apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
status:
  autogen:
    rules:
    - match:
        any:
        - resources:
            kinds:
            - DaemonSet
            - Deployment
            - Job
            - ReplicaSet
            - ReplicationController
            - StatefulSet
      name: autogen-require-image-tag
      validate:
        failureAction: Audit
        message: An image tag is required.
        pattern:
          spec:
            template:
              spec:
                containers:
                - image: '*:*'
    - match:
        any:
        - resources:
            kinds:
            - CronJob
      name: autogen-cronjob-require-image-tag
      validate:
        failureAction: Audit
        message: An image tag is required.
        pattern:
          spec:
            jobTemplate:
              spec:
                template:
                  spec:
                    containers:
                    - image: '*:*'
    - match:
        any:
        - resources:
            kinds:
            - DaemonSet
            - Deployment
            - Job
            - ReplicaSet
            - ReplicationController
            - StatefulSet
      name: autogen-validate-image-tag
      validate:
        failureAction: Audit
        message: Using a mutable image tag e.g. 'latest' is not allowed.
        pattern:
          spec:
            template:
              spec:
                containers:
                - image: '!*:latest'
    - match:
        any:
        - resources:
            kinds:
            - CronJob
      name: autogen-cronjob-validate-image-tag
      validate:
        failureAction: Audit
        message: Using a mutable image tag e.g. 'latest' is not allowed.
        pattern:
          spec:
            jobTemplate:
              spec:
                template:
                  spec:
                    containers:
                    - image: '!*:latest'