kind: ConfigMap apiVersion: v1 metadata: name: deployment-valid-image-version namespace: opa labels: app: opa owner: jimmy openpolicyagent.org/policy: rego data: main: | package kubernetes.admission import data.lib.k8s.helpers as helpers deny[msg] { helpers.request_kind = "Deployment" helpers.allowed_operations[helpers.request_operation] image = helpers.deployment_containers[_].image invalid_image_version(image) msg = sprintf("%q: %q container image \"latest\" tag/version is not allowed. Resource ID (ns/name/kind): %q", [helpers.deployment_error,image,helpers.request_id]) } invalid_image_version(image) { not contains(image, ":") } invalid_image_version(image) { contains(image, "latest") }