Pipeline Policy

These rules are applied to Tekton pipeline definitions.

1. Pipeline definition Task bundle policies

To be able to reproduce and audit builds accurately it’s important to know exactly what happens during the build. To do this Enterprise Contract requires that all tasks are defined in a set of known and trusted task bundles. This package includes rules to confirm that the tasks in a Pipeline definition are defined in task bundles, and that the task bundles are from the list of known and trusted bundles.

Package name: task_bundle
Package full path: policy.pipeline.task_bundle

1.1. Missing required data

Confirm the trusted_tasks rule data was provided, since it’s required by the policy rules in this package.

Rule type: FAILURE
FAILURE message: Missing required trusted_tasks data
Code: task_bundle.missing_required_data
Source

1.2. Task bundle is not trusted

For each Task in the Pipeline definition, check if the Tekton Bundle used is a trusted task.

Rule type: FAILURE
FAILURE message: Pipeline task '%s' uses an untrusted task bundle '%s'
Code: task_bundle.untrusted_task_bundle
Source

1.3. Task bundle is out of date

For each Task in the Pipeline definition, check if the Tekton Bundle used is the most recent.

Rule type: WARNING
WARNING message: Pipeline task '%s' uses an out of date task bundle '%s'
Code: task_bundle.out_of_date_task_bundle
Source

1.4. Task bundle reference is empty

Check that a valid task bundle reference is being used.

Rule type: FAILURE
FAILURE message: Pipeline task '%s' uses an empty bundle image reference
Code: task_bundle.empty_task_bundle_reference
Source

1.5. Task bundle was not used or is not defined

Check for the existence of a task bundle. This rule will fail if the task is not called from a bundle.

Rule type: FAILURE
FAILURE message: Pipeline task '%s' does not contain a bundle reference
Code: task_bundle.disallowed_task_reference
Source

1.6. Unpinned task bundle reference

Check if the Tekton Bundle used for the Tasks in the Pipeline definition is pinned to a digest.

Rule type: WARNING
WARNING message: Pipeline task '%s' uses an unpinned task bundle reference '%s'
Code: task_bundle.unpinned_task_bundle
Source

2. Pipeline definition sanity checks

Policies to confirm the Tekton Pipeline definition has the expected kind.

Package name: basic
Package full path: policy.pipeline.basic

2.1. Pipeline definition has expected kind

Confirm that the pipeline definition has the kind "Pipeline".

Rule type: FAILURE
FAILURE message: Unexpected kind '%s' for pipeline definition
Code: basic.expected_kind
Source

3. Required tasks

Konflux expects that certain Tekton tasks are executed during image builds. This package includes policy rules to confirm that the pipeline definition includes those required tasks.

Package name: required_tasks
Package full path: policy.pipeline.required_tasks