Block Stale Images
Old images usually contain open security vulnerabilities that have not been patched. This policy inspects the metadata of every container image for its creation time and, if it finds any image that was built more than 6 months ago, blocks the deployment.
Policy Definition
/other/block_stale_images/block-stale-images.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-stale-images
  annotations:
    policies.kyverno.io/title: Block Stale Images
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Images that are old usually have some open security vulnerabilities which are not patched.
      This policy checks the contents of every container image and inspects them for the create time.
      If it finds any image which was built more than 6 months ago this policy blocks the deployment.
spec:
  validationFailureAction: audit
  rules:
  - name: block-stale-images
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Images built more than 6 months ago are prohibited."
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        deny:
          conditions:
            all:
            - key: "{{ time_since('', '{{ imageData.configData.created }}', '') }}"
              operator: GreaterThan
              value: 4380h
```
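As an added illustration (not Kyverno's code and not part of the policy above), the rule's logic re-implemented offline in Python: the imageRegistry context lookup is replaced by a constructed table mapping image references to the `created` field of their OCI image config, a fixed clock stands in for the current time, and the `failure_action` parameter mirrors `validationFailureAction`, so with the policy's `audit` setting a stale image is reported but the Pod is not actually blocked.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=4380)  # the policy's "value: 4380h", roughly 6 months

# Constructed stand-in for the imageRegistry context: image reference -> the
# "created" field of the OCI image config (imageData.configData.created).
CONSTRUCTED_REGISTRY = {
    "registry.example.com/app:fresh": "2024-09-01T10:00:00.123456789Z",
    "registry.example.com/app:stale": "2023-01-15T08:30:00Z",
    "registry.example.com/app:noinfo": None,  # config blob lacks "created"
}
SAMPLE_NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)  # fixed clock, constructed
SAMPLE_POD = {"spec": {"containers": [
    {"name": "web", "image": "registry.example.com/app:fresh"},
    {"name": "worker", "image": "registry.example.com/app:stale"},
]}}

_FRACTION = re.compile(r"\.(\d+)")

def parse_rfc3339(ts):
    """Parse an OCI 'created' timestamp: RFC 3339, 'Z' suffix, up to nanoseconds."""
    ts = ts.strip()
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    # fromisoformat accepts only 3 or 6 fractional digits, so normalise to 6.
    ts = _FRACTION.sub(lambda m: "." + m.group(1)[:6].ljust(6, "0"), ts, count=1)
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def evaluate_pod(pod, registry, now, failure_action="audit"):
    """Per container, deny when time_since(created) > 4380h; returns (violations, blocked)."""
    violations = []
    for c in pod["spec"]["containers"]:
        created = registry.get(c["image"])
        if created is None:
            # This example fails closed: an image whose age cannot be determined
            # is reported rather than silently passing the check.
            violations.append((c["name"], c["image"], "no created timestamp"))
            continue
        age = now - parse_rfc3339(created)
        if age > MAX_AGE:
            violations.append((c["name"], c["image"], f"{age.days} days old"))
    # Only an 'enforce' policy turns a violation into a rejected admission request.
    return violations, bool(violations) and failure_action == "enforce"
```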