apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
spec:
  rules:
  - match:
      any:
        - resources:
            kinds:
            - Pod
    name: require-image-tag
    validate:
      failureAction: Audit
      message: An image tag is required.
      pattern:
        spec:
          containers:
          - image: '*:*'
  - match:
      any:
        - resources:
            kinds:
            - Pod
    name: validate-image-tag
    validate:
      failureAction: Audit
      message: Using a mutable image tag e.g. 'latest' is not allowed.
      pattern:
        spec:
          containers:
          - image: '!*:latest'