Setting image tags is a core feature of your pod spec. Not setting this in your manifest can lead to nightmarish situations. If we take it a step further, simply adding a tag isn’t quite enough. How can you be sure that every image tag is set to a value other than latest, across all of your Kubernetes clusters?
How Magalix Helps
By default, Magalix KubeAdvisor comes equipped with a governance policy that detects whether or not an image tag is set, and whether or not that tag is latest. Magalix, alongside Kubernetes documentation, recommends not using latest for your container image tags to avoid some undesired behavior depending on how your image tagging is set up.
Identifying the Issue
When logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left. You’ll be brought to the Issues Dashboard. The first thing you’ll notice are donut graphs enumerating the total number of Advisor violations, the total number of Advisors, as well as a breakdown for each Advisor in violation.
As you scroll down the page, locate image_tags_enforce. In our example, we can see that we have some entities in violation.
If you click on the issue, you will be presented with the entities that are out of compliance for this particular Advisor, along with a brief description of the
At the top of the page you will see which policy has been violated, along with the entity type.
This gives you a brief overview of what the policy is about.
As a part of the violation, Magalix KubeAdvisor displays a snapshot of your manifest so you can reference where the problem is. In our case, we can see here that our demoservice doesn’t have a tag at all, which violates the Advisor.
Based on the resolution provided, it looks like we should add a tag to our image.
At the bottom of the page, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.
Configuring an image tag is good practice. Not setting it to latest is best practice. Explicitly setting the image tag to something other than latest will ensure you are deploying the version of the container you want without having to solve any mysteries. In production, being particular may be the difference between a working backend and an unhappy end user.
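The check described above (tag missing, or tag set to latest) can be sketched as follows. This is an added example, not Magalix's policy code: the function names, the sample manifest, and the choice to treat digest-pinned images as compliant are assumptions. It handles Pods and workloads with a pod template, and does not mistake a registry port for a tag.

```python
# Added example: flag container images with no tag or the "latest" tag.

def image_tag(image):
    """Return the tag of an image reference, or None if no tag is set."""
    name = image.split("@", 1)[0]        # drop a digest suffix if present
    last = name.rsplit("/", 1)[-1]       # a ':' before the last '/' is a registry port
    return last.split(":", 1)[1] if ":" in last else None

def check_image(image):
    """Return the violation reason, or None when the image is compliant."""
    if "@sha256:" in image:
        return None                      # assumption: digest-pinned counts as compliant
    tag = image_tag(image)
    if not tag:
        return "no tag set"
    if tag == "latest":
        return "tag is latest"
    return None

def violations(manifest):
    """List (entity, container, image, reason) for a Pod or pod-template workload."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") != "Pod":
        spec = spec.get("template", {}).get("spec", {})
    found = []
    for key in ("initContainers", "containers"):
        for c in spec.get(key, []):
            image = c.get("image", "")
            reason = check_image(image)
            if reason:
                found.append((manifest["metadata"]["name"], c["name"], image, reason))
    return found

# Constructed sample manifest (as a dict, so no YAML library is needed).
SAMPLE = {
    "kind": "Deployment",
    "metadata": {"name": "demoservice"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "demoservice"},
        {"name": "proxy", "image": "nginx:latest"},
        {"name": "sidecar", "image": "localhost:5000/sidecar"},
        {"name": "api", "image": "registry.example.com:443/api:1.4.2"},
    ]}}},
}

if __name__ == "__main__":
    for v in violations(SAMPLE):
        print(v)
```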
We recommend coupling this policy with the imagePullPolicy as the pair of policies are typically used together to construct your desired behavior. You can also review our other default policies to help maintain control of your environment.