pub/kyverno-2026-example
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
kyverno-2026-example/02-validation/01-resource-validation/3. disallow-latest-tag.yaml
Vassiliy Yegorov 815bc94a3d init
2026-04-09 20:14:24 +07:00

45 lines
1.6 KiB
YAML
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
policies.kyverno.io/title: "Запрет тега latest"
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Запрещает использование тега :latest и образов без тега.
Оба варианта резолвятся в "последний доступный образ",
что делает деплойменты невоспроизводимыми.
spec:
validationFailureAction: Enforce
background: true
rules:
- name: disallow-latest-tag
match:
resources:
kinds:
- Pod
exclude:
resources:
namespaces:
- kube-system
validate:
message: >-
Образ '{{ element.image }}' использует тег :latest или не имеет тега.
Используйте конкретный тег (например, nginx:1.25.3) или digest
(nginx@sha256:abc123...) для воспроизводимых деплойментов.
foreach:
- list: >-
request.object.spec.containers[] |
merge(request.object.spec.initContainers[] || `[]`, @)
deny:
conditions:
any:
- key: "{{ element.image }}"
operator: Contains
value: ":latest"
- key: "{{ element.image }}"
operator: NotContains
value: ":"
Reference in New Issue View Git Blame Copy Permalink