2019-10-23 21:06:03 +00:00
# Disallow latest image tag
2020-11-11 20:55:02 +00:00
The `:latest` tag is mutable and can lead to unexpected errors if the upstream image changes. A best practice is to use an immutable tag that maps to a specific and tested version of an application image.
2019-10-23 21:06:03 +00:00
2020-11-11 20:55:02 +00:00
## Policy YAML
2019-10-23 21:06:03 +00:00
2019-11-11 01:54:38 +00:00
[disallow_latest_tag.yaml ](best_practices/disallow_latest_tag.yaml )
2019-10-23 21:06:03 +00:00
````yaml
2019-11-13 21:56:20 +00:00
apiVersion : kyverno.io/v1
2019-10-23 21:06:03 +00:00
kind: ClusterPolicy
metadata:
2019-11-11 01:54:38 +00:00
name: disallow-latest-tag
2019-10-23 21:06:03 +00:00
spec:
2020-08-19 21:04:58 +00:00
validationFailureAction: audit
2019-10-23 21:06:03 +00:00
rules:
2019-12-10 17:51:15 +00:00
- name: require-image-tag
2019-10-23 21:06:03 +00:00
match:
resources:
kinds:
- Pod
validate:
2019-11-11 01:54:38 +00:00
message: "An image tag is required"
2019-10-23 21:06:03 +00:00
pattern:
spec:
containers:
- image: "*:*"
2019-12-10 17:51:15 +00:00
- name: validate-image-tag
2019-10-23 21:06:03 +00:00
match:
resources:
kinds:
- Pod
validate:
2019-11-11 01:54:38 +00:00
message: "Using a mutable image tag e.g. 'latest' is not allowed"
2019-10-23 21:06:03 +00:00
pattern:
spec:
containers:
- image: "!*:latest"
````