mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
Code Activity
kyverno/samples/DisallowLatestTag.md
Jim Bugwadia 733633637e update descriptions...
2019-10-23 15:36:37 -07:00

957 B
Raw Blame History

Disallow latest image tag

The :latest tag is mutable and can lead to unexpected errors if the upstream image changes. A best practice is to use an immutable tag that maps to a specific and tested version of an application pod.

Policy YAML

require_image_tag_not_latest.yaml

apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-image-tag
spec:
  rules:
  - name: image-tag-notspecified
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Image tag not specified"  
      pattern:
        spec:
          containers:
          - image: "*:*"
  - name: image-tag-not-latest
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Using 'latest' image tag is restricted. Set image tag to a specific version"
      pattern:
        spec:
          containers:
          - image: "!*:latest"