From 034ae8641f00bbe7a6aa22b9ad553cbfbb49bd03 Mon Sep 17 00:00:00 2001 From: Indrranil Pawar Date: Sun, 29 Dec 2024 16:06:11 +0530 Subject: [PATCH 1/2] feat: update deprecated fields in disallow-latest-tag policy (#1130) Signed-off-by: Indrranil Pawar --- .../.chainsaw-test/chainsaw-test.yaml | 90 ++++++++++++------- .../disallow-latest-tag.yaml | 76 ++++++++-------- 2 files changed, 96 insertions(+), 70 deletions(-) diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml index d5e9fb6f8..6557dfba3 100755 --- a/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml 
@@ -6,36 +6,60 @@ metadata: name: disallow-latest-tag spec: steps: - - name: step-01 - try: - - apply: - file: ../disallow-latest-tag.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-latest-tag - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-pod.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-latest-fail-first.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-latest-success-first.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-no-tag.yaml + - name: step-01 + try: + - apply: + file: ../disallow-latest-tag.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-latest-tag + spec: + rules: + - name: require-image-tag + match: + any: + - resources: + kinds: + - Pod + validate: + message: "Container images must have a tag specified" + pattern: + spec: + containers: + - image: "!*:latest" + - name: validate-image-tag + match: + any: + - resources: + kinds: + - Pod + validate: + message: "Images must have a specific tag" + pattern: + spec: + containers: + - image: "!*:latest" + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: good-pod.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-pod-latest-fail-first.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-pod-latest-success-first.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-pod-no-tag.yaml diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml index 2f64e7a3c..a47a646a4 100644 --- a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml +++ b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml 
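Review bot: The `patch` in step-01 now carries its own `spec.rules` list in place of the single `validationFailureAction` field it replaced, and that list is not the policy's: both rules use a plain `pattern` on `spec.containers` only, dropping the `foreach` over `initContainers` and `ephemeralContainers`, and `require-image-tag` matches `!*:latest` rather than `*:*`, so it no longer checks that a tag is present at all. If the patch is applied with merge-patch semantics the `rules` list in the cluster is replaced wholesale, and step-02 then exercises these ad-hoc rules instead of `../disallow-latest-tag.yaml`; in particular the denial expected for `bad-pod-no-tag.yaml` presumably relies on an untagged image being rejected, which `!*:latest` does not do. The patch should mirror the policy file's rules verbatim and add only the per-rule `failureAction: Enforce` (which the follow-up patch introduces), as sketched below for the first rule; the second rule keeps the same shape with `image: "!*:latest"`.
```yaml
- patch:
    resource:
      apiVersion: kyverno.io/v1
      kind: ClusterPolicy
      metadata:
        name: disallow-latest-tag
      spec:
        rules:
          - name: require-image-tag
            match:
              any:
                - resources:
                    kinds:
                      - Pod
            validate:
              failureAction: Enforce
              message: "An image tag is required."
              foreach:
                - list: "request.object.spec.containers"
                  pattern:
                    image: "*:*"
                - list: "request.object.spec.initContainers"
                  pattern:
                    image: "*:*"
                - list: "request.object.spec.ephemeralContainers"
                  pattern:
                    image: "*:*"
          # … validate-image-tag: same match/foreach shape, failureAction: Enforce, image: "!*:latest" …
```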
@@ -14,42 +14,44 @@ metadata: a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. spec: - validationFailureAction: Audit background: true rules: - - name: require-image-tag - match: - any: - - resources: - kinds: - - Pod - validate: - message: "An image tag is required." - foreach: - - list: "request.object.spec.containers" - pattern: - image: "*:*" - - list: "request.object.spec.initContainers" - pattern: - image: "*:*" - - list: "request.object.spec.ephemeralContainers" - pattern: - image: "*:*" - - name: validate-image-tag - match: - any: - - resources: - kinds: - - Pod - validate: - message: "Using a mutable image tag e.g. 'latest' is not allowed." - foreach: - - list: "request.object.spec.containers" - pattern: - image: "!*:latest" - - list: "request.object.spec.initContainers" - pattern: - image: "!*:latest" - - list: "request.object.spec.ephemeralContainers" - pattern: - image: "!*:latest" + - name: require-image-tag + match: + any: + - resources: + kinds: + - Pod + validate: + failureAction: Audit + message: "An image tag is required." + foreach: + - list: "request.object.spec.containers" + pattern: + image: "*:*" + - list: "request.object.spec.initContainers" + pattern: + image: "*:*" + - list: "request.object.spec.ephemeralContainers" + pattern: + image: "*:*" + + - name: validate-image-tag + match: + any: + - resources: + kinds: + - Pod + validate: + failureAction: Audit + message: "Using a mutable image tag e.g. 'latest' is not allowed." + foreach: + - list: "request.object.spec.containers" + pattern: + image: "!*:latest" + - list: "request.object.spec.initContainers" + pattern: + image: "!*:latest" + - list: "request.object.spec.ephemeralContainers" + pattern: + image: "!*:latest" From c96b844f07fbf6371a02a60907cac529ac2c9b51 Mon Sep 17 00:00:00 2001 
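Review bot: `validate.failureAction` is a per-rule field that only newer Kyverno releases understand, and with `validationFailureAction` removed from `spec` there is no fallback; on an older controller the new field would presumably be pruned or rejected by the CRD schema, leaving the policy in its default mode without any signal. The `kyverno.io/kyverno-version` annotation this repository's policies carry in `metadata` (above this hunk, not visible here) should be raised to the first release that supports `failureAction` so the minimum version is explicit. Separately, the `*:*` pattern carried over in `require-image-tag` is also satisfied by an image whose only colon is a registry port (e.g. `localhost:5000/nginx`), so an untagged image from such a registry passes the tag check; a line in the policy description such as `# NOTE: "*:*" treats a registry port as a tag; images like host:5000/app pass this rule` would at least document the gap. The enclosing ClusterPolicy begins outside the hunk.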
From: Indrranil Pawar <112892653+Indrranil@users.noreply.github.com> Date: Sun, 29 Dec 2024 20:04:38 +0530 Subject: [PATCH 2/2] added validationAction : Enforce Signed-off-by: Indrranil Pawar <112892653+Indrranil@users.noreply.github.com> --- .../disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml index 6557dfba3..29c1e625a 100755 --- a/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml @@ -25,6 +25,7 @@ spec: kinds: - Pod validate: + failureAction: Enforce message: "Container images must have a tag specified" pattern: spec: @@ -37,6 +38,7 @@ spec: kinds: - Pod validate: + failureAction: Enforce message: "Images must have a specific tag" pattern: spec:
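Review bot: `failureAction: Enforce` is attached to a `require-image-tag` rule whose message says a tag must be specified, but whose pattern (shown in the first patch of this series, outside this hunk) is `!*:latest`, identical to `validate-image-tag`; enforcing it therefore denies `:latest` twice and never a missing tag. Change the first rule's pattern to `image: "*:*"` — or, better, carry the policy file's `foreach` rules into the patch unchanged — so that `bad-pod-no-tag.yaml` is rejected by the rule meant for it rather than by accident. The `rules` list these hunks edit starts and ends outside the hunks.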