add kyverno no latest
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
adc6cdb0bc
commit
a39d676252
6 changed files with 66 additions and 1 deletions
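--- /dev/null
+++ b/platform/kyverno/policies/disallow-latest-tag.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-latest-tag
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-image-tag
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
+        foreach:
+          - list: "request.object.spec.containers"
+            deny:
+              conditions:
+                any:
+                  - key: "{{ regex_match('^.*:latest$', '{{ element.image }}') }}"
+                    operator: Equals
+                    value: true
+                  - key: "{{ !contains('{{ element.image }}', ':') }}"
+                    operator: Equals
+                    value: true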
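Review bot: The foreach at `list: "request.object.spec.containers"` only inspects regular containers, so an init container or ephemeral container that runs `:latest` (or carries no tag at all) is still admitted, which makes the policy straightforward to bypass; the same conditions should be applied to `spec.initContainers` and `spec.ephemeralContainers` as well. Separately, the no-tag check `!contains('{{ element.image }}', ':')` treats any colon as a tag separator, so an untagged image pulled through a registry with a port, e.g. `registry.internal:5000/app`, passes unchecked; Kyverno's normalized image variables (`images.containers.*.tag`, from memory) or a `pattern` rule on `image: "*:*"` would be more robust, though I have not confirmed the exact syntax against the Kyverno version in use here. I am also assuming Kyverno skips a foreach whose list is absent rather than erroring; if it errors, guard each extra list with `|| `[]``. The sketch below extends the foreach; the deny conditions themselves are unchanged.

```yaml
        foreach:
          - list: "request.object.spec.containers"
            deny:
              # … unchanged: latest / missing-tag conditions …
          - list: "request.object.spec.initContainers"
            deny:
              # … same conditions as above …
          - list: "request.object.spec.ephemeralContainers"
            deny:
              # … same conditions as above …
```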
|
|
@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- purge-terminal-pods.yaml
|
||||
- cleanup-rbac.yaml
|
||||
- purge-terminal-pods.yaml
|
||||
- disallow-latest-tag.yaml
|
||||
|
|
|
|||