Disallow Latest Tag
The `:latest` tag is mutable and can lead to unexpected behaviour if the image behind it changes. A best practice is to use an immutable tag that maps to a specific version of an application image. This policy validates that every container image in a Pod (regular, init and ephemeral containers) specifies a tag and that the tag is not `latest`. Two caveats for anyone deploying it: any tag can be re-pushed, so only a content digest (`image@sha256:...`) pins an image immutably, and the `*:*` pattern used below only checks that the reference contains a colon, so a reference whose sole colon is a registry port (`registry.example.com:5000/app`) satisfies the tag requirement without carrying a tag. As written, `validationFailureAction: Audit` only reports violations; set it to `Enforce` to reject non-compliant Pods at admission.
Policy Definition
/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    policies.kyverno.io/title: Disallow Latest Tag
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The ':latest' tag is mutable and can lead to unexpected errors if the
      image changes. A best practice is to use an immutable tag that maps to
      a specific version of an application image. This policy validates that the image
      specifies a tag and that it is not called `latest`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "An image tag is required."
      foreach:
      - list: "request.object.spec.containers"
        pattern:
          image: "*:*"
      - list: "request.object.spec.initContainers"
        pattern:
          image: "*:*"
      - list: "request.object.spec.ephemeralContainers"
        pattern:
          image: "*:*"
  - name: validate-image-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Using a mutable image tag e.g. 'latest' is not allowed."
      foreach:
      - list: "request.object.spec.containers"
        pattern:
          image: "!*:latest"
      - list: "request.object.spec.initContainers"
        pattern:
          image: "!*:latest"
      - list: "request.object.spec.ephemeralContainers"
        pattern:
          image: "!*:latest"
```
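The following Python is an added example, not code from the Kyverno policies project: it emulates the two rules above against a handful of constructed Pod manifests so you can see what each `foreach` pattern accepts and rejects without a cluster, and it places a stricter, reference-aware check beside the policy to show where the `*:*` / `!*:latest` patterns differ from "the image is pinned". The sample Pods, the helper names (`make_pod`, `validate`, `strict_validate`, `audit`) and the use of `fnmatch` to stand in for Kyverno's `*` wildcard (assumed here to match any run of characters, `/` included) are all assumptions of this example.

```python
import fnmatch

# Constructed sample Pods (hypothetical, not from the policy page). Each is a minimal
# Pod manifest as a Python dict so the example runs without a cluster or PyYAML.
def make_pod(name, images, init_images=(), ephemeral_images=()):
    spec = {"containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]}
    if init_images:
        spec["initContainers"] = [{"name": f"init{i}", "image": img} for i, img in enumerate(init_images)]
    if ephemeral_images:
        spec["ephemeralContainers"] = [{"name": f"debug{i}", "image": img} for i, img in enumerate(ephemeral_images)]
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}

SAMPLE_PODS = {
    "pinned": make_pod("pinned", ["nginx:1.25.3"], init_images=["busybox:1.36"]),
    "untagged": make_pod("untagged", ["nginx"]),
    "latest": make_pod("latest", ["nginx:latest"], ephemeral_images=["busybox:1.36"]),
    # the only colon is the registry port: no tag, yet "*:*" is satisfied
    "port-no-tag": make_pod("port-no-tag", ["registry.example.internal:5000/app"]),
    "digest": make_pod("digest", ["nginx@sha256:" + "0" * 64]),
}

# The two rules from the policy: (rule name, Kyverno string pattern, message).
RULES = (
    ("require-image-tag", "*:*", "An image tag is required."),
    ("validate-image-tag", "!*:latest", "Using a mutable image tag e.g. 'latest' is not allowed."),
)
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def kyverno_match(pattern, value):
    """Emulate a Kyverno string pattern as used in this policy: a leading '!' negates
    the match and '*' matches any run of characters, '/' included (assumption).
    fnmatchcase has the same '*' semantics because it treats '/' as an ordinary char."""
    negate = pattern.startswith("!")
    glob = pattern[1:] if negate else pattern
    return fnmatch.fnmatchcase(value, glob) != negate


def container_images(pod):
    """Yield (list, container name, image) across all three container lists; a missing
    list yields nothing, mirroring a foreach over an absent list."""
    spec = pod.get("spec", {})
    for lst in CONTAINER_LISTS:
        for c in spec.get(lst, []):
            yield lst, c.get("name", "?"), c.get("image", "")


def validate(pod):
    """Apply the policy's two rules exactly as their patterns are written.
    Returns a list of (rule, list, container, message) violations."""
    violations = []
    for rule, pattern, message in RULES:
        for lst, name, image in container_images(pod):
            if not kyverno_match(pattern, image):
                violations.append((rule, lst, name, message))
    return violations


def parse_reference(image):
    """Split an image reference into (repository, tag, digest). A registry port can only
    sit in the first path component, so a ':' in the last component is the tag separator."""
    name, _, digest = image.partition("@")
    _, _, last = name.rpartition("/")
    _, sep, tag = last.partition(":")
    if not sep:
        return name, None, digest or None
    return name[: -(len(tag) + 1)], tag, digest or None


def strict_validate(pod):
    """Reference-aware form of the same two checks: a digest-pinned image is accepted
    whatever its tag, and an untagged image is flagged even when the registry has a port."""
    violations = []
    for lst, name, image in container_images(pod):
        _, tag, digest = parse_reference(image)
        if digest:
            continue  # content digest: immutable, stronger than any tag
        if not tag:
            violations.append(("require-image-tag", lst, name, RULES[0][2]))
        elif tag == "latest":
            violations.append(("validate-image-tag", lst, name, RULES[1][2]))
    return violations


def audit(pods):
    """Rule names each check reports per Pod, for comparing the policy with the strict check."""
    return {
        n: {"policy": sorted({v[0] for v in validate(p)}),
            "strict": sorted({v[0] for v in strict_validate(p)})}
        for n, p in pods.items()
    }


if __name__ == "__main__":
    for pod_name, result in audit(SAMPLE_PODS).items():
        print(f"{pod_name:12s} policy={result['policy']} strict={result['strict']}")
```

Running it shows the `port-no-tag` Pod passing both policy rules while the strict check flags it, and the digest-pinned Pod passing both: the policy's patterns are a reasonable hygiene gate, but if the goal is immutability, pair this policy with a digest requirement rather than relying on the presence of a colon.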