Disallow Latest Tag
The `:latest` tag is mutable: the image it resolves to can change underneath a workload, so a Pod that is rescheduled or scaled up may pull different code than the one already running. A best practice is to use an immutable tag (or a digest) that maps to a specific version of the application. This policy validates that each container image specifies a tag and that the tag is not `latest`. Two things to keep in mind when adopting it: the rules below inspect `spec.containers` only, not `initContainers` or `ephemeralContainers`, and `validationFailureAction: audit` only reports violations in policy reports; set it to `enforce` to have the admission webhook reject non-compliant Pods.
Policy Definition
/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    policies.kyverno.io/title: Disallow Latest Tag
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The ':latest' tag is mutable and can lead to unexpected errors if the
      image changes. A best practice is to use an immutable tag that maps to
      a specific version of an application Pod. This policy validates that the image
      specifies a tag and that it is not called `latest`.
spec:
  # audit: violations are only recorded in policy reports; use enforce to block.
  validationFailureAction: audit
  # background: true also scans resources that already exist in the cluster.
  background: true
  rules:
  # Rule 1: every container image must contain a ':' (i.e. carry a tag).
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "An image tag is required."
      pattern:
        spec:
          containers:
          - image: "*:*"
  # Rule 2: the tag must not be 'latest' ('!' negates the wildcard pattern).
  - name: validate-image-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Using a mutable image tag e.g. 'latest' is not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest"
```
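To see exactly what the two wildcard patterns above accept and reject, here is an added example (not part of the original page and not Kyverno's own pattern engine) that re-implements the policy's two rules in Python and runs them beside a stricter reference check over a handful of constructed Pod specs. It assumes that Python's `fnmatch` is a fair stand-in for Kyverno's `*` wildcard matching (both let `*` span any characters, `/` and `:` included); the sample Pods, the `parse_image` helper and all function names are this example's own.

```python
"""Added example: replay the disallow-latest-tag rules over sample Pod specs
and compare them with a stricter image-reference check.  Illustrative code,
not Kyverno's pattern engine (fnmatch is assumed to approximate it)."""
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed sample Pod specs (not from the original page), keyed by a label
# that says what each one is meant to exercise.
SAMPLE_PODS: Dict[str, dict] = {
    "pinned": {"containers": [{"name": "app", "image": "nginx:1.25.3"}]},
    "latest": {"containers": [{"name": "app", "image": "nginx:latest"}]},
    "untagged": {"containers": [{"name": "app", "image": "nginx"}]},
    "digest-only": {"containers": [{"name": "app", "image": "nginx@sha256:" + "a" * 64}]},
    # registry host carries a port, so the reference contains ':' but no tag
    "registry-port": {"containers": [{"name": "app", "image": "registry.local:5000/nginx"}]},
    # the policy only inspects spec.containers, so this initContainer slips through
    "init-latest": {
        "containers": [{"name": "app", "image": "nginx:1.25.3"}],
        "initContainers": [{"name": "init", "image": "busybox:latest"}],
    },
}

REQUIRE_TAG_MSG = "An image tag is required."
LATEST_MSG = "Using a mutable image tag e.g. 'latest' is not allowed."


def policy_verdict(spec: dict) -> List[str]:
    """Mirror the two rules of the policy: each spec.containers[].image must
    match '*:*' (require-image-tag) and must not match '*:latest'
    (validate-image-tag, written as '!*:latest').  Returns failure messages."""
    failures: List[str] = []
    for c in spec.get("containers", []):
        image = c["image"]
        if not fnmatch.fnmatchcase(image, "*:*"):
            failures.append(f"containers/{c['name']}: {REQUIRE_TAG_MSG}")
        if fnmatch.fnmatchcase(image, "*:latest"):
            failures.append(f"containers/{c['name']}: {LATEST_MSG}")
    return failures


def parse_image(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split '[registry[:port]/]repo[:tag][@digest]' into (repo, tag, digest).
    A ':' only introduces a tag when it comes after the last '/', which is
    what distinguishes 'registry:5000/nginx' from 'nginx:1.25.3'."""
    name, _, digest = ref.partition("@")
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        return name[:colon], name[colon + 1:], digest or None
    return name, None, digest or None


def strict_verdict(spec: dict) -> List[str]:
    """Reference check: real tag parsing, all container lists, and digests
    accepted as immutable even without a tag."""
    failures: List[str] = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            _, tag, digest = parse_image(c["image"])
            if digest:
                continue  # content-addressed reference cannot drift
            if tag is None:
                failures.append(f"{field}/{c['name']}: {REQUIRE_TAG_MSG}")
            elif tag == "latest":
                failures.append(f"{field}/{c['name']}: {LATEST_MSG}")
    return failures


def compare_all() -> Dict[str, Tuple[bool, bool]]:
    """label -> (passes the policy's wildcard rules, passes the strict check)."""
    return {
        label: (not policy_verdict(spec), not strict_verdict(spec))
        for label, spec in SAMPLE_PODS.items()
    }


if __name__ == "__main__":
    for label, (policy_ok, strict_ok) in compare_all().items():
        print(f"{label:14} policy={'pass' if policy_ok else 'FAIL'}  strict={'pass' if strict_ok else 'FAIL'}")
```

The two verdicts agree on the obvious cases (pinned, `latest`, no tag, digest) and disagree on the two that matter for hardening: a registry reference with a port such as `registry.local:5000/nginx` satisfies `*:*` although it has no tag, and a `latest` tag in `initContainers` is never examined. To exercise the real policy rather than this approximation, run it against a Pod manifest with `kyverno apply` from the Kyverno CLI.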