If the `latest` tag is allowed for images, set the `imagePullPolicy` field to `Always` so that, if the tag is overwritten, future pulls get the updated image. This policy validates that `imagePullPolicy` is set to `Always` when the `latest` tag is specified explicitly or when no tag is defined at all.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: imagepullpolicy-always
  annotations:
    policies.kyverno.io/title: Require imagePullPolicy Always
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      If the `latest` tag is allowed for images, it is a good idea to have the
      imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future
      pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always`
      when the `latest` tag is specified explicitly or where a tag is not defined at all.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: imagepullpolicy-always
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        The imagePullPolicy must be set to `Always` when the tag `latest` is used.
      pattern:
        spec:
          containers:
          - (image): "*:latest | !*:*"
            imagePullPolicy: Always
```
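To see which containers the `(image): "*:latest | !*:*"` anchor selects, the following added example (not part of the policy or of Kyverno) models the pattern in Python, with `fnmatch` standing in for Kyverno's wildcard matching as an assumption. The Pod manifest is constructed sample data; it shows that a tagless image behind a registry port, and anything under `initContainers`, is not checked by this pattern.

```python
from fnmatch import fnmatchcase

# Conditional anchor copied from the policy: (image): "*:latest | !*:*"
ANCHOR = "*:latest | !*:*"

def anchor_matches(image, pattern=ANCHOR):
    """True if any '|' alternative matches; a leading '!' negates the glob."""
    for alt in (p.strip() for p in pattern.split("|")):
        if alt.startswith("!"):
            if not fnmatchcase(image, alt[1:]):
                return True
        elif fnmatchcase(image, alt):
            return True
    return False

def violations(pod):
    """Names of containers this pattern would report for a Pod manifest."""
    bad = []
    # The pattern lists only spec.containers, so nothing else is inspected.
    for c in pod.get("spec", {}).get("containers", []):
        # Anchor not satisfied: the imagePullPolicy check is skipped.
        if not anchor_matches(c["image"]):
            continue
        if c.get("imagePullPolicy") != "Always":
            bad.append(c["name"])
    return bad

# Constructed sample Pod (hypothetical names and registry, not from the page).
SAMPLE_POD = {
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox:latest",
             "imagePullPolicy": "IfNotPresent"},
        ],
        "containers": [
            {"name": "explicit-latest", "image": "nginx:latest",
             "imagePullPolicy": "IfNotPresent"},
            {"name": "no-tag", "image": "nginx", "imagePullPolicy": "Never"},
            {"name": "latest-always", "image": "nginx:latest",
             "imagePullPolicy": "Always"},
            {"name": "pinned", "image": "nginx:1.25",
             "imagePullPolicy": "IfNotPresent"},
            # Untagged, but the registry port supplies a ':' so "!*:*" fails.
            {"name": "port-no-tag", "image": "registry.example:5000/app",
             "imagePullPolicy": "IfNotPresent"},
        ],
    }
}

if __name__ == "__main__":
    print(violations(SAMPLE_POD))
```
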
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.