Task Policy
These rules are applied to Tekton task definitions.
1. Tekton Task Step image policies
This package ensures that a Task definition contains valid values for the image references used by the Task’s steps.
-
Package name:
step_images
1.1. Step images are valid
Confirm that each step in the Task uses a container image that is accessible.
Solution: Make sure the container image used in each step of the Task is pushed to the registry and that it can be fetched.
-
Rule type: FAILURE
-
FAILURE message:
Step %d uses inaccessible image ref '%s'
-
Code:
step_images.step_images_accessible
-
Effective from:
2025-01-10T00:00:00Z
2. Tekton Task Step image registry policies
This package ensures that a Task definition contains expected values for the image references used by the Task’s steps.
-
Package name:
step_image_registries
2.1. Permitted step image registry prefix list provided
Confirm the allowed_step_image_registry_prefixes
rule data was provided, since it’s required by the policy rules in this package.
Solution: Make sure the data sources contains a key 'allowed_step_image_registry_prefixes' that contains a list of approved registries that can be used to run tasks in the build pipeline.
-
Rule type: FAILURE
-
FAILURE message:
%s
-
Code:
step_image_registries.step_image_registry_prefix_list_provided
2.2. Step images come from permitted registry
Confirm that each step in the Task uses a container image with a URL that matches one of the prefixes in the provided list of allowed step image registry prefixes. The list is customizeable via the allowed_step_image_registry_prefixes
rule data key.
Solution: Make sure the container image used in each step of the Task comes from an approved registry.
-
Rule type: FAILURE
-
FAILURE message:
Step %d uses disallowed image ref '%s'
-
Code:
step_image_registries.step_images_permitted
3. Tekton Task annotations
Policies to verify that a Tekton Task definition uses well formed expected annotations .
-
Package name:
annotations
3.1. Task definition uses expires-on annotation in RFC3339 format
Make sure to use the date format in RFC3339 format in the "build.appstudio.redhat.com/expires-on" annotation.
-
Rule type: FAILURE
-
FAILURE message:
Expires on time is not in RFC3339 format: %q
-
Code:
annotations.expires_on_format
4. Tekton Task result
Verify Tekton Task definitions provide expected results.
-
Package name:
results
4.1. Required result defined
Verify if Task defines the required result. This is controlled by the required_task_results
rule data key. By default this is empty making this rule a no-op.
-
Rule type: FAILURE
-
FAILURE message:
%s
-
Code:
results.required
4.2. Rule data provided
Confirm the expected required_task_results
rule data key has been provided in the expected format.
Solution: If provided, ensure the rule data is in the expected format.
-
Rule type: FAILURE
-
FAILURE message:
%s
-
Code:
results.rule_data_provided
5. Tekton task kind checks
Policies to verify that a Tekton task definition has the expected value for kind.
-
Package name:
kind
5.1. Kind field is present in task definition
Confirm the task definition includes the kind field.
-
Rule type: FAILURE
-
FAILURE message:
Required field 'kind' not found
-
Code:
kind.kind_present
5.2. Task definition has expected kind
Confirm the task definition has the kind "Task".
-
Rule type: FAILURE
-
FAILURE message:
Unexpected kind '%s' for task definition
-
Code:
kind.expected_kind
6. Trusted Artifacts Conventions
Policies to verify that a Tekton task definition conforms to the expected conventions required for using Trusted Artifacts.
-
Package name:
trusted_artifacts
6.1. Parameter
Trusted Artifact parameters follow the expected naming convention.
-
Rule type: FAILURE
-
FAILURE message:
The parameter %q of the Task %q does not use the _ARTIFACT suffix
-
Code:
trusted_artifacts.parameter
6.2. Result
Trusted Artifact results follow the expected naming convention.
-
Rule type: FAILURE
-
FAILURE message:
The result %q of the Task %q does not use the _ARTIFACT suffix
-
Code:
trusted_artifacts.result
6.3. Workspace
Tasks that implement the Trusted Artifacts pattern should not allow general purpose workspaces to share data. Instead, data should be passed around via Trusted Artifacts. Workspaces used for other purposes, e.g. provide auth credentials, are allowed. Use the rule data key allowed_trusted_artifacts_workspaces
to specify which workspace names are allowed. By default this value is empty which effectively disallows any workspace.
-
Rule type: FAILURE
-
FAILURE message:
General purpose workspace %q is not allowed
-
Code:
trusted_artifacts.workspace
-
Effective from:
2024-07-07T00:00:00Z