diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml
index d5e9fb6f8..29c1e625a 100755
--- a/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml
@@ -6,36 +6,62 @@ metadata:
 name: disallow-latest-tag
 spec:
 steps:
- - name: step-01
- try:
- - apply:
- file: ../disallow-latest-tag.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: disallow-latest-tag
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: good-pod.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-latest-fail-first.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-latest-success-first.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-no-tag.yaml
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-latest-tag.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-latest-tag
+ spec:
+ rules:
+ - name: require-image-tag
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ failureAction: Enforce
+ message: "Container images must have a tag specified"
+ pattern:
+ spec:
+ containers:
+ - image: "!*:latest"
+ - name: validate-image-tag
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ failureAction: Enforce
+ message: "Images must have a specific tag"
+ pattern:
+ spec:
+ containers:
+ - image: "!*:latest"
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: good-pod.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod-latest-fail-first.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod-latest-success-first.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-pod-no-tag.yaml
diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
index 2f64e7a3c..a47a646a4 100644
--- a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
+++ b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
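Review bot: The patched `require-image-tag` rule in step-01 uses `- image: "!*:latest"`, the same pattern as `validate-image-tag`, so after the patch nothing in the enforced policy requires a tag to be present at all, yet step-02 still expects `bad-pod-no-tag.yaml` to be rejected. The patch also supplies a complete `rules` list, so if chainsaw applies it as a merge patch (which I believe it does for CRDs — worth confirming) the policy's `foreach` lists for `initContainers` and `ephemeralContainers` are replaced by a `spec.containers`-only pattern and the test no longer exercises them. If the intent is only to switch to enforcement, the patch should carry the policy's own rules with `failureAction: Enforce` under each `validate`, and at minimum the first rule should read `- image: "*:*"`. The two `message` strings also differ from the policy's, so the test is not asserting on the text a user would actually see.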
@@ -14,42 +14,44 @@ metadata:
 a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`.
 spec:
- validationFailureAction: Audit
 background: true
 rules:
- - name: require-image-tag
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- message: "An image tag is required."
- foreach:
- - list: "request.object.spec.containers"
- pattern:
- image: "*:*"
- - list: "request.object.spec.initContainers"
- pattern:
- image: "*:*"
- - list: "request.object.spec.ephemeralContainers"
- pattern:
- image: "*:*"
- - name: validate-image-tag
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- message: "Using a mutable image tag e.g. 'latest' is not allowed."
- foreach:
- - list: "request.object.spec.containers"
- pattern:
- image: "!*:latest"
- - list: "request.object.spec.initContainers"
- pattern:
- image: "!*:latest"
- - list: "request.object.spec.ephemeralContainers"
- pattern:
- image: "!*:latest"
+ - name: require-image-tag
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ failureAction: Audit
+ message: "An image tag is required."
+ foreach:
+ - list: "request.object.spec.containers"
+ pattern:
+ image: "*:*"
+ - list: "request.object.spec.initContainers"
+ pattern:
+ image: "*:*"
+ - list: "request.object.spec.ephemeralContainers"
+ pattern:
+ image: "*:*"
+
+ - name: validate-image-tag
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ failureAction: Audit
+ message: "Using a mutable image tag e.g. 'latest' is not allowed."
+ foreach:
+ - list: "request.object.spec.containers"
+ pattern:
+ image: "!*:latest"
+ - list: "request.object.spec.initContainers"
+ pattern:
+ image: "!*:latest"
+ - list: "request.object.spec.ephemeralContainers"
+ pattern:
+ image: "!*:latest"
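Review bot: `image: "*:*"` in `require-image-tag` is satisfied by any colon in the reference, so an image pulled from a registry with a port (`registry.internal:5000/app`) passes the tag check with no tag and is silently resolved as `latest` by the runtime; the description on the preceding lines does not mention this. A digest reference (`app@sha256:...`) also passes both rules, which is presumably intended since a digest is immutable, but it is worth stating so operators do not expect a tag to be mandatory. I'd add to the description: `Note: the tag check only requires a colon in the reference, so a registry port (host:5000/image) satisfies it; digest references (image@sha256:...) are accepted.` If the Kyverno versions this policy targets provide the `parse_image_reference()` JMESPath function, a `deny` on an empty `tag` together with an empty `digest` would be a tighter check than the wildcard pattern — confirm availability before changing the rule.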