Enforces that every container is using an image which references a specific version.
It also prevents using the latest
tag, which by convention is overwritten when pushing a newer image version.
Note that this policy is part of the following security standards:
bsi/containerization
: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A6apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
- image: nginx
+ image: nginx:1.19.8
ports:
- containerPort: 80
securitytower.io/policy.exclusion.enforceimageversion
as on the example below.
apiVersion: apps/v1 kind: Deployment metadata: name: your-deployment annotations: securitytower.io/policy.exclusion.enforceimageversion: |- The image vendor provides the image only with the tag "latest". ...