Enforce Image Version 1.1.3

Enforces that every container is using an image which references a specific version. It also prevents using the latest tag, which by convention is overwritten when pushing a newer image version.


Note that this policy is part of the following security standards:

  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A6
  • Images
  • Security
  • bsi/containerization

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
-         image: nginx
+         image: nginx:1.19.8
          ports:
            - containerPort: 80

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.enforceimageversion as on the example below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.enforceimageversion: |-
      The image vendor provides the image only with the tag "latest".
...