Require Images Use Checksums in CEL expressions
Pulling an image by its digest (the `@sha256:...` form, a SHA checksum of the image manifest) is preferable to pulling by tag, because tags are mutable and can be overwritten with different content. This policy checks that every container image in a Pod is referenced with a checksum rather than a tag only. Note the rule's scope: it inspects `spec.containers` (not `initContainers`), and it treats the presence of an `@` in the image reference as sufficient; a reference such as `app:1.2@sha256:...` therefore passes, which is correct, since the digest rather than the tag determines what is pulled.
Policy Definition
/other-cel/require-image-checksum/require-image-checksum.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-checksum
  annotations:
    policies.kyverno.io/title: Require Images Use Checksums in CEL expressions
    policies.kyverno.io/category: Sample in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Use of a SHA checksum when pulling an image is often preferable because tags
      are mutable and can be overwritten. This policy checks to ensure that all images
      use SHA checksums rather than tags.
spec:
  # Audit reports violations without blocking; switch to Enforce to reject Pods.
  validationFailureAction: Audit
  # Also scan existing Pods, not only admission requests.
  background: true
  rules:
    - name: require-image-checksum
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            # Only spec.containers is inspected, and any '@' in the reference
            # satisfies the check; initContainers are not covered by this rule.
            - expression: "object.spec.containers.all(container, container.image.contains('@'))"
              message: "Images must use checksums rather than tags."
```
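The following Python script is an added example, not code from the Kyverno policy repository. It reproduces the page's CEL rule offline over constructed Pod manifests and places a stricter variant beside it: one that also covers `initContainers` and `ephemeralContainers` and requires a well-formed `@sha256:<64 hex>` digest rather than any `@`. The image references, the Pod builder and the `demo` function are all constructed for the example.

```python
"""Offline check mirroring the require-image-checksum policy (added example,
not Kyverno's own code). It evaluates constructed Pod manifests with the
page's CEL rule (spec.containers only, any '@') and with a stricter variant
that covers every container list and demands a well-formed sha256 digest."""
import re

# A pinned reference ends in @sha256:<64 lowercase hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def page_rule(pod: dict) -> bool:
    """Equivalent of object.spec.containers.all(c, c.image.contains('@'))."""
    return all("@" in c["image"] for c in pod["spec"]["containers"])


def all_images(pod: dict):
    """Yield (container list, image) for every container kind in a Pod."""
    spec = pod["spec"]
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(key, []):
            yield key, c["image"]


def strict_rule(pod: dict) -> list:
    """Return the images that are NOT pinned by a sha256 digest (empty list = pass)."""
    return [img for _, img in all_images(pod) if not DIGEST_RE.search(img)]


def make_pod(containers, init=None, ephemeral=None) -> dict:
    """Build a minimal Pod manifest (constructed test input)."""
    spec = {"containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(containers)]}
    if init:
        spec["initContainers"] = [{"name": f"i{i}", "image": img} for i, img in enumerate(init)]
    if ephemeral:
        spec["ephemeralContainers"] = [{"name": f"e{i}", "image": img} for i, img in enumerate(ephemeral)]
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": spec}


# Constructed image references; the digests are placeholder hex, not real images.
GOOD = "ghcr.io/example/app@sha256:" + "ab" * 32
TAGGED = "ghcr.io/example/app:1.4.2"                             # mutable tag: must fail
TAG_AND_DIGEST = "ghcr.io/example/app:1.4.2@sha256:" + "cd" * 32  # digest wins: passes
PORT_ONLY = "registry.internal:5000/example/app"                  # ':' is a port, not a tag
BAD_DIGEST = "ghcr.io/example/app@sha256:deadbeef"                # has '@' but no full digest


def demo() -> dict:
    """Run both rules over representative Pods and return {name: (page_ok, strict_offenders)}."""
    pods = {
        "pinned": make_pod([GOOD, TAG_AND_DIGEST]),
        "tagged": make_pod([TAGGED]),
        "port-only": make_pod([PORT_ONLY]),
        "init-unpinned": make_pod([GOOD], init=[TAGGED]),
        "ephemeral-unpinned": make_pod([GOOD], ephemeral=[TAGGED]),
        "short-digest": make_pod([BAD_DIGEST]),
    }
    return {name: (page_rule(p), strict_rule(p)) for name, p in pods.items()}


if __name__ == "__main__":
    for name, (page_ok, offenders) in demo().items():
        print(f"{name:20s} page-rule={page_ok!s:5s} strict-offenders={offenders}")
```

The `init-unpinned`, `ephemeral-unpinned` and `short-digest` cases are the ones where the two rules disagree: the page's rule passes them, the strict rule flags the unpinned image. Translated back into CEL (my own translation, not taken from the page), the strict check for one list reads `object.spec.containers.all(c, c.image.matches('@sha256:[0-9a-f]{64}$'))`, with the optional lists guarded as `!has(object.spec.initContainers) || object.spec.initContainers.all(...)`. Ephemeral containers are added through the Pod's `ephemeralcontainers` subresource rather than on CREATE/UPDATE of the Pod itself, so matching them in Kyverno requires a rule that targets that subresource.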