
Deny specific image tag in the Tenant #132

Closed
emanuelr93 opened this issue Nov 11, 2020 · 3 comments
Labels
needs-discussion No outline on the feature, discussion is welcome

Comments

@emanuelr93

emanuelr93 commented Nov 11, 2020

Describe the feature

A Tenant could just use a specific regex to validate image tags. The rule can be set in Deny or Allowed mode.
This can be useful, for example, in a Production Tenant.
For example:

  • I want to disallow the usage of the latest image tag in Production
  • I want to allow only images with a tag that uses Semantic Versioning in Production (e.g. X.Y.Z)

Another use case would be to only allow the use of the image digest instead of the tag, as best practices recommend.

How would the new interaction with Capsule look?

  1. set up a Validating Admission webhook for every Pod
  2. retrieve the Tenant from the namespace indexer
  3. check whether the image tag matches the rules on the Tenant

Expected behavior

  • if the Pod is running on a non-Capsule namespace, return Allowed without further actions
  • if the Pod is running on a Capsule namespace with a non allowed tag, return Forbidden
  • if the Pod is running on a Capsule namespace with an allowed tag, return Allowed
@emanuelr93 emanuelr93 added the blocked-needs-validation Issue need triage and validation label Nov 11, 2020
@prometherion prometherion added needs-discussion No outline on the feature, discussion is welcome and removed blocked-needs-validation Issue need triage and validation labels Nov 11, 2020
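The three webhook steps and the expected behaviour described in the request above, as an added example in Go (the language Capsule is written in); this is not code from the issue or from the Capsule project. The ImageTagPolicy type, the map that stands in for the namespace indexer, and the sample namespaces and images are all assumptions made for the illustration. It goes slightly beyond the request in two places a practitioner would want covered: an image reference with no tag and no digest is treated as the latest tag, because that is what the kubelet pulls, so a deny-latest rule cannot be bypassed by omitting the tag; and the Tenant regex is anchored so it must match the whole tag, otherwise an unanchored semver pattern would admit tags such as latest-1.2.3-anything in Allowed mode.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TagPolicyMode says whether the Tenant's regex is an allow-list or a deny-list.
type TagPolicyMode string

const (
	ModeAllow TagPolicyMode = "Allow" // only tags matching the regex are admitted
	ModeDeny  TagPolicyMode = "Deny"  // tags matching the regex are rejected
)

// ImageTagPolicy is a hypothetical field a Tenant could carry (assumed, not Capsule's API).
type ImageTagPolicy struct {
	Mode       TagPolicyMode
	TagRegex   string // matched against the whole tag; anchored by Validate
	DigestOnly bool   // require images to be pinned by digest
}

// ImageRef is an image reference split into repository, tag and digest.
type ImageRef struct {
	Repository, Tag, Digest string
}

// ParseImage splits "host:port/repo/name:tag@sha256:..." without resolving anything.
// No tag and no digest means the kubelet pulls "latest", so that is what we record.
func ParseImage(image string) ImageRef {
	var ref ImageRef
	rest := image
	if at := strings.Index(rest, "@"); at >= 0 {
		ref.Digest, rest = rest[at+1:], rest[:at]
	}
	// A ':' is a tag separator only after the last '/'; before it, it is a registry port.
	slash := strings.LastIndex(rest, "/")
	if colon := strings.LastIndex(rest, ":"); colon > slash {
		ref.Tag, rest = rest[colon+1:], rest[:colon]
	}
	ref.Repository = rest
	if ref.Tag == "" && ref.Digest == "" {
		ref.Tag = "latest"
	}
	return ref
}

// Validate applies the Tenant rule to one image reference; nil means admitted.
func (p ImageTagPolicy) Validate(image string) error {
	ref := ParseImage(image)
	if p.DigestOnly && ref.Digest == "" {
		return fmt.Errorf("image %q must be pinned by digest", image)
	}
	if ref.Digest != "" || p.TagRegex == "" {
		return nil // a digest pins the content; any tag beside it is ignored by the runtime
	}
	// Anchor the Tenant regex so it has to match the entire tag, not a substring of it.
	re, err := regexp.Compile("^(?:" + p.TagRegex + ")$")
	if err != nil {
		return fmt.Errorf("invalid tag regex %q on Tenant: %w", p.TagRegex, err)
	}
	matched := re.MatchString(ref.Tag)
	switch p.Mode {
	case ModeAllow:
		if !matched {
			return fmt.Errorf("image %q: tag %q does not match allowed pattern %q", image, ref.Tag, p.TagRegex)
		}
	case ModeDeny:
		if matched {
			return fmt.Errorf("image %q: tag %q matches denied pattern %q", image, ref.Tag, p.TagRegex)
		}
	default:
		return fmt.Errorf("unknown tag policy mode %q", p.Mode)
	}
	return nil
}

// AdmissionResult mirrors the Allowed/Forbidden outcome of a validating webhook.
type AdmissionResult struct {
	Allowed bool
	Reason  string
}

// ValidatePod is the webhook body from the issue. tenantPolicies stands in for the namespace
// indexer (an assumption): a namespace absent from it is not owned by any Tenant. images should
// hold every container, initContainer and ephemeralContainer image, or the check has a gap.
func ValidatePod(tenantPolicies map[string]ImageTagPolicy, namespace string, images []string) AdmissionResult {
	policy, managed := tenantPolicies[namespace]
	if !managed {
		return AdmissionResult{Allowed: true, Reason: "namespace not owned by a Tenant"}
	}
	for _, img := range images {
		if err := policy.Validate(img); err != nil {
			return AdmissionResult{Allowed: false, Reason: err.Error()}
		}
	}
	return AdmissionResult{Allowed: true, Reason: "all images satisfy the Tenant policy"}
}

func main() {
	// Constructed sample policies and Pod images, one per use case from the issue.
	policies := map[string]ImageTagPolicy{
		"prod-web":    {Mode: ModeAllow, TagRegex: `v?[0-9]+\.[0-9]+\.[0-9]+`},
		"prod-pinned": {DigestOnly: true},
		"dev-web":     {Mode: ModeDeny, TagRegex: "latest"},
	}
	for _, s := range []struct{ ns, image string }{
		{"kube-system", "registry.example.com:5000/infra/agent"},
		{"prod-web", "registry.example.com:5000/app/api:1.4.2"},
		{"prod-web", "registry.example.com:5000/app/api:latest-1.4.2"},
		{"prod-pinned", "app/api@sha256:" + strings.Repeat("ab", 32)},
		{"dev-web", "nginx"},
	} {
		res := ValidatePod(policies, s.ns, []string{s.image})
		fmt.Printf("%-12s %-50s allowed=%-5v %s\n", s.ns, s.image, res.Allowed, res.Reason)
	}
}
```

Running it prints one line per sample; the untagged nginx image in dev-web is rejected as latest, and the latest-1.4.2 tag in prod-web is rejected because the anchored semver pattern does not match the whole tag. In a real webhook the policy would come from the Tenant object resolved through the namespace indexer, and the regex should be compiled once at Tenant admission time rather than on every Pod.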
@prometherion
Member

Definitely, an interesting feature proposal.

I have just a single remark here: this seems more like business logic that should be handled at the CD level.
Although that could be implemented in the Tenant definition, I would say that additional custom checks could be added here.

What we're planning is to provide a programmable admission webhook spec using the Rego DSL, and most of the actual logic (like the checks we're planning to implement) could be translated there.

But let's start the discussion, anyway: @bsctl what do you think about this?

@bsctl
Member

bsctl commented Nov 11, 2020

I would say leave it as part of #51.

@prometherion
Member

LGTM, let's close as you said, but I'd like to thank @emanuelr93 for your feature request: we're going to address it when implementing OPA/Gatekeeper natively, and I guess this validation can be a valid use case.
