🏷️ Prohibit the use of the "latest" tag across component Docker images

ndebuhr · ndebuhr · commit aa6d5a030a3e · 2021-07-30T04:05:28.000Z
diff --git a/helm/templates/policy-latest-tag.yaml b/helm/templates/policy-latest-tag.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: DisallowedTags
+metadata:
+  name: container-image-must-not-have-latest-tag
+spec:
+  match:
+    kinds:
+    - apiGroups: [""]
+      kinds: ["Pod"]
+    namespaces:
+    - "cloud-native-workstation"
+  parameters:
+    tags: ["latest"]
diff --git a/kubernetes/constraint-templates.yaml b/kubernetes/constraint-templates.yaml
@@ -93,4 +93,44 @@ spec:
           container := input.review.object.spec[field][_]
           missing(container.resources.limits, "memory")
           msg := sprintf("container <%v> has no memory limit", [container.name])
+        }
+---
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: disallowedtags
+spec:
+  crd:
+    spec:
+      names:
+        kind: DisallowedTags
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            tags:
+              type: array
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package disallowedtags
+        violation[{"msg": msg}] {
+          container := input_containers[_]
+          tags := [forbid | tag = input.parameters.tags[_] ; forbid = endswith(container.image, concat(":", ["", tag]))]
+          any(tags)
+          msg := sprintf("container <%v> uses a disallowed tag <%v>; disallowed tags are %v", [container.name, container.image, input.parameters.tags])
+        }
+        violation[{"msg": msg}] {
+          container := input_containers[_]
+          tag := [contains(container.image, ":")]
+          not all(tag)
+          msg := sprintf("container <%v> didn't specify an image tag <%v>", [container.name, container.image])
+        }
+        input_containers[c] {
+          c := input.review.object.spec.containers[_]
+        }
+        input_containers[c] {
+          c := input.review.object.spec.initContainers[_]
         }
diff --git a/opa/gatekeeper.sh b/opa/gatekeeper.sh
@@ -14,9 +14,11 @@ do
     deploymentselector=$?
     kubectl get resourcelimit 2> /dev/null
     resourcelimit=$?
+    kubectl get disallowedtags 2> /dev/null
+    disallowedtags=$?
     # Exit code 0 means there were no resources found (desired behavior)
     # Before CRD registration, the exit code for the get commands is 1
-    if [ $requiredlabels -ne 0 ] || [ $deploymentselector -ne 0 ] ||  [ $resourcelimit -ne 0 ]
+    if [ $requiredlabels -ne 0 ] || [ $deploymentselector -ne 0 ] ||  [ $resourcelimit -ne 0 ] || [ $disallowedtags -ne 0 ]
     then
         echo "Constraint Template CRDs: Still creating..."
         sleep 5
@@ -32,4 +34,5 @@ set -x
 kubectl get requiredlabels
 kubectl get deploymentselector
 kubectl get resourcelimit
+kubectl get disallowedtags
 exit 3
