If the `latest` tag is allowed for images, it is a good idea to set the `imagePullPolicy` field to `Always` so that, should the tag be overwritten, future pulls get the updated image. This policy validates that `imagePullPolicy` is set to `Always` when the `latest` tag is specified explicitly or when no tag is defined at all.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: imagepullpolicy-always
  annotations:
    policies.kyverno.io/title: Require imagePullPolicy Always
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      If the `latest` tag is allowed for images, it is a good idea to have the
      imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future
      pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always`
      when the `latest` tag is specified explicitly or where a tag is not defined at all.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: imagepullpolicy-always
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        The imagePullPolicy must be set to `Always` when the tag `latest` is used.
      pattern:
        spec:
          containers:
          - (image): "*:latest | !*:*"
            imagePullPolicy: Always
```
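To see which containers the conditional anchor `(image): "*:latest | !*:*"` actually selects, the following added example (not part of the Kyverno policy library) emulates the rule over a constructed Pod. It assumes Kyverno's `*` wildcard can be approximated with Python's `fnmatchcase`; the container names, registry host and digest placeholder are made up for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: fnmatchcase stands in for Kyverno's `*` wildcard matching,
# which is equivalent for image strings that contain no `?` or `[`.
def anchor_applies(image: str) -> bool:
    """Emulate the conditional anchor (image): "*:latest | !*:*"."""
    explicit_latest = fnmatchcase(image, "*:latest")
    no_colon_at_all = not fnmatchcase(image, "*:*")
    return explicit_latest or no_colon_at_all

def violations(pod: dict) -> list:
    """Names of containers that are selected by the anchor and fail the rule."""
    failed = []
    for c in pod["spec"]["containers"]:
        if anchor_applies(c["image"]) and c.get("imagePullPolicy") != "Always":
            failed.append(c["name"])
    return failed

# Constructed sample Pod (hypothetical names, registry and digest placeholder).
SAMPLE_POD = {"spec": {"containers": [
    {"name": "explicit-latest", "image": "nginx:latest",
     "imagePullPolicy": "IfNotPresent"},        # selected, fails
    {"name": "no-tag", "image": "nginx",
     "imagePullPolicy": "Never"},               # selected, fails
    {"name": "latest-always", "image": "nginx:latest",
     "imagePullPolicy": "Always"},              # selected, passes
    {"name": "pinned-tag", "image": "nginx:1.25.3",
     "imagePullPolicy": "IfNotPresent"},        # not selected
    {"name": "pinned-digest", "image": "nginx@sha256:<digest>",
     "imagePullPolicy": "IfNotPresent"},        # not selected (contains ':')
    # Untagged image, but the registry port supplies a ':' so `!*:*` is false
    # and the rule never evaluates this container.
    {"name": "port-no-tag", "image": "registry.example.com:5000/nginx",
     "imagePullPolicy": "IfNotPresent"},
]}}

if __name__ == "__main__":
    for c in SAMPLE_POD["spec"]["containers"]:
        print(f'{c["name"]:16} selected={anchor_applies(c["image"])}')
    print("violations:", violations(SAMPLE_POD))
```

The `port-no-tag` case is worth checking in your own clusters: an untagged image pulled from a registry addressed with a port resolves to `latest` but is skipped by this pattern.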
This policy performs some best-practice validation on Application fields: either `path` or `chart` must be specified, but never both, and either `destination.name` or `destination.server` must be specified, but never both.
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.