Pipeline Policy

These rules are applied to Tekton pipeline definitions.

1. Pipeline definition sanity checks

Policies to confirm the Tekton Pipeline definition has the expected kind.

  • Package name: basic

  • Package full path: policy.pipeline.basic

1.1. Pipeline definition has expected kind

Confirm that the pipeline definition has the kind "Pipeline".

  • Rule type: FAILURE

  • Failure message: Unexpected kind '%s' for pipeline definition

  • Code: basic.expected_kind

  • Source

2. Required tasks

RHTAP expects that certain Tekton tasks are executed during image builds. This package includes policy rules to confirm that the pipeline definition includes those required tasks.

  • Package name: required_tasks

  • Package full path: policy.pipeline.required_tasks

2.1. Pipeline contains tasks

Confirm at least one task is present in the pipeline definition.

  • Rule type: FAILURE

  • Failure message: No tasks found in pipeline

  • Code: required_tasks.tasks_found

  • Source

2.2. Required tasks found in pipeline definition

Produce a warning if a task list does not exist in the acceptable bundles rule data.

  • Rule type: WARNING

  • Warning message: Required tasks do not exist for pipeline %q

  • Code: required_tasks.required_tasks_found

  • Source

2.3. Missing required task

Ensure that the set of required tasks is included in the Pipeline definition.

  • Rule type: FAILURE

  • Failure message: %s is missing

  • Code: required_tasks.missing_required_task

  • Source

2.4. Missing future required task

Produce a warning when a task that will be required in the future is not currently included in the Pipeline definition.

  • Rule type: WARNING

  • Warning message: %s is missing and will be required in the future

  • Code: required_tasks.missing_future_required_task

  • Source

2.5. Required task list is present in rule data

Confirm the required-tasks rule data was provided, since it’s required by the policy rules in this package.

  • Rule type: FAILURE

  • Failure message: The required tasks list is missing from the rule data

  • Code: required_tasks.required_tasks_list_present

  • Source

3. Task bundle

To be able to reproduce and audit builds accurately, it’s important to know exactly what happens during the build. To do this, Enterprise Contract requires that all tasks are defined in a set of known and trusted task bundles. This package includes rules to confirm that the tasks in a Pipeline definition are defined in task bundles, and that those task bundles come from the list of known and trusted bundles.

  • Package name: task_bundle

  • Package full path: policy.pipeline.task_bundle

3.1. Task bundle was not used or is not defined

Check for the existence of a task bundle. This rule will fail if the task is not called from a bundle.

  • Rule type: FAILURE

  • Failure message: Pipeline task '%s' does not contain a bundle reference

  • Code: task_bundle.disallowed_task_reference

  • Source

3.2. Task bundle reference is empty

Check that a valid task bundle reference is being used.

  • Rule type: FAILURE

  • Failure message: Pipeline task '%s' uses an empty bundle image reference

  • Code: task_bundle.empty_task_bundle_reference

  • Source

3.3. Unpinned task bundle reference

Check if the Tekton Bundle used for the Tasks in the Pipeline definition is pinned to a digest.

  • Rule type: WARNING

  • Warning message: Pipeline task '%s' uses an unpinned task bundle reference '%s'

  • Code: task_bundle.unpinned_task_bundle

  • Source
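The following is an added example, not Enterprise Contract's own policy code: a small checker that applies rules 1.1, 2.1, 3.1, 3.2 and 3.3 above to a Tekton Pipeline definition and reports findings with the page's rule codes and messages. It assumes each pipeline task references its bundle through the `taskRef.bundle` field, and the sample pipeline and its digest value are constructed placeholders.

```python
import re

# A bundle reference counts as pinned when it ends in a sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def check_pipeline(pipeline):
    """Return a list of (code, level, message) findings for one pipeline."""
    findings = []
    kind = pipeline.get("kind")
    if kind != "Pipeline":  # rule 1.1
        findings.append(("basic.expected_kind", "FAILURE",
                         f"Unexpected kind '{kind}' for pipeline definition"))
    tasks = pipeline.get("spec", {}).get("tasks", [])
    if not tasks:  # rule 2.1
        findings.append(("required_tasks.tasks_found", "FAILURE",
                         "No tasks found in pipeline"))
    for task in tasks:
        name = task.get("name", "")
        ref = task.get("taskRef", {})
        if "bundle" not in ref:  # rule 3.1: task not called from a bundle
            findings.append(("task_bundle.disallowed_task_reference", "FAILURE",
                             f"Pipeline task '{name}' does not contain a bundle reference"))
            continue
        bundle = ref["bundle"]
        if bundle == "":  # rule 3.2
            findings.append(("task_bundle.empty_task_bundle_reference", "FAILURE",
                             f"Pipeline task '{name}' uses an empty bundle image reference"))
        elif not DIGEST_RE.search(bundle):  # rule 3.3: tag or bare name, no digest
            findings.append(("task_bundle.unpinned_task_bundle", "WARNING",
                             f"Pipeline task '{name}' uses an unpinned task bundle reference '{bundle}'"))
    return findings

# Constructed sample (not from the page): one task per outcome.
SAMPLE_PIPELINE = {
    "kind": "Pipeline",
    "spec": {"tasks": [
        {"name": "clone", "taskRef": {"name": "git-clone",
         "bundle": "registry.example/tasks/git-clone@sha256:" + "ab" * 32}},  # pinned
        {"name": "build", "taskRef": {"name": "buildah",
         "bundle": "registry.example/tasks/buildah:0.1"}},  # tag only, unpinned
        {"name": "scan", "taskRef": {"name": "clair-scan", "bundle": ""}},  # empty
        {"name": "local", "taskRef": {"name": "local-task"}},  # no bundle at all
    ]},
}

if __name__ == "__main__":
    for code, level, msg in check_pipeline(SAMPLE_PIPELINE):
        print(f"{level} {code}: {msg}")
```

Rules 3.4 to 3.6 additionally need the acceptable-bundles rule data (with its effective_on dates), which this checker does not model.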

3.4. Task bundle is out of date

For each Task in the Pipeline definition, check if the Tekton Bundle used is the most recent acceptable bundle.

  • Rule type: WARNING

  • Warning message: Pipeline task '%s' uses an out of date task bundle '%s'

  • Code: task_bundle.out_of_date_task_bundle

  • Source

3.5. Task bundle is not acceptable

For each Task in the Pipeline definition, check if the Tekton Bundle used is an acceptable bundle given the tracked effective_on date.

  • Rule type: FAILURE

  • Failure message: Pipeline task '%s' uses an unacceptable task bundle '%s'

  • Code: task_bundle.unacceptable_task_bundle

  • Source

3.6. Missing required data

Confirm the task-bundles rule data was provided, since it’s required by the policy rules in this package.

  • Rule type: FAILURE

  • Failure message: Missing required task-bundles data

  • Code: task_bundle.missing_required_data

  • Source