convert imagepullpolicy-always to cel

Signed-off-by: Chandan-DK <[email protected]>

other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml

@@ -21,7 +21,7 @@ spec:
   containers:
   - name: nginx
     image: nginx:latest
-
+    imagePullPolicy: "IfNotPresent"
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -40,6 +40,7 @@ spec:
       containers:
       - name: nginx
         image: nginx
+        imagePullPolicy: "IfNotPresent"
         ports:
         - containerPort: 80
 

other-cel/imagepullpolicy-always/artifacthub-pkg.yml

@@ -1,21 +1,23 @@
-name: imagepullpolicy-always
+name: imagepullpolicy-always-cel
 version: 1.0.0
-displayName: Require imagePullPolicy Always
-createdAt: "2023-04-10T20:30:04.000Z"
+displayName: Require imagePullPolicy Always in CEL expressions
 description: >-
   If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all.
 install: |-
   ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/imagepullpolicy-always/imagepullpolicy-always.yaml
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml
   ```
 keywords:
   - kyverno
   - Sample
+  - CEL Expressions
 readme: |
   If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all.
   
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-  kyverno/category: "Sample"
+  kyverno/category: "Sample in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 6c540bf67eeab51987b0021acffd73333d5eff22f14e10204b8c2c543222758d
+digest: b832c5d39491ce78d88a33596b2706b5448616d034b5b438b9974d07b58d875e
+createdAt: "2024-04-03T17:41:38Z"

other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml

@@ -3,18 +3,19 @@ kind: ClusterPolicy
 metadata:
   name: imagepullpolicy-always
   annotations:
-    policies.kyverno.io/title: Require imagePullPolicy Always
-    policies.kyverno.io/category: Sample
+    policies.kyverno.io/title: Require imagePullPolicy Always in CEL expressions
+    policies.kyverno.io/category: Sample in CEL 
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
-    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/description: >-
       If the `latest` tag is allowed for images, it is a good idea to have the
       imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future
       pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always`
       when the `latest` tag is specified explicitly or where a tag is not defined at all.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Enforce
   background: true
   rules:
   - name: imagepullpolicy-always
@@ -24,10 +25,12 @@ spec:
           kinds:
           - Pod
     validate:
-      message: >-
-        The imagePullPolicy must be set to `Always` when the tag `latest` is used.
-      pattern:
-        spec:
-          containers:
-          - (image): "*:latest | !*:*"
-            imagePullPolicy: "Always"
+      cel:
+        expressions:
+          - expression: >-
+              object.spec.containers.all(container, 
+              (container.image.endsWith(':latest') || !container.image.contains(':')) ? 
+              container.imagePullPolicy == 'Always' : true)
+            message: >-
+              The imagePullPolicy must be set to `Always` when the tag `latest` is used.
+