diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml index e19c69e2e..ec227dcc3 100644 --- a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml +++ b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml @@ -21,7 +21,7 @@ spec: containers: - name: nginx image: nginx:latest - + imagePullPolicy: "IfNotPresent" --- apiVersion: apps/v1 kind: Deployment @@ -40,6 +40,7 @@ spec: containers: - name: nginx image: nginx + imagePullPolicy: "IfNotPresent" ports: - containerPort: 80 diff --git a/other-cel/imagepullpolicy-always/artifacthub-pkg.yml b/other-cel/imagepullpolicy-always/artifacthub-pkg.yml index a88ed1308..7c04e41cf 100644 --- a/other-cel/imagepullpolicy-always/artifacthub-pkg.yml +++ b/other-cel/imagepullpolicy-always/artifacthub-pkg.yml @@ -1,21 +1,23 @@ -name: imagepullpolicy-always +name: imagepullpolicy-always-cel version: 1.0.0 -displayName: Require imagePullPolicy Always -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Require imagePullPolicy Always in CEL expressions description: >- If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/imagepullpolicy-always/imagepullpolicy-always.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml ``` keywords: - kyverno - Sample + - CEL Expressions readme: | If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Sample" + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 6c540bf67eeab51987b0021acffd73333d5eff22f14e10204b8c2c543222758d +digest: b832c5d39491ce78d88a33596b2706b5448616d034b5b438b9974d07b58d875e +createdAt: "2024-04-03T17:41:38Z" diff --git a/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml b/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml index 874c8ce01..5ef755b8e 100644 --- a/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml +++ b/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml @@ -3,18 +3,19 @@ kind: ClusterPolicy metadata: name: imagepullpolicy-always annotations: - policies.kyverno.io/title: Require imagePullPolicy Always - policies.kyverno.io/category: Sample + policies.kyverno.io/title: Require imagePullPolicy Always in CEL expressions + policies.kyverno.io/category: Sample in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. spec: - validationFailureAction: audit + validationFailureAction: Enforce background: true rules: - name: imagepullpolicy-always @@ -24,10 +25,12 @@ spec: kinds: - Pod validate: - message: >- - The imagePullPolicy must be set to `Always` when the tag `latest` is used. - pattern: - spec: - containers: - - (image): "*:latest | !*:*" - imagePullPolicy: "Always" \ No newline at end of file + cel: + expressions: + - expression: >- + object.spec.containers.all(container, + (container.image.endsWith(':latest') || !container.image.contains(':')) ? + container.imagePullPolicy == 'Always' : true) + message: >- + The imagePullPolicy must be set to `Always` when the tag `latest` is used. +