K8s Security Pro
Template #11 | Supply Chain | Professional

Kyverno Disallow Latest Tag

A Kyverno ClusterPolicy that blocks deployments using the mutable :latest image tag, enforcing explicit versioned tags for all containers.

CIS Benchmark: 5.7.3, 5.2.1
MITRE ATT&CK: T1610

Overview

This template deploys a Kyverno ClusterPolicy that rejects any pod using the :latest image tag. The :latest tag is mutable — a registry can silently replace the underlying image at any time. This policy enforces that all containers, init containers, and ephemeral containers use explicit version tags or SHA256 digests.

Security threat addressed: Mutable tags allow supply chain attacks where an attacker overwrites a trusted image tag with a malicious version. All future deployments pull the compromised image without any change to the manifests.

When to use: Deploy this as one of the first admission control policies in every cluster. It catches a common anti-pattern that creates both security and reliability risks.

Threat Model

  • Supply chain integrity: Explicit version tags or SHA digests ensure you deploy exactly the image you tested, not a silently replaced version.
  • Reproducibility: Pinned versions make deployments deterministic, enabling reliable rollbacks and audit trails.
  • Tag mutability attacks: An attacker who gains access to your container registry can replace :latest with a backdoored image.

MITRE ATT&CK:

  • T1610 — Deploy Container: Mutable tags allow silent image replacement in the registry. Pinned versions prevent this.

Real-world scenario: An attacker compromises your CI/CD pipeline and pushes a backdoored image tagged as :latest. All pods that restart or scale up pull the compromised image. With this policy, only explicitly versioned images are allowed.

YAML Source

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
  annotations:
    policies.kyverno.io/title: Disallow Latest Tag
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The ':latest' tag is mutable and can lead to unpredictable behavior.
      This policy ensures that all images use a specific tag or digest.
spec:
  validationFailureAction: enforce
  background: true
  rules:
  - name: validate-image-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Using the ':latest' tag is not allowed. Please specify a version."
      pattern:
        spec:
          containers:
          - image: "!*:latest"
# ... truncated -- get full template with init/ephemeral container rules at k8s-security.pro/pricing

Get the complete template with initContainer and ephemeralContainer rules, plus Kyverno installation guide in the Professional tier.
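The rule above expresses the check as the Kyverno wildcard pattern "!*:latest": an image reference is allowed unless it matches "*:latest". The added example below (not part of this template or of Kyverno; written here to illustrate the check) parses image references the way a registry client does, so that a colon in a registry port such as registry.local:5000/app is not mistaken for a tag, and then audits a constructed Pod manifest across containers, initContainers and ephemeralContainers. It also emulates the page's pattern directly, which makes one caveat visible: an untagged reference such as "nginx" passes "!*:latest" yet is pulled as :latest at runtime. The upstream Kyverno sample policy of the same name closes that gap with a second rule, require-image-tag, whose pattern is "*:*"; that rule is not shown on this page.

```python
"""Classify container image references the way a tag-pinning admission
policy would, and audit a Pod spec across all three container lists.
Added example; not code from the template or from Kyverno."""
import fnmatch
import re

# OCI digests in Kubernetes image references are sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image(ref):
    """Return (repository, tag, digest) for an image reference.

    A colon is only a tag separator when it appears after the last '/',
    so a registry port (registry.local:5000/app) is not read as a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, sep, last = ref.rpartition("/")
    tag = None
    if ":" in last:
        last, tag = last.split(":", 1)
    return head + sep + last, tag, digest


def classify(ref):
    """Return one of: digest, tagged, latest, untagged, malformed-digest."""
    _repo, tag, digest = parse_image(ref)
    if digest is not None:
        return "digest" if DIGEST_RE.match(digest) else "malformed-digest"
    if tag is None:
        return "untagged"  # no tag means the runtime pulls :latest
    if tag == "latest":
        return "latest"
    return "tagged"


def matches_page_pattern(ref):
    """Emulate the policy pattern `!*:latest`: allowed unless the whole
    reference matches the wildcard *:latest (fnmatch's * spans '/' too)."""
    return not fnmatch.fnmatchcase(ref, "*:latest")


CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def find_unpinned_images(pod):
    """Walk every container list of a Pod manifest and report references
    that are not pinned to an explicit, non-latest tag or to a digest."""
    findings = []
    spec = pod.get("spec", {})
    for field in CONTAINER_LISTS:
        for container in spec.get(field, []):
            kind = classify(container["image"])
            if kind not in ("tagged", "digest"):
                findings.append((field, container["name"], container["image"], kind))
    return findings


# Constructed sample Pod (not from the page) covering the edge cases:
# a registry with a port and no tag, an explicit :latest, a pinned tag,
# and a digest-pinned ephemeral container.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example"},
    "spec": {
        "initContainers": [
            {"name": "migrate", "image": "registry.local:5000/migrate"},
        ],
        "containers": [
            {"name": "web", "image": "nginx:1.25.3"},
            {"name": "sidecar", "image": "busybox:latest"},
        ],
        "ephemeralContainers": [
            {"name": "debug", "image": "busybox@sha256:" + "0" * 64},
        ],
    },
}

if __name__ == "__main__":
    for field, name, image, kind in find_unpinned_images(SAMPLE_POD):
        print(f"{field}/{name}: {image} ({kind})")
    # The page's pattern alone lets the untagged init container through:
    print("untagged passes !*:latest:", matches_page_pattern("registry.local:5000/migrate"))
```

Run against the constructed manifest, the audit flags the untagged init container and the :latest sidecar, while the pattern emulation shows that only the sidecar would be rejected by the rule shown on this page.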

Installation

kubectl:

# Install Kyverno first (if not already installed); the chart lives in the
# Kyverno Helm repository, which must be added before `helm install`
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

# Apply the policy
kubectl apply -f 11_kyverno_disallow_latest_tag.yaml

Helm:

helm install k8s-security ./charts/k8s-security -f values-prod.yaml

Kustomize:

kubectl apply -k kustomize/overlays/prod

Verification

# Verify Kyverno is running
kubectl get pods -n kyverno

# Check the policy is active
kubectl get clusterpolicy disallow-latest-tag

# Test that :latest is blocked
kubectl run test-latest --image=nginx:latest --restart=Never
# Expected: Error from server: admission webhook denied the request

# Test that versioned tags work
kubectl run test-versioned --image=nginx:1.25.3 --restart=Never
# Expected: pod/test-versioned created

CIS Benchmark References

  • 5.7.3 — Ensure that image tags are pinned to a specific version. This policy directly enforces version pinning.
  • 5.2.1 — Ensure that admission control policies are in place. Kyverno satisfies this requirement as an admission controller.

MITRE ATT&CK References

  • T1610 — Deploy Container: Mutable tags (:latest) allow attackers to silently replace images in the registry. This policy forces explicit versions, making image substitution detectable.

Get Full Access to This Template

This template is included in the Professional tier and above.
