aceat64/reject-lastest-and-edge.yaml

## reject-lastest-and-edge.yaml
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  name: "reject-lastest-and-edge"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
      - apiGroups: ["batch"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["jobs"]
  validations:
    - expression: "object.spec.template.spec.containers.all(c, !c.image.endsWith(':edge'))"
      message: "containers images can not be :latest tag"
    - expression: "object.spec.template.spec.containers.all(c, !c.image.endsWith(':edge'))"
      message: "containers images can not be :edge tag"
---
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "reject-lastest-and-edge-binding"
spec:
  policyName: "reject-lastest-and-edge"
  matchResources:
    namespaceSelector: {}
	apiVersion: admissionregistration.k8s.io/v1alpha1
	kind: ValidatingAdmissionPolicy
	metadata:
	name: "reject-lastest-and-edge"
	spec:
	failurePolicy: Fail
	matchConstraints:
	resourceRules:
	- apiGroups: ["apps"]
	apiVersions: ["v1"]
	operations: ["CREATE", "UPDATE"]
	resources: ["deployments"]
	- apiGroups: ["batch"]
	apiVersions: ["v1"]
	operations: ["CREATE", "UPDATE"]
	resources: ["jobs"]
	validations:
	- expression: "object.spec.template.spec.containers.all(c, !c.image.endsWith(':edge'))"
	message: "containers images can not be :latest tag"
	- expression: "object.spec.template.spec.containers.all(c, !c.image.endsWith(':edge'))"
	message: "containers images can not be :edge tag"
	---
	apiVersion: admissionregistration.k8s.io/v1alpha1
	kind: ValidatingAdmissionPolicyBinding
	metadata:
	name: "reject-lastest-and-edge-binding"
	spec:
	policyName: "reject-lastest-and-edge"
	matchResources:
	namespaceSelector: {}