot-add-www-auth@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/services/zot/kustomization.yaml b/services/zot/kustomization.yaml
index 6d0dc06..b59b721 100644
--- a/services/zot/kustomization.yaml
+++ b/services/zot/kustomization.yaml
@@ -8,5 +8,5 @@ resources:
 - configmap.yaml
 - service.yaml
 - ingress.yaml
- # - middleware.yaml
+ - middleware.yaml
 # - tlsoptions.yaml
diff --git a/services/zot/middleware.yaml b/services/zot/middleware.yaml
index 003d25c..2901fd8 100644
--- a/services/zot/middleware.yaml
+++ b/services/zot/middleware.yaml
@@ -24,3 +24,13 @@
 # maxResponseBodyBytes: 0
 # memResponseBodyBytes: 0
 # retryExpression: "IsNetworkError() && Attempts() <= 2"
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: add-www-auth
+ namespace: zot
+spec:
+ headers:
+ customResponseHeaders:
+ WWW-Authenticate: Basic realm="zot-registry"
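Review bot: The new key `"pegasus/**"` widens this policy from a single repository to every path under `pegasus/`, and depending on how zot evaluates the glob, a repository named exactly `pegasus` may no longer match it. Anything that stops matching falls through to whatever `defaultPolicy` / `anonymousPolicy` the config defines; the `accessControl` block continues outside this hunk, so that fallback cannot be checked here and should be confirmed to deny by default. If the bare repository is still in use, keep both keys, `"pegasus": { ... }` and `"pegasus/**": { ... }`, with the same policy.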
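Review bot: The added `router.middlewares` annotation sits directly below a commented-out line with the same key, which is a duplicate-key trap. If that line is ever uncommented, most YAML parsers silently keep only the last value, so either the headers/buffering chain or the auth header would be dropped without an error. A comment above the new line would prevent that, for example `# Only one router.middlewares annotation is honoured; append further middlewares comma-separated on this line.`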
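Review bot: `customResponseHeaders` appears to stamp `WWW-Authenticate: Basic realm="zot-registry"` on every response through this router, not only 401s, and it likely overrides any challenge zot emits itself, so a Bearer/token challenge would be masked if that auth mode is enabled later. The header only advertises a scheme and enforces nothing; authentication still has to be configured in zot's `http.auth` section, which is not visible in this diff. A comment above the resource would make that explicit, for example `# Advertises Basic auth to clients; does not authenticate. Enforcement lives in zot's http.auth config.` For style, quote the value as `WWW-Authenticate: 'Basic realm="zot-registry"'` and put a `---` line before `apiVersion:` so the resource stays its own document if the commented-out middlewares above it are re-enabled.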