☑️ Ensure each container image has a pinned (tag) version
When an image tag is not descriptive (e.g. lacking the version tag like 1.19.8), every time that image is pulled, the version will be a different version and might break your code. Also, a non-descriptive image tag does not allow you to easily roll back (or forward) to different image versions. It is better to use concrete and meaningful tags such as version strings or an image SHA.
Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job
Complexity: easy (What does this mean?)
Policy as code identifier: CONTAINERS_MISSING_IMAGE_VALUE_VERSION
This rule will fail
If a container image has no image version or is using latest as its image tag version
spec:
containers:
- name: app
image: nginx
spec:
containers:
- name: app
image: nginx:latest
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Ensure each container image has a pinned (tag) version [1 occurrence]
💡 Incorrect value for key `image` - specify an image version to avoid unpleasant "version surprises" in the future
How to fix this failure
Each container image should have a pinned version tag or image ID (aka image SHA)
spec:
containers:
- name: app
image: nginx:1.19.8
spec:
containers:
- name: app
image: nginx@sha256:0a564e80a3156f2cc825d1720f303d59bd521da19bcbd01316870e1313ecbd23