
Govern Your Image Tags with a Policy


Overview

Setting image tags is a core feature of your pod spec. Not setting this in your manifest can lead to nightmarish situations. If we take it a step further, simply adding a tag isn’t quite enough. How can you be sure that these values are set using any value except latest, across all of your Kubernetes clusters?

How Magalix Helps

By default, Magalix KubeAdvisor comes equipped with a governance policy that detects whether or not an image tag is set, and whether or not that tag is latest. Magalix, alongside Kubernetes documentation, recommends not using latest for your container image tags to avoid some undesired behavior depending on how your image tagging is set up.
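The two conditions described above (no tag set, or a tag of latest) can be checked against a manifest as in the following added example, which is not Magalix's policy code. The function names and the sample manifest are constructed for illustration, and treating a digest-pinned image as compliant is an assumption of this example that goes beyond what the policy description states.

```python
# Added example, not Magalix's policy code. Function names and the sample
# manifest are constructed for illustration.

def image_tag(image):
    """Return the tag of an image reference, or None when no tag is set."""
    name = image.split("@", 1)[0]      # drop a trailing @sha256:... digest
    last = name.rsplit("/", 1)[-1]     # a ":" before the last "/" is a registry port
    return last.split(":", 1)[1] if ":" in last else None

def pod_spec(manifest):
    """Find the pod spec of a Pod, a templated workload, or a CronJob."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    return spec

def tag_violations(manifest):
    """Return (container, image, reason) for every container in violation."""
    spec = pod_spec(manifest)
    found = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        image = c.get("image", "")
        if "@" in image:
            continue                   # assumption: a digest pin counts as explicit
        tag = image_tag(image)
        if tag is None:
            found.append((c.get("name"), image, "no tag set"))
        elif tag == "latest":
            found.append((c.get("name"), image, "tag is latest"))
    return found

# Constructed sample: a Deployment reduced to the fields the check reads.
SAMPLE = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "setup", "image": "busybox@sha256:" + "0" * 64}],  # placeholder digest
        "containers": [
            {"name": "demoservice", "image": "registry.example.com:5000/demoservice"},
            {"name": "proxy", "image": "nginx:latest"},
            {"name": "cache", "image": "redis:6.2.6"},
        ]}}},
}

if __name__ == "__main__":
    for name, image, reason in tag_violations(SAMPLE):
        print(f"{name}: {image} -> {reason}")
```

The registry port in the demoservice reference is the case a naive split on ":" gets wrong: it would read 5000/demoservice as a tag and let an untagged image pass.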

Identifying the Issue

When logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left.

You’ll be brought to the Issues Dashboard. The first thing you’ll notice are donut graphs enumerating the total number of Advisor violations, the total number of Advisors, as well as a breakdown for each Advisor in violation.

As you scroll down the page, locate image_tags_enforce. In our example, we can see that we have some entities in violation.

Issue Page

If you click on the issue, you will be presented with the entities that are out of compliance for this particular Advisor, along with a brief description of the image_tags_enforce policy.

Recommendation Page

1. Image_tag_enforce

At the top of the page you will see which policy has been violated, along with the entity type.

2. Description

This gives you a brief overview of what the policy is about.

3. Evidence

As a part of the violation, Magalix KubeAdvisor displays a snapshot of your manifest so you can reference where the problem is. In our case, we can see here that our demoservice doesn’t have a tag at all, which violates the Advisor.

4. Resolution

Based on the resolution provided, it looks like we should add a tag to our image.

5. History

At the bottom of the page, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.

Conclusion

Configuring an image tag is good practice. Not setting it to latest is best practice. Explicitly setting the image tag to something other than latest will ensure you are deploying the version of the container you want without having to solve any mysteries. In production, being particular may be the difference between a working backend, or an unhappy end-user.

We recommend coupling this policy with the imagePullPolicy, as the two policies are typically used together to construct your desired behavior. You can also review our other default policies to help maintain control of your environment.

