Disallow Latest Tag in CEL expressions
The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`.
Policy Definition
/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    policies.kyverno.io/title: Disallow Latest Tag in CEL expressions
    policies.kyverno.io/category: Best Practices in CEL
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The ':latest' tag is mutable and can lead to unexpected errors if the
      image changes. A best practice is to use an immutable tag that maps to
      a specific version of an application Pod. This policy validates that the image
      specifies a tag and that it is not called `latest`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: require-and-validate-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: "object.spec.containers.all(container, container.image.contains(':'))"
              message: "An image tag is required."
            - expression: "object.spec.containers.all(container, !container.image.endsWith(':latest'))"
              message: "Using a mutable image tag e.g. 'latest' is not allowed."
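As an added worked example (not part of this policy or of Kyverno's own evaluator), the Python below mirrors the string logic of the two CEL expressions and applies it to constructed Pod objects, including two cases the expressions as written do not flag: a registry port that supplies the ':' the first check looks for, and init containers, which `object.spec.containers` does not cover.

```python
"""Offline approximation of the two CEL checks in disallow-latest-tag.
Hypothetical example code; it reproduces the string semantics of
  object.spec.containers.all(c, c.image.contains(':'))
  object.spec.containers.all(c, !c.image.endsWith(':latest'))
rather than calling a CEL engine or Kyverno itself.
"""

TAG_REQUIRED_MSG = "An image tag is required."
MUTABLE_TAG_MSG = "Using a mutable image tag e.g. 'latest' is not allowed."


def evaluate(pod: dict) -> list[str]:
    """Return the policy messages that would fire for a Pod object.
    An empty list means the Pod passes both expressions."""
    # Only spec.containers is inspected, exactly as in the policy.
    images = [c["image"] for c in pod["spec"]["containers"]]
    failures = []
    # Expression 1: every container image string must contain ':'.
    if not all(":" in img for img in images):
        failures.append(TAG_REQUIRED_MSG)
    # Expression 2: no container image string may end with ':latest'.
    if not all(not img.endswith(":latest") for img in images):
        failures.append(MUTABLE_TAG_MSG)
    return failures


def pod(*images: str, init_images: tuple[str, ...] = ()) -> dict:
    """Build a minimal constructed Pod object, one container per image."""
    spec = {"containers": [{"name": f"c{i}", "image": img}
                           for i, img in enumerate(images)]}
    if init_images:
        spec["initContainers"] = [{"name": f"init{i}", "image": img}
                                  for i, img in enumerate(init_images)]
    return {"apiVersion": "v1", "kind": "Pod", "spec": spec}


# Constructed sample Pods (placeholder digest, not a real image).
CASES = {
    "pinned": pod("nginx:1.25.3"),                     # passes
    "digest": pod("nginx@sha256:" + "a" * 64),         # passes: ':' present
    "untagged": pod("nginx"),                          # tag required
    "latest": pod("nginx:latest"),                     # mutable tag
    "mixed": pod("nginx:1.25.3", "redis"),             # one bad container
    "port_no_tag": pod("registry.example:5000/app"),   # caveat: passes
    "init_latest": pod("nginx:1.25.3", init_images=("busybox:latest",)),  # caveat: passes
}

if __name__ == "__main__":
    for name, p in CASES.items():
        print(f"{name:12s} -> {evaluate(p) or ['pass']}")
```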