
Govern Your Image Tags with a Policy



The image tag is a core part of your pod spec. Leaving it out of your manifest can lead to nightmarish situations, and simply adding a tag isn’t quite enough either. How can you be sure that every image tag is set, and set to a value other than latest, across all of your Kubernetes clusters?

How Magalix Helps

By default, Magalix KubeAdvisor comes equipped with a governance policy that detects whether or not an image tag is set, and whether or not that tag is latest. Magalix, alongside Kubernetes documentation, recommends not using latest for your container image tags to avoid some undesired behavior depending on how your image tagging is set up.

Identifying the Issue

After logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left. You’ll be brought to the Issues Dashboard. The first things you’ll notice are donut graphs showing the total number of Advisor violations and the total number of Advisors, as well as a breakdown for each Advisor in violation.

As you scroll down the page, locate image_tags_enforce. In our example, we can see that we have some entities in violation.

Issue Page

If you click on the issue, you will be presented with the entities that are out of compliance for this particular Advisor, along with a brief description of the image_tags_enforce policy.

Recommendation Page

1. image_tags_enforce

At the top of the page you will see which policy has been violated, along with the entity type.

2. Description

This gives you a brief overview of what the policy is about.

3. Evidence

As a part of the violation, Magalix KubeAdvisor displays a snapshot of your manifest so you can reference where the problem is. In our case, we can see here that our demoservice doesn’t have a tag at all, which violates the Advisor.

4. Resolution

Based on the resolution provided, it looks like we should add a tag to our image.

5. History

At the bottom of the page, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.


Configuring an image tag is good practice. Not setting it to latest is best practice. Explicitly setting the image tag to something other than latest ensures you are deploying the version of the container you want, without having to solve any mysteries. In production, being particular may be the difference between a working backend and an unhappy end-user.
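A local check in the spirit of the policy described above, as an added example that is not Magalix's own policy code. The manifest, the image names and the function names are constructed for illustration, and treating a digest-pinned image as compliant is an assumption of this example, not something the article states.

```python
import json

# Constructed sample manifest (not from the original page). The container name
# "demoservice" mirrors the entity the article mentions; the images are made up.
MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "demoservice"},
 "spec": {"template": {"spec": {
   "initContainers": [{"name": "init", "image": "busybox:latest"}],
   "containers": [
     {"name": "demoservice", "image": "registry.example.com:5000/demoservice"},
     {"name": "sidecar", "image": "registry.example.com:5000/proxy:1.4.2"},
     {"name": "pinned", "image": "example/app@sha256:0123abcd"}
   ]}}}}
""")

def image_tag(image):
    """Return the tag of an image reference, or None if no tag is set."""
    name = image.split("@", 1)[0]      # drop a digest suffix, if any
    last = name.rsplit("/", 1)[-1]     # a ':' before the last '/' is a registry port
    return last.split(":", 1)[1] if ":" in last else None

def pod_spec(obj):
    """Locate the pod spec in a Pod or in a workload with spec.template."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def check_image_tags(obj):
    """Return (container, image, reason) for each image-tag violation."""
    violations = []
    spec = pod_spec(obj)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        image = c.get("image", "")
        if "@" in image:
            continue  # assumption of this example: a digest pin counts as explicit
        tag = image_tag(image)
        if tag is None:
            violations.append((c["name"], image, "no tag set"))
        elif tag == "latest":
            violations.append((c["name"], image, "tag is latest"))
    return violations

if __name__ == "__main__":
    for name, image, reason in check_image_tags(MANIFEST):
        print(f"{name}: {image}: {reason}")
```

The registry port case is the one a naive split on ":" gets wrong: registry.example.com:5000/demoservice has no tag, even though it contains a colon.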

We recommend coupling this policy with the imagePullPolicy policy, as the two are typically used together to construct your desired behavior. You can also review our other default policies to help maintain control of your environment.
