# Kyverno ClusterPolicy with two validate rules for Pods:
#   require-image-tag  - every entry in spec.containers must have an image
#                        string matching '*:*'.
#   validate-image-tag - no entry in spec.containers may have an image string
#                        matching '*:latest'.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  # Audit mode: violations are recorded in policy reports but the request is
  # still admitted. This policy does not block anything until the action is
  # switched to Enforce.
  validationFailureAction: Audit
  rules:
  - match:
      any:
        - resources:
            kinds:
            - Pod
    name: require-image-tag
    validate:
      message: An image tag is required.
      pattern:
        spec:
          # Only spec.containers is listed; initContainers and
          # ephemeralContainers are not checked by this pattern.
          containers:
          # Wildcard match: passes when the image string contains a colon.
          # NOTE(review): a colon also occurs in a registry host:port
          # (constructed example: registry.example:5000/app) and in a digest
          # reference (app@sha256:<digest>), so an untagged image pulled from
          # a registry with an explicit port appears to satisfy this check.
          - image: '*:*'
  - match:
      any:
        - resources:
            kinds:
            - Pod
    name: validate-image-tag
    validate:
      message: Using a mutable image tag e.g. 'latest' is not allowed.
      pattern:
        spec:
          # Only spec.containers is listed; initContainers and
          # ephemeralContainers are not checked by this pattern.
          containers:
          # '!' negates the match: the image string must not end in ':latest'.
          # The message speaks of mutable tags in general, but the pattern
          # rejects only the literal tag 'latest'; other tags that get
          # re-pushed are not detected. Pinning by digest is what makes an
          # image reference immutable.
          - image: '!*:latest'
# Status block: populated by the Kyverno controller, not written by the policy
# author. NOTE(review): its presence suggests this document is a captured or
# expected-state copy of the policy rather than a manifest to apply - confirm.
status:
  conditions:
  # The policy is reported as Ready.
  - reason: Succeeded
    status: "True"
    type: Ready
  # Rules Kyverno derived from the Pod rules so that the same checks apply to
  # workload kinds that create Pods. Each derived rule repeats the Pod pattern
  # under the pod template path of the matched kinds. As listed here, every
  # derived pattern covers `containers` only; initContainers and
  # ephemeralContainers do not appear in any of them.
  autogen:
    rules:
    - match:
        any:
        - resources:
            kinds:
            - DaemonSet
            - Deployment
            - Job
            - StatefulSet
            - ReplicaSet
            - ReplicationController
      name: autogen-require-image-tag
      validate:
        message: An image tag is required.
        pattern:
          spec:
            # Pod template of the controller kinds matched above.
            template:
              spec:
                containers:
                # Requires a colon somewhere in the image string.
                - image: '*:*'
    - match:
        any:
        - resources:
            kinds:
            - CronJob
      name: autogen-cronjob-require-image-tag
      validate:
        message: An image tag is required.
        pattern:
          spec:
            # CronJob nests the pod template one level deeper, under
            # jobTemplate.
            jobTemplate:
              spec:
                template:
                  spec:
                    containers:
                    - image: '*:*'
    - match:
        any:
        - resources:
            kinds:
            - DaemonSet
            - Deployment
            - Job
            - StatefulSet
            - ReplicaSet
            - ReplicationController
      name: autogen-validate-image-tag
      validate:
        message: Using a mutable image tag e.g. 'latest' is not allowed.
        pattern:
          spec:
            template:
              spec:
                containers:
                # Negated match: rejects only image strings ending in
                # ':latest'; other mutable tags are not covered.
                - image: '!*:latest'
    - match:
        any:
        - resources:
            kinds:
            - CronJob
      name: autogen-cronjob-validate-image-tag
      validate:
        message: Using a mutable image tag e.g. 'latest' is not allowed.
        pattern:
          spec:
            jobTemplate:
              spec:
                template:
                  spec:
                    containers:
                    - image: '!*:latest'