<img src="https://ws.zoominfo.com/pixel/JHVDdRXH2uangmUMQBZd" width="1" height="1" style="display: none;">

Govern Your Image Tags with a Policy

DevOps Kubernetes Policies
Govern Your Image Tags with a Policy
DevOps Kubernetes Policies


Setting image tags is a core feature of your pod spec. Not setting this in your manifest can lead to nightmarish situations. If we take it a step further, simply adding a tag isn’t quite enough. How can you be sure that these values are set using any value except latest, across all of your Kubernetes clusters?

How Magalix Helps?

By default, Magalix KubeAdvisor comes equipped with a governance policy that detects whether or not an image tag is set, and whether or not that tag is latest. Magalix, alongside Kubernetes documentation, recommends not using latest for your container image tags to avoid some undesired behavior depending on how your image tagging is set up.

Identifying the Issue

When logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left.You’ll be brought to the Issues Dashboard. The first thing you’ll notice are donut graphs enumerating the total number of Advisor violations, the total number of Advisors, as well as a breakdown for each Advisor in violation.

As you scroll down the page, locate image_tags_enforce. In our example, we can see that we have some entities in violation.

Issue Page

If you click on the issue, you will be presented with the entities that are out of compliance for this particular Advisor, along with a brief description of the image_tags_enforce policy.

Recommendation Page

1. Image_tag_enforce

At the top of the page you will see which policy has been violated, along with the entity type.

2. Description

This gives you a brief overview of what the policy is about.

3. Evidence

As a part of the violation, Magalix KubeAdvisor displays a snapshot of your manifest so you can reference where the problem is. In our case, we can see here that our demoservice doesn’t have a tag at all, which violates the Advisor.

4. Resolution

Based on the resolution provided, it looks like we should add a tag to our image.

5. History

At the bottom of the page, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.


Configuring an image tag is good practice. Not setting it to latest is best practice. Explicitly setting the image tag to something other than latest will ensure you are deploying the version of the container you want without having to solve any mysteries. In production, being particular may be the difference between a working backend, or an unhappy end-user.

We recommend coupling this policy with the imagePullPolicy as the pair of policies are typically used together to construct your desired behavior. You can also review our other default policies to help maintain control of your environment.

Check your Cluster's Compliance with Magalix for FREE 


Get Started


Comments and Responses

Related Articles

Product In-Depth: Enforce Policies and Standards from a Single Console

Magalix provides a single management interface to control, enforce and visualize the state of compliance for all of your clusters.

Read more
Product In-Depth: Centralized Policy Management

achieving DevSecOps isn’t as difficult as you may have been led to believe. Interested in learning more about how to start resolving violations in minutes

Read more
Product In Depth: Detailed Violation Analysis

Security, compliance, and governance are not just one-time events that happen every so often. Managing a compliant environment is a 24x7 operation.

Read more