☑️ Ensure each container image has a pinned (tag) version

When an image tag is not descriptive (e.g. it lacks a version tag such as 1.19.8), each pull of that image may fetch a different version, which might break your code. A non-descriptive image tag also makes it hard to roll back (or forward) to a different image version. It is better to use concrete and meaningful tags such as version strings or an image SHA.

Targeted resources by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Enabled by default? True

Policy as code identifier: CONTAINERS_MISSING_IMAGE_VALUE_VERSION

This rule will fail

If a container image has no image version or uses "latest" as its image tag


Rule output in the CLI


How to fix this failure

Each container image should have a pinned version tag or image ID (aka image SHA)
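The check described above can be reproduced locally. The following is an added example, not the policy engine's own implementation: the function names and sample manifest are hypothetical, manifests are assumed to be already parsed from YAML into dicts, and covering initContainers is this example's choice rather than something the rule description states.

```python
import re

# Kinds the rule targets, mapped to where the pod spec sits in the manifest.
POD_SPEC_PATHS = {
    "Pod": ["spec"],
    "CronJob": ["spec", "jobTemplate", "spec", "template", "spec"],
}
for _kind in ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"):
    POD_SPEC_PATHS[_kind] = ["spec", "template", "spec"]

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_is_pinned(image):
    """True if the reference carries a digest or a tag other than 'latest'."""
    if DIGEST.search(image):
        return True
    if "@" in image:  # digest marker present but malformed
        return False
    # A tag is a ':' in the last path segment; an earlier ':' is a registry port.
    last_segment = image.rsplit("/", 1)[-1]
    _name, sep, tag = last_segment.partition(":")
    return bool(sep) and tag not in ("", "latest")


def unpinned_images(manifest):
    """Return (container name, image) pairs that would fail the check."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:  # kind not targeted by the rule
        return []
    node = manifest
    for key in path:
        node = node.get(key) or {}
    # Assumption: initContainers are checked the same way as containers.
    containers = (node.get("containers") or []) + (node.get("initContainers") or [])
    return [(c.get("name"), c.get("image", "")) for c in containers
            if not image_is_pinned(c.get("image", ""))]


# Constructed sample manifest for illustration.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx"},                   # no tag
        {"name": "proxy", "image": "localhost:5000/nginx"},  # port, not a tag
        {"name": "cache", "image": "redis:latest"},          # mutable tag
        {"name": "api", "image": "nginx:1.19.8"},            # pinned
    ]}}},
}
```

Note that a version tag can still be re-pushed by the image publisher, whereas an image SHA always refers to the same content.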

