Task Policy

These rules are applied to Tekton task definitions.

1. Tekton Task Step image policies

This package ensures that a Task definition contains expected values for the image references used by the Task’s steps.

  • Package name: step_image_registries

  • Package full path: policy.task.step_image_registries

1.1. Permitted step image registry prefix list provided

Confirm the allowed_step_image_registry_prefixes rule data was provided, since it’s required by the policy rules in this package.

Solution: Make sure the data sources contain a key 'allowed_step_image_registry_prefixes' that holds a list of approved registries that can be used to run tasks in the build pipeline.

  • Rule type: FAILURE

  • FAILURE message: %s

  • Code: step_image_registries.step_image_registry_prefix_list_provided

  • Source

1.2. Step images come from permitted registry

Confirm that each step in the Task uses a container image with a URL that matches one of the prefixes in the provided list of allowed step image registry prefixes. The list is customizable via the allowed_step_image_registry_prefixes rule data key.

Solution: Make sure the container image used in each step of the Task comes from an approved registry.

  • Rule type: FAILURE

  • FAILURE message: Step %d uses disallowed image ref '%s'

  • Code: step_image_registries.step_images_permitted

  • Source

2. Tekton Task annotations

Policies to verify that a Tekton Task definition uses well-formed, expected annotations.

  • Package name: annotation

  • Package full path: policy.task.annotation

2.1. Task definition uses expires-on annotation in RFC3339 format

Make sure to use the date format in RFC3339 format in the "build.appstudio.redhat.com/expires-on" annotation.

  • Rule type: FAILURE

  • FAILURE message: Expires on time is not in RFC3339 format: %q

  • Code: annotation.expires_on_format

  • Source

3. Tekton Task result

Verify Tekton Task definitions provide expected results.

  • Package name: results

  • Package full path: policy.task.results

3.1. Required result defined

Verify that the Task defines the required results. This is controlled by the required_task_results rule data key. By default the key is empty, which makes this rule a no-op.

  • Rule type: FAILURE

  • FAILURE message: %s

  • Code: results.required

  • Source

3.2. Rule data provided

Confirm the expected required_task_results rule data key has been provided in the expected format.

Solution: If provided, ensure the rule data is in the expected format.

  • Rule type: FAILURE

  • FAILURE message: %s

  • Code: results.rule_data_provided

  • Source

4. Tekton task kind checks

Policies to verify that a Tekton task definition has the expected value for kind.

  • Package name: kind

  • Package full path: policy.task.kind

4.1. Kind field is present in task definition

Confirm the task definition includes the kind field.

  • Rule type: FAILURE

  • FAILURE message: Required field 'kind' not found

  • Code: kind.kind_present

  • Source

4.2. Task definition has expected kind

Confirm the task definition has the kind "Task".

  • Rule type: FAILURE

  • FAILURE message: Unexpected kind '%s' for task definition

  • Code: kind.expected_kind

  • Source

5. Trusted Artifacts Conventions

Policies to verify that a Tekton task definition conforms to the expected conventions required for using Trusted Artifacts.

  • Package name: trusted_artifacts

  • Package full path: policy.task.trusted_artifacts

5.1. Parameter

Trusted Artifact parameters follow the expected naming convention.

  • Rule type: FAILURE

  • FAILURE message: The parameter %q of the Task %q does not use the _ARTIFACT suffix

  • Code: trusted_artifacts.parameter

  • Source

5.2. Result

Trusted Artifact results follow the expected naming convention.

  • Rule type: FAILURE

  • FAILURE message: The result %q of the Task %q does not use the _ARTIFACT suffix

  • Code: trusted_artifacts.result

  • Source

5.3. Workspace

Tasks that implement the Trusted Artifacts pattern should not allow general purpose workspaces to share data. Instead, data should be passed around via Trusted Artifacts. Workspaces used for other purposes, e.g. providing auth credentials, are allowed. Use the rule data key allowed_trusted_artifacts_workspaces to specify which workspace names are allowed. By default this value is empty, which effectively disallows any workspace.

  • Rule type: FAILURE

  • FAILURE message: General purpose workspace %q is not allowed

  • Code: trusted_artifacts.workspace

  • Effective from: 2024-07-07T00:00:00Z

  • Source
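As an added illustration (not the project's own Rego policy), the following Python re-implements the checks described above for rules 1.1, 1.2, 2.1, 4.1, 4.2 and 5.3 against a constructed Task definition and constructed rule data. The wording of the message for missing rule data, and the assumption that the Task under test implements the Trusted Artifacts pattern, are mine.

```python
# Illustrative re-implementation (not the project's Rego) of rules 1.1, 1.2, 2.1, 4.1, 4.2, 5.3.
from datetime import datetime

EXPIRES_ON = "build.appstudio.redhat.com/expires-on"

def is_rfc3339(value: str) -> bool:
    """RFC3339 needs a full date-time with a UTC offset ('Z' or +hh:mm)."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return dt.tzinfo is not None

def check_task(task: dict, rule_data: dict) -> list:
    """Return the FAILURE messages for one Task definition; empty means it conforms."""
    failures = []
    meta, spec = task.get("metadata", {}), task.get("spec", {})
    # 4.1 / 4.2: kind must be present and equal "Task"
    if "kind" not in task:
        failures.append("Required field 'kind' not found")
    elif task["kind"] != "Task":
        failures.append(f"Unexpected kind '{task['kind']}' for task definition")
    # 1.1 / 1.2: the prefix list must be provided and every step image must match one
    prefixes = rule_data.get("allowed_step_image_registry_prefixes")
    if prefixes is None:  # assumed wording; the page only shows a %s placeholder
        failures.append("Rule data 'allowed_step_image_registry_prefixes' not provided")
    for i, step in enumerate(spec.get("steps", [])):
        image = step.get("image", "")
        if not any(image.startswith(p) for p in prefixes or []):
            failures.append(f"Step {i} uses disallowed image ref '{image}'")
    # 2.1: the expires-on annotation, when present, must be RFC3339
    expires = meta.get("annotations", {}).get(EXPIRES_ON)
    if expires is not None and not is_rfc3339(expires):
        failures.append(f'Expires on time is not in RFC3339 format: "{expires}"')
    # 5.3: assumes a Trusted Artifacts task; any workspace not on the allow list fails
    allowed_ws = set(rule_data.get("allowed_trusted_artifacts_workspaces", []))
    for ws in spec.get("workspaces", []):
        if ws.get("name") not in allowed_ws:
            failures.append(f'General purpose workspace "{ws.get("name")}" is not allowed')
    return failures

# Constructed sample: step 1 pulls from an unlisted registry, the expiry lacks an offset.
RULE_DATA = {"allowed_step_image_registry_prefixes": ["quay.io/example-org/"],
             "allowed_trusted_artifacts_workspaces": ["git-auth"]}
SAMPLE_TASK = {
    "kind": "Task",
    "metadata": {"name": "build", "annotations": {EXPIRES_ON: "2024-07-07T00:00:00"}},
    "spec": {"steps": [{"image": "quay.io/example-org/builder:1"},
                       {"image": "docker.io/library/alpine:3"}],
             "workspaces": [{"name": "git-auth"}, {"name": "source"}]},
}
```

Running check_task(SAMPLE_TASK, RULE_DATA) reports three failures: the disallowed image in step 1, the malformed expires-on value, and the "source" workspace.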