Back to catalog

Required Image Label

No violationsstackroxlowbuilddeploy

Alert on deployments with images missing the specified label.

Rationale
Only images with the specified label should be deployed to ensure all deployments contain approved images.
Remediation
Request that the maintainer add the required label to the image.
CategoriesDevOps Best PracticesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1
SOC 2 2017 TSC
CC8.1

Generated artifacts

2 of 5 targets supported
required-image-label-template.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: requiredimagelabel
spec:
  crd:
    spec:
      names:
        kind: RequiredImageLabel
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |-
        package main


        violation[{"msg": msg}] {
          obj := input.review.object
          # rule 1
          required := {"required-label.*"}
            not obj.metadata.labels[required[_]]
          msg := "[low] Required Image Label: Alert on deployments with images missing the specified label."
        }
required-image-label-constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RequiredImageLabel
metadata:
  name: required-image-label
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
    excludedNamespaces:
      - kube-system
      - istio-system
  enforcementAction: warn
IR (canonical)
{
  "id": "d3e480c1-c6de-4cd2-9006-9a3eb3ad36b6",
  "name": "Required Image Label",
  "description": "Alert on deployments with images missing the specified label.",
  "rationale": "Only images with the specified label should be deployed to ensure all deployments contain approved images.",
  "remediation": "Request that the maintainer add the required label to the image.",
  "severity": "low",
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "namespace": "kube-system"
    },
    {
      "name": "Don't alert on istio-system namespace",
      "namespace": "istio-system"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "required-image-label",
    "values": [
      "required-label.*=required-value.*"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "d3e480c1-c6de-4cd2-9006-9a3eb3ad36b6",
  "name": "Required Image Label",
  "description": "Alert on deployments with images missing the specified label.",
  "rationale": "Only images with the specified label should be deployed to ensure all deployments contain approved images.",
  "remediation": "Request that the maintainer add the required label to the image.",
  "disabled": true,
  "categories": [
    "DevOps Best Practices",
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on kube-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on istio-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "istio-system",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Required Image Label",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "required-label.*=required-value.*"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}