Required Image Label
No violationsstackroxlowbuilddeployAlert on deployments with images missing the specified label.
- Rationale
- Only images with the specified label should be deployed to ensure all deployments contain approved images.
- Remediation
- Request that the maintainer add the required label to the image.
CategoriesDevOps Best PracticesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.25A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
- SOC 2 2017 TSC
- CC8.1
Generated artifacts
2 of 5 targets supportedrequired-image-label-template.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: requiredimagelabel
spec:
crd:
spec:
names:
kind: RequiredImageLabel
targets:
- target: admission.k8s.gatekeeper.sh
rego: |-
package main
violation[{"msg": msg}] {
obj := input.review.object
# rule 1
required := {"required-label.*"}
not obj.metadata.labels[required[_]]
msg := "[low] Required Image Label: Alert on deployments with images missing the specified label."
}
required-image-label-constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RequiredImageLabel
metadata:
name: required-image-label
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
excludedNamespaces:
- kube-system
- istio-system
enforcementAction: warn
IR (canonical)
{
"id": "d3e480c1-c6de-4cd2-9006-9a3eb3ad36b6",
"name": "Required Image Label",
"description": "Alert on deployments with images missing the specified label.",
"rationale": "Only images with the specified label should be deployed to ensure all deployments contain approved images.",
"remediation": "Request that the maintainer add the required label to the image.",
"severity": "low",
"categories": [
"DevOps Best Practices",
"Security Best Practices"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"namespace": "kube-system"
},
{
"name": "Don't alert on istio-system namespace",
"namespace": "istio-system"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "required-image-label",
"values": [
"required-label.*=required-value.*"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "d3e480c1-c6de-4cd2-9006-9a3eb3ad36b6",
"name": "Required Image Label",
"description": "Alert on deployments with images missing the specified label.",
"rationale": "Only images with the specified label should be deployed to ensure all deployments contain approved images.",
"remediation": "Request that the maintainer add the required label to the image.",
"disabled": true,
"categories": [
"DevOps Best Practices",
"Security Best Practices"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on istio-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "istio-system",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Required Image Label",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "required-label.*=required-value.*"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}